#[
Author: Itay Migdal
License: BSD 3-Clause
Two anti-debugging techniques implemented in Nim
]#
import winim
# The inline asm in pebBeingDebugged below is written in Intel syntax
# (destination operand first), so the C backend is told to assemble it as such.
{.passC:"-masm=intel".}
proc pebBeingDebugged(): bool {.asmNoStackFrame.} =
  ## Reads the BeingDebugged byte of the current process's PEB and returns it
  ## as a bool (non-zero means a debugger attached at process start).
  ## x64 Windows only: the TEB is addressed through the gs segment, the PEB
  ## pointer is at TEB+0x60 and BeingDebugged is the byte at PEB+2; the
  ## zero-extended byte is left in rax as the return value. The offsets would
  ## be different on 32-bit Windows. `asmNoStackFrame` suppresses the
  ## prologue/epilogue, so the trailing `ret` returns straight to the caller.
  ## This is a heuristic, not proof: the flag is a plain byte in process memory
  ## and may not reflect a debugger attached later.
  # https://anti-debug.checkpoint.com/techniques/debug-flags.html#manual-checks-peb-beingdebugged-flag
  asm """
mov rax, gs:[0x60]
movzx rax, byte ptr [rax+2]
ret
"""
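proc getProcessFileHandle(): bool =
  ## Tries to open the current process's own executable image with no sharing
  ## and treats a failed open as a debugger indicator.
  ## Returns true when CreateFileW fails, false when the file could be opened.
  ## This is a heuristic: any other holder of the file makes the open fail,
  ## and a failed GetModuleFileNameW leaves an empty path that presumably
  ## fails to open as well, so both cases report true.
  # https://anti-debug.checkpoint.com/techniques/object-handles.html#createfile
  var fileName: array[MAX_PATH + 1, WCHAR]  # zero-filled, so always NUL-terminated
  discard GetModuleFileNameW(
    0,                # NULL module handle: path of the calling process's executable
    addr fileName[0],
    MAX_PATH
  )
  let handle = CreateFileW(
    addr fileName[0],
    GENERIC_READ,
    0,                # share mode 0: the open fails if anyone else holds the file
    NULL,
    OPEN_EXISTING,
    0,
    0
  )
  let debuggerSuspected = (handle == INVALID_HANDLE_VALUE)
  # Only close a handle that was actually opened; never CloseHandle(INVALID_HANDLE_VALUE).
  if not debuggerSuspected:
    discard CloseHandle(handle)
  result = debuggerSuspected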
proc isDebugged*(): bool =
  ## True when either heuristic fires. The PEB flag is consulted first and the
  ## file-handle probe only runs when that flag is clear (same short-circuit
  ## order as `pebBeingDebugged() or getProcessFileHandle()`).
  if pebBeingDebugged():
    return true
  getProcessFileHandle()