domingo, 17 de agosto de 2008

thing you care if you are writing malware...


There are million of ways to detect a debugger. I'm usually on the other side, "millions of ways to hide a debugger", but this time let me show you a simple but neat trick.
Call the win32 api function GetCommandLine and check if the last char is a space.
If it isn't, means its been executed from a debugger (tested on ID and windbg) or the command shell.


LPSTR ptr;
unsigned int ret;

ptr = GetCommandLine();
ret = strlen(ptr);
if(ptr[ret-1] == ' ')
printf("Carry On\n");
else
printf("Debugger detected!\n");

In other news, if you feel like having a good cabernet sauvignon, a juicy steak or listening to hackers talking about what they know Buenos Aires is your place the first days of October:
cansecwest's dragos is throwing a conference this year: Ba-Con
And exactly the day after, the second edition of the Eko-party including Dave Aitel as a keynote "Hacking Has An Economy of Scale" and Pablo Solé recon talk "Adobe javascript unleashed".

I'll be around!

No hay comentarios: