Auto Debug System

Anti Debug

The Anti Debug feature lets you trace applications that use anti-debug techniques to protect themselves against tracing. You must check this option before tracing your application.

Features

Allows debugging programs that check for a debugger using IsDebuggerPresent().

Allows debugging programs that use TEB-based anti-debug checks.

Allows debugging programs that check for STEP DEBUG (single-stepping).

Allows debugging programs that check that their parent process is explorer.

Allows debugging programs that check whether the first byte of an API is 0xCC (a software breakpoint). This works like bpx CreateFileA+1.

BPX CreateFileA+1

The Anti Debug feature also lets you place the breakpoint on a later byte of the API rather than its first byte, so that anti-debug code checking the API entry does not detect it. Just as SoftICE uses bpx CreateFile+1, you can set bpx CreateFile+n using a Breakpoint Offset file.

In the Function Filter dialog, right-click the process, choose the [Load Breakpoint Offset] menu item, and then select the breakpoint offset ini file that defines the breakpoint information. Breakpoints are now set n bytes into each listed API, like bpx CreateFileA+n.

Breakpoint Offset file format

The breakpoint offset file uses the ini format to store the information, as in the following sample.
; DLL Name
[kernel32]
; Function Name = EIP Offset, ESP Offset
CreateFileA=6,8
GetProcAddress=7,14

; DLL Name
[Advapi32]
; Function Name = EIP Offset, ESP Offset
RegCreateKeyExA=6,2C
RegCreateKeyA=6,4
RegOpenKeyExA=6,10
RegOpenKeyA=6,0
As in the sample, the section is the DLL name and the key is the function name.
The key value is the EIP Offset followed by the ESP Offset.
You must use a disassembler to obtain the correct EIP Offset and ESP Offset.
For CreateFileA, for example, you may see asm code like the following.
kernel32.DLL - CreateFileA
Exported fn(): CreateFileA - Ord:0039h
:77E6C037 55          push ebp
:77E6C038 8BEC        mov ebp, esp                  ;CreateFileA=1,4
:77E6C03A FF7508      push [ebp+08]                 ;CreateFileA=3,4
:77E6C03D E82ACF0000  call 77E78F6C                 ;CreateFileA=6,8
:77E6C042 85C0        test eax, eax
:77E6C044 7505        jne 77E6C04B
:77E6C046 83C8FF      or eax, FFFFFFFF
:77E6C049 EB1A        jmp 77E6C065
In this code, if you want to set a breakpoint at 0x77E6C038,
you must set the EIP Offset to 1 and the ESP Offset to 4.
Advapi32.DLL  - RegCreateKeyExA
Exported fn(): RegCreateKeyExA - Ord:018Eh
:77D871DE 55          push ebp
:77D871DF 8BEC        mov ebp, esp                  ;RegCreateKeyExA=1,4
:77D871E1 83EC28      sub esp, 00000028             ;RegCreateKeyExA=3,0x2C
:77D871E4 8B4508      mov eax, dword ptr [ebp+08]   ;RegCreateKeyExA=6,0x2C
:77D871E7 53          push ebx                      ;RegCreateKeyExA=9,0x2C
:77D871E8 56          push esi                      ;RegCreateKeyExA=A,0x30
:77D871E9 33F6        xor esi, esi 
:77D871EB 3D04000080  cmp eax, 80000004 
:77D871F0 57          push edi
If the asm code contains a push, the ESP Offset must be increased by 4; if it
contains sub esp, 00000010, the ESP Offset must be increased by 0x10. For
sub esp, 00000028, the ESP Offset is increased by 0x28.

Now you can set your breakpoint like bpx CreateFileA+n.
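As an added example (not part of the Auto Debug documentation), the following Python script applies the rules above to the two prologue listings transcribed from this page, deriving the EIP Offset and ESP Offset for each address and rendering the ini key, and reads a Breakpoint Offset ini back. Reading the ini values as hexadecimal is an interpretation of the 2C and A written on this page.

```python
import configparser
import re

# Prologue listings transcribed from this page (address, bytes, asm).
CREATEFILEA = """
:77E6C037 55          push ebp
:77E6C038 8BEC        mov ebp, esp
:77E6C03A FF7508      push [ebp+08]
:77E6C03D E82ACF0000  call 77E78F6C
"""
REGCREATEKEYEXA = """
:77D871DE 55          push ebp
:77D871DF 8BEC        mov ebp, esp
:77D871E1 83EC28      sub esp, 00000028
:77D871E4 8B4508      mov eax, dword ptr [ebp+08]
:77D871E7 53          push ebx
:77D871E8 56          push esi
"""
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+[0-9A-F]+\s+(.+)$", re.I)
SUB_ESP_RE = re.compile(r"^sub\s+esp,\s*([0-9A-F]+)$", re.I)

def stack_offsets(listing):
    """Map address -> (EIP Offset, ESP Offset); the ESP Offset is the number
    of bytes pushed so far when execution reaches that address."""
    offsets, entry, esp = {}, None, 0
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, insn = int(m.group(1), 16), m.group(2).strip()
        entry = addr if entry is None else entry
        offsets[addr] = (addr - entry, esp)
        if insn.split()[0].lower() == "push":   # page rule: push adds 4
            esp += 4
        elif sub := SUB_ESP_RE.match(insn):     # page rule: sub esp,N adds N
            esp += int(sub.group(1), 16)
    return offsets

def ini_line(func, addr, offsets):
    """Render one 'Function=EIP,ESP' key in hex, as in the sample file."""
    eip, esp = offsets[addr]
    return f"{func}={eip:X},{esp:X}"

def load_breakpoint_offsets(text):
    """Parse a Breakpoint Offset ini; values are hex, as 2C and A on this page."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep function-name case
    cp.read_string(text)
    return {(dll, fn): tuple(int(v, 16) for v in val.split(","))
            for dll in cp.sections() for fn, val in cp.items(dll)}
```

Running ini_line("RegCreateKeyExA", 0x77D871E4, stack_offsets(REGCREATEKEYEXA)) reproduces the RegCreateKeyExA=6,2C entry of the sample file.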

Copyright © 2003-2008, www.autodebug.com All Rights Reserved