Carding Mafia - The best Carding Forum, Altenen > Coding > C/C++/Obj-C Programming > Basic Anti-Debugging in C++
Carding Mafia - The best Carding Forum, Altenen > Coding > C/C++/Obj-C Programming > Basic Anti-Debugging in C++

Deposit & Withdraw | About Verified Sellers and Escrow | Advertise | Scam Report | Tracking Number Details | WesternUnion Tracking

carding forums carding forums
revolut carding carding forums
carding forums carding forums
carding forums
Thread Rating:
Basic Anti-Debugging in C++
Prince
Verified Seller
*****
Verified Seller
Start Conversation
Posts:
2,206
Threads:
790
Joined:
Jul 2011
Reputation:
272
Money:
$14,161
Mail
[email protected]
#1
Saturday 3 | 02:37:AM
I am going to share a simple method for detecting whether your program (it may be viral code as well) is being debugged. Anti-debugging is an essential trick for survival of your malicious code.

Windows API provides a simple function isDebuggerPresent() but it can be bypassed too easily, and therefore should NOT be used. I will show you how to use Process Control Box to test debugging.

Process Control Box or PCB is a kernel level stuff, and therefore is accessible by Native API (not Win32 API). The following code shows how to do it. Code is self explanatory.

Code:
void alert()
{
    typedef unsigned long (__stdcall  *pfnNtQueryInformationProcess)(IN  HANDLE, IN  unsigned int, OUT PVOID,  IN ULONG, OUT PULONG);
    const int ProcessDbgPort = 7;
    pfnNtQueryInformationProcess NtQueryInfoProcess = NULL;
    unsigned long Ret;
    unsigned long IsRemotePresent = 0;

    HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
    if(hNtDll == NULL)
    {
        cout<<"\nFATAL ERROR!!!!\nPress any key to terminate....";
        _getch();
        exit(0);
    }

    NtQueryInfoProcess = (pfnNtQueryInformationProcess)
    GetProcAddress(hNtDll, "NtQueryInformationProcess");
    if(NtQueryInfoProcess == NULL)
    {
        cout<<"\nFATAL ERROR!!!!\nPress any key to terminate....";
        _getch();
        exit(0);
    }
    Ret = NtQueryInfoProcess(GetCurrentProcess(), ProcessDbgPort, &IsRemotePresent, sizeof(unsigned long), NULL);
    if(Ret == 0x00000000 && IsRemotePresent != 0)
    {
        cout<<"\nClose your bloody debugger!!!\n";
    }
    else
    {
        cout<<"\nI am not being debugged...\n";
    }
}

To use it in your code, simply call alert() function. You may want to modify it to return a value (true/false) instead of printing string.
[Image: JbpXowl.png] WesternUnion / MoneyGram / Bank - Transferring -WorldWide [ MTCN in 3 hours ] [Image: JbpXowl.png]

[Image: zHUQ5w8.png] REVOLUT carding, MONESE carding - Money loading [Safe + ESCROW Accepted][Image: zHUQ5w8.png]

[Image: u1WxV4y.png] Carding PayPal, Payza, Ukash, Ucard, EgoPay, Skrill - TRANSFER [Escrow accepted][Image: u1WxV4y.png]

[Image: JbpXowl.png] WesternUnion Tracking link: https://cardingmafia.to/misc.php?page=wu-tracking[Image: JbpXowl.png]
email: [email protected]
Find
Reply
Paid adv. expire in 31 days
CLICK to buy Advertisement !

    Verified & Trusted Electronics Carding, Carding iPhone, Samsung Carding, MacBook Carding, Laptops Carding
REVO
Verified Seller
*****
Verified Seller
Start Conversation
Posts:
155
Threads:
3
Joined:
Aug 2013
Reputation:
0
Money:
$3,122
#2
Thursday 22 | 06:46:AM
thx for share
Find
Reply
Xp2018
Junior Member
**
Start Conversation
Posts:
28
Threads:
2
Joined:
Apr 2019
Reputation:
0
Money:
$1
#3
Saturday 2 | 11:30:PM
The ImmunityDebugger has also a plugin that bypass several anti-debug tricks. Maybe thats also interesting to look at their github repo, if you want to learn what kind of techniques are popular.
Find
Reply
  


Forum Jump:


Contributors: Xp2018 , REVO , Prince