Anti-debugging

Exams Market
Here is some code (fasm). Under a debugger it displays 0xF00DBAAD; tested under WinDbg, x64dbg and IDA dbg.

Have a look for yourselves; no idea whether it's old news or not, but it may come in handy.

Code:
format PE GUI 5.0

section '.data' data readable writeable
  buf db 256 dup (0)                        ; output buffer for wsprintfA

; =========================================================
section '.code' code import writeable readable executable
; =========================================================
include 'win32ax.inc'
; =========================================================
; IAT
; =========================================================
library kernel32, 'kernel32.dll',\
        user32, 'user32.dll',\
        ntdll, 'ntdll.dll'
import kernel32,\
       ExitProcess, 'ExitProcess',\
       GetProcessHeap, 'GetProcessHeap',\
       Sleep, 'Sleep'
import user32,\
       MessageBoxA, 'MessageBoxA',\
       wsprintfA, 'wsprintfA'
import ntdll, RtlAlloc, 'RtlAllocateHeap'
; =========================================================
; ENTRY POINT
; =========================================================
entry $
  invoke Sleep, 0                                    ; convenient place for a breakpoint
  invoke RtlAlloc, <invoke GetProcessHeap>, 0, 1024  ; 1024-byte block from the process heap (eax = block)
  mov ecx, [eax+10]                                  ; load the dword at (decimal) offset 10 of the fresh block
  invoke wsprintfA, buf, "ecx = %x", ecx             ; format it as hex
  invoke MessageBoxA, 0, buf, "Caption", MB_OK       ; show it
  invoke ExitProcess, 0

PS: Sleep isn't needed in the code; it's just there to put a breakpoint on.
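Why the dialog shows 0xF00DBAAD rather than the fill value 0xBAADF00D itself: fasm treats `10` as decimal, so `[eax+10]` reads a dword that starts two bytes into a dword boundary of a block the Windows debug heap has filled with the little-endian byte pattern 0D F0 AD BA. The following Python simulation is an added example, not code from the post; the heap block is constructed in memory to stand in for a fresh RtlAllocateHeap block under a debugger, and no real Windows heap is touched.

```python
import struct

# Value the Windows debug heap writes over newly allocated bytes when the
# process runs with the debug heap flags (which a debugger enables by default).
DEBUG_HEAP_ALLOC_FILL = 0xBAADF00D


def debug_heap_block(size: int) -> bytes:
    """Constructed stand-in for a fresh heap allocation under a debugger:
    the fill dword repeated little-endian across the whole block."""
    pattern = struct.pack("<I", DEBUG_HEAP_ALLOC_FILL)  # b'\x0d\xf0\xad\xba'
    return (pattern * (size // 4 + 1))[:size]


def read_dword(block: bytes, offset: int) -> int:
    """Equivalent of `mov ecx, [eax+offset]`: an unaligned little-endian 32-bit load."""
    return struct.unpack_from("<I", block, offset)[0]


def explain_offset(block: bytes, offset: int) -> str:
    """Show the four bytes the load sees and the dword they form."""
    raw = block[offset:offset + 4]
    return f"[eax+{offset}] -> bytes {raw.hex(' ')} -> ecx = {read_dword(block, offset):#010x}"


if __name__ == "__main__":
    blk = debug_heap_block(1024)
    # decimal 10 is misaligned by two bytes, so the halves of the pattern swap:
    print(explain_offset(blk, 10))   # ... ecx = 0xf00dbaad
    # a dword-aligned read returns the pattern as documented:
    print(explain_offset(blk, 8))    # ... ecx = 0xbaadf00d
    print(explain_offset(blk, 0x10)) # hex 10h would also have been aligned
```

The point for analysts reading such samples: the value a program compares against depends on the offset it reads, so an anti-debug check of this family may be looking for 0xF00DBAAD, 0xBAADF00D, 0xADBAADF0 or any other rotation of the same four bytes.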