Sunday, 17 August 2008
thing you care if you are writing malware...
There are millions of ways to detect a debugger. I'm usually on the other side, "millions of ways to hide a debugger", but this time let me show you a simple but neat trick.
Call the Win32 API function GetCommandLine and check whether the last character of the returned string is a space.
If it isn't, it means the process has been started from a debugger (tested on ID and windbg) or from the command shell rather than from Explorer.
#include <windows.h>
#include <string.h>
char *ptr = GetCommandLine();          /* full command line of this process */
size_t ret = strlen(ptr);
if (ret > 0 && ptr[ret - 1] == ' ')    /* trailing space: launched from Explorer, not a debugger or shell */
    /* ... normal path ... */
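The same heuristic as a testable function, added here as an example and not the post's own code. is_explorer_launch() takes the command line as a string so the logic runs on any platform; the GetCommandLineA() call site sits under _WIN32 for a real Windows build. The sample command lines are constructed for illustration, and the function guards the empty-string case, which the bare snippet above would turn into a read of ptr[-1]. For an analyst, the value of knowing the check is that it explains why a sample behaves differently under a debugger than when double-clicked; most debuggers let you set the command line of the debuggee explicitly, so the launch conditions can be reproduced exactly.

```c
/* Added example: the trailing-space heuristic from the post as a function.
 * Not the post's code; sample command lines below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* True when the last character is a space (an Explorer launch, per the
 * post); false for a debugger or shell launch. NULL or an empty string
 * returns false instead of indexing before the start of the buffer. */
bool is_explorer_launch(const char *cmdline)
{
    size_t len = cmdline ? strlen(cmdline) : 0;
    return len > 0 && cmdline[len - 1] == ' ';
}

/* Constructed samples (hypothetical paths), not captured from a real system. */
static const char *samples[] = {
    "\"C:\\tmp\\sample.exe\" ",   /* Explorer-style launch: trailing space */
    "\"C:\\tmp\\sample.exe\"",    /* shell or debugger launch: no trailing space */
    "",                           /* edge case: empty command line */
};

int main(void)
{
#ifdef _WIN32
    /* Real command line of this process on Windows. */
    const char *live = GetCommandLineA();
    printf("live: [%s] -> %s\n", live,
           is_explorer_launch(live) ? "explorer" : "debugger/shell");
#endif
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("[%s] -> %s\n", samples[i],
               is_explorer_launch(samples[i]) ? "explorer" : "debugger/shell");
    return 0;
}
```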
In other news, if you feel like having a good Cabernet Sauvignon, a juicy steak, or listening to hackers talk about what they know, Buenos Aires is the place to be in the first days of October:
CanSecWest's Dragos is throwing a conference there this year: Ba-Con
I'll be around!
Posted by Nico Waisman at 14:53