@WKL-Sec
Created February 14, 2024 18:47
This C++ code performs an integrity check on the `IsDebuggerPresent` API function exported by `KERNELBASE.dll`: it compares the first bytes of the function in the running process against a known-good sequence to detect whether the function has been patched in memory, a technique useful for evading debugging and analysis in cybersecurity operations. Note that the expected byte sequence is the x64 encoding of the function and is specific to the Windows build it was taken from.
```cpp
// White Knight Labs - Offensive Development Course
// Anti-Debug Patch Check - KERNELBASE!IsDebuggerPresent function
#include <iostream>
#include <Windows.h>

// Define the expected bytes of the KERNELBASE!IsDebuggerPresent function.
// This array represents the specific sequence of bytes we expect to find at the
// beginning of the IsDebuggerPresent function in a non-modified state.
// On x64 these decode to:
//   65 48 8B 04 25 60 00 00 00   mov   rax, gs:[0x60]          ; TEB -> PEB
//   0F B6 40 02                  movzx eax, byte ptr [rax+2]   ; PEB.BeingDebugged
//   C3                           ret
// The sequence is build-specific; a different Windows build may change it.
const unsigned char expectedBytes[] = {0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0xC3};

// Calculate the length of the expectedBytes array for use in the comparison loop.
const size_t expectedBytesLength = sizeof(expectedBytes) / sizeof(expectedBytes[0]);

int main() {
    // Attempt to dynamically retrieve the memory address of the IsDebuggerPresent function
    // located within KERNELBASE.dll, which is a core Windows system library.
    auto pIsDebuggerPresent = reinterpret_cast<unsigned char*>(
        GetProcAddress(GetModuleHandleW(L"KERNELBASE.dll"), "IsDebuggerPresent"));

    // Check if the retrieval was successful. If not, output an error message and exit the program.
    if (!pIsDebuggerPresent) {
        std::cerr << "Failed to get the address of IsDebuggerPresent from KERNELBASE.dll" << std::endl;
        return 1; // Return a non-zero value to indicate failure.
    }

    // Flag to track if any modification has been detected in the IsDebuggerPresent function.
    bool isModified = false;

    // Iterate through each byte of the expected sequence and compare it to the actual
    // bytes present at the function's address in memory.
    for (size_t i = 0; i < expectedBytesLength; ++i) {
        // If a discrepancy is found, set isModified to true and break out of the loop.
        if (pIsDebuggerPresent[i] != expectedBytes[i]) {
            isModified = true;
            break;
        }
    }

    // After checking all the expected bytes, output the result to the user.
    if (isModified) {
        // If any byte did not match, report that a modification has been detected.
        std::cout << "Modification detected in KERNELBASE!IsDebuggerPresent." << std::endl;
    } else {
        // If all bytes matched, report that no modifications have been detected.
        std::cout << "No modification detected in KERNELBASE!IsDebuggerPresent." << std::endl;
    }

    return 0; // Return zero to indicate successful execution.
}
```