
I want to anti-debug and write a function like the following code that calls the debug API "IsDebuggerPresent" to check:

#include "windows.h"
bool checkdbg(){
    int i = 1;
    __asm{
        call IsDebuggerPresent // call the debug API
        test eax, eax
        jne L1
        mov i, 0
        L1 :
    }
    if(i == 0) return false;
    else return true;
}

But when compiling, VS2010 can not find IsDebuggerPresent to call. Please help me!

Deduplicator
quanrock

3 Answers

#include "Windows.h"

bool checkdbg() {
    int i = 1;              // declared here; the original snippet used i without declaring it
    __asm {
        call IsDebuggerPresent // call the debug API
        test eax, eax
        jne L1
        mov i, 0
        L1 :
    }
    if(i == 0) return false;
    else return true;
}

int CALLBACK WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow ) {
  checkdbg();
  return ERROR_SUCCESS;
}

This will compile just fine. It's probably complaining because you were missing an entry point. The subsystem you supplied in the project options mandates what main is required, whether that be WinMain (for Windows subsystem) or main (for console subsystem).

Also I would advise using:

#include <Windows.h>

As opposed to:

#include "Windows.h"

See here for explanation. Also you should just do this:

#include <Windows.h>

BOOL checkdbg() {
    int i = 1;
    __asm{
        call IsDebuggerPresent
        ret
    }
}

int main() {
  checkdbg();
  return ERROR_SUCCESS;
}

The return is expected in eax anyway so you may as well return, otherwise all you're doing is checking if the return is true, then return true. If it's false, return false. Just return. The only thing you did was effectively cast from BOOL to bool. Beats me why you're using inline ASM for this anyway though.

Mike Kwan
  • No, I just gave my function. I have a main function (sure). But I cannot call the IsDebuggerPresent API. So, when I try your code, it cannot retn because the compiler can't call IsDebuggerPresent. – quanrock Sep 01 '11 at 09:54
  • The error is: "Unhandled exception at 0x00d581e0 in antidebug.exe: 0xC0000005: Access violation". When I disassemble to debug on VS2010, at the line "call IsDebuggerPresent", the compiler cannot call .. – quanrock Sep 01 '11 at 10:19
  • an unhandled exception is a runtime error, and has nothing to do with the compiler... – Adrien Plisson Sep 01 '11 at 10:27
  • Oh. I don't know why VC++ does this. I encountered this before debugging into inline assembler code. Perhaps a bug? – Mike Kwan Sep 01 '11 at 10:35
  • After testing both codes: I get an unhandled exception in both cases, looks like something is not set up appropriately before calling the function. Calling the C API works well... (I told you, inline assembler is a maintenance nightmare) – Adrien Plisson Sep 01 '11 at 10:36
  • Thank you all. I have another question. If you're free, refer to this link: http://stackoverflow.com/questions/7270687/how-to-get-parent-process-id-throught-teb-or-peb – quanrock Sep 01 '11 at 13:15


do not use

call balabala

use

call dword ptr [balabala]
Zhang Boyang


Any reason for not calling the API directly from C?

#include <windows.h>
#pragma comment(lib, "kernel32.lib")

bool checkdbg() {
    // BOOL is an int; compare explicitly so the conversion to bool is intentional
    return IsDebuggerPresent() != FALSE;
}
Adrien Plisson
  • Thanks, but I want inline ASM, not a call to the API from C like this. Mike Kwan's way can't run successfully because the compiler does not call IsDebuggerPresent. So, it can't return (in the eax register). – quanrock Sep 01 '11 at 09:59
  • So your problem is when compiling. Someone asked you: what is the exact error message the compiler gives you? What is the result of the compilation? The error message is crucial in understanding why the compiler fails... – Adrien Plisson Sep 01 '11 at 10:04
  • (Also, note that inlining assembler does not add anything, except some maintenance nightmares.) – Adrien Plisson Sep 01 '11 at 10:04
  • The error is: "Unhandled exception at 0x00d581e0 in antidebug.exe: 0xC0000005: Access violation". When I disassemble to debug on VS2010, at the line "call IsDebuggerPresent", the compiler cannot call .. – quanrock Sep 01 '11 at 10:18
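Putting the two working variants from the answers above side by side, as an added example that is not code from the question or from any of the answerers: the plain C call, and the inline-asm call written as `call dword ptr [IsDebuggerPresent]` (the direct `call IsDebuggerPresent` jumps into the import-address-table slot, a pointer, which is the access violation in the comments). The asm variant copies EAX into a local instead of executing a bare `ret` inside a function that has a stack frame; the non-Windows stand-in for IsDebuggerPresent is a constructed stub so the file also compiles elsewhere.

```c
/* Added example: correct ways to call IsDebuggerPresent from MSVC x86. */
#ifdef _WIN32
#include <windows.h>
#else
/* Constructed stand-in so the file also compiles on non-Windows hosts. */
typedef int BOOL;
static BOOL IsDebuggerPresent(void) { return 0; }
#endif

/* Plain C: the compiler emits the indirection through the IAT itself. */
int checkdbg_c(void)
{
    return IsDebuggerPresent() != 0;
}

/* Inline assembly, MSVC x86 only. The symbol IsDebuggerPresent names the
 * dllimport pointer slot, so it must be dereferenced with "dword ptr [...]";
 * a direct "call IsDebuggerPresent" executes the pointer bytes as code. */
int checkdbg_asm(void)
{
    int result;
#if defined(_MSC_VER) && defined(_M_IX86)
    __asm {
        call dword ptr [IsDebuggerPresent] ; indirect call through the IAT slot
        mov result, eax                    ; keep the BOOL the API returned
    }
#else
    result = checkdbg_c();   /* no __asm blocks on other compilers/targets */
#endif
    return result != 0;
}
```

Both functions return the same value on the same process; build with the x86 (not x64) MSVC toolchain to exercise the `__asm` path.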