| Trees | Indices | Help |
|---|
|
|
1 ''' 2 Try to prevent an executable from knowing it's being debugged. 3 ''' 4 import vtrace 5 import vstruct 68 """ 9 A breakpoint to fake out CheckRemoteDebuggerPresent. 10 """1912 sp = trace.getStackCounter() 13 eip, handle, outbool = trace.readMemoryFormat(sp, "<LLL") 14 trace.setRegisterByName("eax", 1) 15 trace.writeMemoryFormat(outbool, "<L", 0) 16 trace.setProgramCounter(eip) 17 trace.setStackCounter(sp+12) 18 trace.runAgain()21 peb = trace.parseExpression("peb") 22 ps = vstruct.getStructure("win32.PEB") 23 off = ps.vsGetOffset("BeingDebugged") 24 trace.writeMemoryFormat(peb+off, "<B", val)2527 28 writeBeingDebugged(trace, 0) 29 sym = trace.getSymByName("kernel32").getSymByName("CheckRemoteDebuggerPresent") 30 if sym != None: 31 addr = long(sym) 32 bp = StealthBreak(addr) 33 bpid = trace.addBreakpoint(bp) 34 trace.setMeta("Win32Stealth", bpid)3537 writeBeingDebugged(trace, 1) 38 bp = trace.getMeta("Win32Stealth") 39 if bp != None: 40 trace.setMeta("Win32Stealth", None) 41 trace.removeBreakpoint(bp)42
| Trees | Indices | Help |
|---|
| Generated by Epydoc 3.0.1 on Fri Nov 16 18:22:27 2012 | http://epydoc.sourceforge.net |