Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save analyticsearch/8dc1caf240d70b720448c9e843e161e4 to your computer and use it in GitHub Desktop.
Save analyticsearch/8dc1caf240d70b720448c9e843e161e4 to your computer and use it in GitHub Desktop.
This C++ code performs an integrity check on the `IsDebuggerPresent` API function in `KERNELBASE.dll` to detect any unauthorized modifications, a technique useful for evading debugging and analysis in cybersecurity operations.
// White Knight Labs - Offensive Development Course
// Anti-Debug Patch Check - KERNELBASE!IsDebuggerPresent function
#include <iostream>
#include <Windows.h>
// Define the expected bytes of the KERNELBASE!IsDebuggerPresent function.
// This array represents the specific sequence of bytes we expect to find at the
// beginning of the IsDebuggerPresent function in a non-modified state.
const unsigned char expectedBytes[] = {0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0xC3};
// Calculate the length of the expectedBytes array for use in the comparison loop.
const size_t expectedBytesLength = sizeof(expectedBytes) / sizeof(expectedBytes[0]);
int main() {
// Attempt to dynamically retrieve the memory address of the IsDebuggerPresent function
// located within KERNELBASE.dll, which is a core Windows system library.
auto pIsDebuggerPresent = reinterpret_cast<unsigned char*>(GetProcAddress(GetModuleHandleW(L"KERNELBASE.dll"), "IsDebuggerPresent"));
// Check if the retrieval was successful. If not, output an error message and exit the program.
if (!pIsDebuggerPresent) {
std::cerr << "Failed to get the address of IsDebuggerPresent from KERNELBASE.dll" << std::endl;
return 1; // Return a non-zero value to indicate failure.
}
// Flag to track if any modification has been detected in the IsDebuggerPresent function.
bool isModified = false;
// Iterate through each byte of the expected sequence and compare it to the actual
// bytes present at the function's address in memory.
for (size_t i = 0; i < expectedBytesLength; ++i) {
// If a discrepancy is found, set isModified to true and break out of the loop.
if (pIsDebuggerPresent[i] != expectedBytes[i]) {
isModified = true;
break;
}
}
// After checking all the expected bytes, output the result to the user.
if (isModified) {
// If any byte did not match, report that a modification has been detected.
std::cout << "Modification detected in KERNELBASE!IsDebuggerPresent." << std::endl;
} else {
// If all bytes matched, report that no modifications have been detected.
std::cout << "No modification detected in KERNELBASE!IsDebuggerPresent." << std::endl;
}
return 0; // Return zero to indicate successful execution.
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment