how can i detect ring-3 debuggers(like OllyDbg) with out IsDebuggerPresent API ?
Posted on 2004-04-29 05:56:53 by Criminal2
Don't bother. If anybody is going to attack your application, they'll either use a ring0 debugger or know how to defeat ring3 debugger checks. If you really insist on doing this, I believe there's some TIB/TEB field to check, but I can't remember exactly nor whether if it's 9x/NT dependant (probably is).
Posted on 2004-04-29 06:49:21 by f0dder


mov ecx, [fs:30h]
test ecx, ecx
js _9x
movzx ecx, byte[ecx+2]
jecxz @F
jmp detected
_9x:
mov ecx, [fs:20h]
jecxz @F
detected:
....


Anyway do not bother because some people have patched their TIB/TEB field to stop this kind of detection
Posted on 2004-04-29 07:23:47 by roticv