Forked from WKL-Sec/IsDebuggerPresentModification.cpp
Created
February 15, 2024 21:54
-
-
Save analyticsearch/8dc1caf240d70b720448c9e843e161e4 to your computer and use it in GitHub Desktop.
This C++ code performs an integrity check on the `IsDebuggerPresent` API function in `KERNELBASE.dll` to detect any unauthorized modifications, a technique useful for evading debugging and analysis in cybersecurity operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// White Knight Labs - Offensive Development Course | |
// Anti-Debug Patch Check - KERNELBASE!IsDebuggerPresent function | |
#include <iostream> | |
#include <Windows.h> | |
// Define the expected bytes of the KERNELBASE!IsDebuggerPresent function. | |
// This array represents the specific sequence of bytes we expect to find at the | |
// beginning of the IsDebuggerPresent function in a non-modified state. | |
const unsigned char expectedBytes[] = {0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x0F, 0xB6, 0x40, 0x02, 0xC3}; | |
// Calculate the length of the expectedBytes array for use in the comparison loop. | |
const size_t expectedBytesLength = sizeof(expectedBytes) / sizeof(expectedBytes[0]); | |
int main() { | |
// Attempt to dynamically retrieve the memory address of the IsDebuggerPresent function | |
// located within KERNELBASE.dll, which is a core Windows system library. | |
auto pIsDebuggerPresent = reinterpret_cast<unsigned char*>(GetProcAddress(GetModuleHandleW(L"KERNELBASE.dll"), "IsDebuggerPresent")); | |
// Check if the retrieval was successful. If not, output an error message and exit the program. | |
if (!pIsDebuggerPresent) { | |
std::cerr << "Failed to get the address of IsDebuggerPresent from KERNELBASE.dll" << std::endl; | |
return 1; // Return a non-zero value to indicate failure. | |
} | |
// Flag to track if any modification has been detected in the IsDebuggerPresent function. | |
bool isModified = false; | |
// Iterate through each byte of the expected sequence and compare it to the actual | |
// bytes present at the function's address in memory. | |
for (size_t i = 0; i < expectedBytesLength; ++i) { | |
// If a discrepancy is found, set isModified to true and break out of the loop. | |
if (pIsDebuggerPresent[i] != expectedBytes[i]) { | |
isModified = true; | |
break; | |
} | |
} | |
// After checking all the expected bytes, output the result to the user. | |
if (isModified) { | |
// If any byte did not match, report that a modification has been detected. | |
std::cout << "Modification detected in KERNELBASE!IsDebuggerPresent." << std::endl; | |
} else { | |
// If all bytes matched, report that no modifications have been detected. | |
std::cout << "No modification detected in KERNELBASE!IsDebuggerPresent." << std::endl; | |
} | |
return 0; // Return zero to indicate successful execution. | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment