I would like to convert this to asm.

Thanks.

Is it a 1024 byte array of zeros?

char fib[1024] = {0};
Posted on 2009-10-24 14:35:25 by skywalker
I'm not 100% sure, but I'm inclined to say that it's a 1024 byte array where the first item is initialized to 0, and the other 1023 elements are in an uninitialized state.
Posted on 2009-10-24 15:28:36 by Scali
This is what I am using it in.

It is a conversion from a c source.
But it returns ERROR_INVALID_PARAMETER even when it isn't going thru a debugger.

I don't understand anything about what a fiber really is.
Seems like there has to be a CreateFiber in order to delete one. :-)

Andy


_WIN32_WINNT EQU 500h

.DATA

fib db 0,1023 dup (?)
DebMsgBox  db  "NOT being debuggged.",0
MsgCaption  db  " ",0
Debugged  db  "Being Debugged.",0

.CODE


start:

;Set last error to ERROR_SUCCESS, before we call the function we want to invalidate...

invoke SetLastError, ERROR_SUCCESS


invoke DeleteFiber,ADDR fib

      .IF EAX == ERROR_INVALID_PARAMETER ; 57 - not being debugged
invoke MessageBox,NULL,addr DebMsgBox, addr MsgCaption, MB_OK
            invoke ExitProcess,0

      .ELSE
invoke MessageBox,NULL,addr Debugged, addr MsgCaption, MB_OK

.ENDIF

invoke ExitProcess,1
Posted on 2009-10-24 17:32:29 by skywalker
I don't know how this code is supposed to work. You are trying to delete a nonexistent fiber. A fiber, in short, is a beta version of a thread ;p And I have no idea how deleting a (nonexistent) fiber would tell you whether your process is being debugged or not.
Posted on 2009-10-24 19:19:19 by ti_mo_n
ti_mo_n,

This is from here and is supposed to work.

skywalker,

Personally I would declare it as fib db 1024 dup (0) and I think that's what the C code is intending to do, although it only initializes the first char to 0.

You forgot to call GetLastError after your call to DeleteFiber
Posted on 2009-10-24 20:24:56 by JimmyClif
Thanks, putting in GetLastError fixed it right up.
At the end is some more Anti-Debug code I found.

Andy


; DeleteFiber.asm Anti-Debug routine
;
;
.386
.MODEL FLAT, STDCALL
OPTION CASEMAP: NONE


    include \masm32\include\windows.inc
    include \masm32\include\user32.inc
    include \masm32\include\kernel32.inc
    include \masm32\include\advapi32.inc
    include \masm32\include\shlwapi.inc
    include \masm32\macros\macros.asm

    includelib  \masm32\lib\kernel32.lib
    includelib  \masm32\lib\user32.lib
    includelib  \masm32\lib\advapi32.lib
    includelib  \masm32\lib\shlwapi.lib

_WIN32_WINNT EQU 500h

.DATA

fib db 1024 dup (0)
DebMsgBox  db  "NOT being debuggged.",0
MsgCaption  db  " ",0
Debugged  db  "Being Debugged.",0

.CODE

start:

;Set last error to ERROR_SUCCESS, before we call the function we want to invalidate...

invoke SetLastError, ERROR_SUCCESS

invoke DeleteFiber,ADDR fib

call GetLastError

      .IF EAX == ERROR_INVALID_PARAMETER ; 57 - not being debugged
invoke MessageBox,NULL,addr DebMsgBox, addr MsgCaption, MB_OK
            invoke ExitProcess,0

      .ELSE
invoke MessageBox,NULL,addr Debugged, addr MsgCaption, MB_OK

.ENDIF

invoke ExitProcess,1

end start




;int2d.asm Anti-debug code

.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32
includelib \masm32\lib\user32

.data

procinfo PROCESS_INFORMATION <0>

startinfo STARTUPINFO <0>

debugEvt DEBUG_EVENT<0>

_str db 100 DUP (0)

_fmt db 'eax: %08X',0dh,0ah,'ebx: %08X',0dh,0ah,'ecx: %08X',0dh,0ah,
'edx: %08X',0

; MACROS
; CLOAKxB -> cloaks x bytes instruction

CLOAK1B macro ;int.int
int 2dh
db 0cdh
endm

CLOAK2B macro ;int.ret
int 2dh
db 0c2h
endm

CLOAK3B macro ;int.enter
int 2dh
db 0c8h
endm

CLOAK4B macro ;int.call
int 2dh
db 0e8h
endm

;If you find some other 'cloaking' opcodes i.e. 5 or more bytes please send
;me e-mail ;-)

;sample mov r32, val macro

MOV_REG macro reg1: REQ, val1:REQ, val2:REQ, val3:REQ, val4:REQ
int 2dh
int reg1 ;\
int val3 ; >mov eax, (val1)CD(val3)CD
int val1 ;/
int 2dh
;enter 78xxh, 90h ;  mov al, val4
db 0c8h, reg1 - 8, val4, 90h
int 2dh
;enter 0xxc1h, 10h ;  ror eax, 10h
db 0c8h, 0c1h, reg1 + 10h, 10h
int 2dh
;enter 34xxh, 90h ;  mov al, val2
db 0c8h, reg1 - 8, val2, 90h
int 2dh
;enter 0xxc1h, 10h ;  ror eax, 10h
db 0c8h, 0c1h, reg1 + 10h, 10h
endm

MOV_EAX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0b8h, val1, val2, val3, val4
endm

MOV_EBX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0bbh, val1, val2, val3, val4
endm

MOV_ECX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0b9h, val1, val2, val3, val4
endm

MOV_EDX macro val1:REQ, val2:REQ, val3:REQ, val4:REQ
MOV_REG 0bah, val1, val2, val3, val4
endm

.code

start:

assume fs:nothing
push offset _seh ;\
push fs:[0] ; > set SEH
mov fs:[0], esp ;/

int 2dh ; if debugger attached it will run normally,
; else we've got exception
nop
pop fs:[0] ;\ clear SEH
add esp, 4 ;/


MOV_EAX 98h ,76h, 54h, 32h ; mov eax, 98765432h
MOV_EBX 12h, 34h, 56h, 78h ; mov ebx, 12345678h
MOV_ECX 0abh, 0cdh, 0efh, 0 ; mov ecx, 0abcdef00h
MOV_EDX 90h, 0efh, 0cdh, 0abh ; mov edx, 90efcdabh

CLOAK1B
push edx
CLOAK1B
push ecx
CLOAK1B
push ebx
CLOAK1B
push eax
CLOAK4B
push offset _fmt
CLOAK4B
push offset _str
CLOAK4B
call wsprintf
CLOAK3B
add esp, 18h
CLOAK2B
push 0
CLOAK4B
push offset _str
CLOAK4B
push offset _str
CLOAK2B
push 0
CLOAK4B
call MessageBox
CLOAK2B
push 0
CLOAK2B
jmp _end2

_seh: ; Structured exception handler
; setting mini-debugger ;-)
push offset procinfo
push offset startinfo
push 0
push 0
push DEBUG_PROCESS
push 0
push 0
push 0
call GetCommandLine
push eax
push 0
call CreateProcess

_dbgloop:
push INFINITE
push offset debugEvt
call WaitForDebugEvent

cmp debugEvt.dwDebugEventCode, EXIT_PROCESS_DEBUG_EVENT
je _end

push DBG_CONTINUE
push debugEvt.dwThreadId
push debugEvt.dwProcessId
call ContinueDebugEvent

jmp _dbgloop

_end: push 0
_end2: call ExitProcess

end start

Posted on 2009-10-24 20:54:59 by skywalker

ti_mo_n,

This is from here and is supposed to work.

Interesting article. Thanks.
Posted on 2009-10-25 00:49:55 by ti_mo_n
Please don't try to use this code for anything but your own amusement - it depends on implementation details which there are absolutely no guarantees for; a later Windows version could (and should) make your application crash and burn for attempting such lameness.
Posted on 2009-10-25 10:14:23 by f0dder

Please don't try to use this code for anything but your own amusement - it depends on implementation details which there are absolutely no guarantees for; a later Windows version could (and should) make your application crash and burn for attempting such lameness.


You are certainly entitled to your opinion.

Andy
Posted on 2009-10-25 14:56:22 by skywalker


Please don't try to use this code for anything but your own amusement - it depends on implementation details which there are absolutely no guarantees for; a later Windows version could (and should) make your application crash and burn for attempting such lameness.


You are certainly entitled to your opinion.

Andy
Don't come crying when your copy-pasted-and-not-particularly-understood code blows up on a bunch of deployed installs after a routine windows update.
Posted on 2009-10-25 14:58:17 by f0dder