//! Anti-debugging checks for Windows.
//!
//! Every `adbg_*` function below inspects one debugger (or analysis-tool)
//! artifact and, when it is present, terminates the process through
//! `process::exit` with a distinct code from `crate::exit_codes`. None of them
//! returns a result to the caller: a check that finds nothing simply returns,
//! and a check whose underlying API call fails is treated as "nothing found"
//! (fail-open).
//!
//! NOTE(review): generic type arguments appear to have been lost when this
//! file was extracted — `Vec` and `size_of::()` in `adbg_process_file_name`
//! are written without their `<...>` parameters. They are left as found.
//!
//! NOTE(review): the three `#[allow(...)]` attributes below are outer
//! attributes and therefore attach only to the `use crate::exit_codes;` item,
//! not to the whole module.

#[allow(unused_mut)]
#[allow(asm_sub_register)]
#[allow(unused_assignments)]
use crate::exit_codes;
use std::arch::asm;
use std::mem::size_of;
use std::process;
use std::ptr;
use winapi::shared::minwindef::BOOL;
use winapi::shared::windef::HWND;
use winapi::um::debugapi::{CheckRemoteDebuggerPresent, IsDebuggerPresent};
use winapi::um::handleapi::CloseHandle;
use winapi::um::handleapi::INVALID_HANDLE_VALUE;
use winapi::um::processthreadsapi::GetCurrentProcess;
use winapi::um::tlhelp32::CreateToolhelp32Snapshot;
use winapi::um::tlhelp32::Process32FirstW;
use winapi::um::tlhelp32::Process32NextW;
use winapi::um::tlhelp32::PROCESSENTRY32W;
use winapi::um::tlhelp32::TH32CS_SNAPPROCESS;
use winapi::um::winnt::{HANDLE};
use winapi::um::winuser::FindWindowW;
use winsafe::WString;

/// Exits with `DBG_ISDEBUGGERPRESENT` when `IsDebuggerPresent` reports a
/// user-mode debugger attached to the current process.
///
/// # Safety
/// Calls a Win32 API directly; there are no pointer arguments, so the only
/// requirement is running on Windows.
pub unsafe fn adbg_is_debugger_present() {
    if IsDebuggerPresent() != 0 {
        process::exit(exit_codes::DBG_ISDEBUGGERPRESENT);
    }
}

/// Reads the `BeingDebugged` byte of the PEB with inline assembly (the same
/// flag `IsDebuggerPresent` reports, fetched without the API call) and exits
/// with `DBG_BEINGEBUGGEDPEB` when it is non-zero.
///
/// On x86_64 the PEB pointer is loaded from `gs:[0x60]` and the byte at
/// PEB+0x02 is masked to 8 bits. On any other target the 32-bit x86 layout
/// (`fs:[0x30]`, PEB+0x02) is assumed — the `not(x86_64)` branch would not
/// assemble on a non-x86 target.
///
/// NOTE(review): `rax`/`eax` is written by the assembly but is not declared as
/// an output or clobber, so unless `found` happens to be allocated to that
/// register the compiler is not told it was modified. The 32-bit `BOOL`
/// output is also loaded from a 64-bit register, which is why
/// `asm_sub_register` is silenced at the top of the file.
pub fn adbg_being_debugged_peb() {
    let mut found: BOOL = 0;
    unsafe {
        #[cfg(target_arch = "x86_64")]
        asm!(
            "xor rax, rax",
            "mov rax, gs:[60h]",
            "mov rax, [rax + 02h]",
            "and rax, 0FFh",
            "mov {found}, rax",
            found = out(reg) found
        );
        #[cfg(not(target_arch = "x86_64"))]
        asm!(
            "xor eax, eax",
            "mov eax, fs:[0x30]",
            "mov eax, [eax + 0x02]",
            "and eax, 0xFF",
            "mov {found}, eax",
            found = out(reg) found
        );
    }
    if found != 0 {
        process::exit(exit_codes::DBG_BEINGEBUGGEDPEB);
    }
}

/// Reads `NtGlobalFlag` from the PEB (offset 0xBC on x86_64, 0x68 on 32-bit
/// x86) and exits with `DBG_NTGLOBALFLAGPEB` when any of the bits in the 0x70
/// mask is set. Those three bits are the heap-debugging flags
/// (`FLG_HEAP_ENABLE_TAIL_CHECK`, `FLG_HEAP_ENABLE_FREE_CHECK`,
/// `FLG_HEAP_VALIDATE_PARAMETERS`) that Windows sets when a process is created
/// under a debugger.
///
/// Same register-clobber and sub-register caveats as
/// [`adbg_being_debugged_peb`]; additionally the 32-bit branch here spells the
/// segment operand as `fs: [0x30]` (with a space), which the other function
/// writes as `fs:[0x30]` — whether the assembler accepts both forms is not
/// verified here.
pub fn adbg_nt_global_flag_peb() {
    let mut found: BOOL = 0;
    unsafe {
        #[cfg(target_arch = "x86_64")]
        asm!(
            "xor rax, rax",
            "mov rax, gs:[60h]",
            "mov rax, [rax + 0BCh]",
            "and rax, 70h",
            "mov {found}, rax",
            found = out(reg) found
        );
        #[cfg(not(target_arch = "x86_64"))]
        asm!(
            "xor eax, eax",
            "mov eax, fs: [0x30]",
            "mov eax, [eax + 0x68]",
            "and eax, 0x00000070",
            "mov {found}, eax",
            found = out(reg) found
        );
    }
    if found != 0 {
        process::exit(exit_codes::DBG_NTGLOBALFLAGPEB);
    }
}

/// Asks `CheckRemoteDebuggerPresent` whether a debugger is attached to the
/// current process and exits with `DBG_CHECKREMOTEDEBUGGERPRESENT` if so.
///
/// The process handle is the pseudo-handle returned by `GetCurrentProcess`,
/// which does not need to be closed. The API's own `BOOL` return value is
/// ignored, so if the call fails `found` keeps its initial `0` and the check
/// passes silently. `h_process` is first set to `INVALID_HANDLE_VALUE` and
/// then immediately overwritten, hence the `unused_assignments` allow.
///
/// # Safety
/// `&mut found` is a valid, writable pointer for the duration of the call.
pub unsafe fn adbg_check_remote_debugger_present() {
    let mut h_process: HANDLE = INVALID_HANDLE_VALUE;
    let mut found: BOOL = 0;
    h_process = GetCurrentProcess();
    CheckRemoteDebuggerPresent(h_process, &mut found);
    if found != 0 {
        process::exit(exit_codes::DBG_CHECKREMOTEDEBUGGERPRESENT);
    }
}

/// Looks for top-level windows whose *class name* is `OLLYDBG` or `ID`
/// (the OllyDbg and Immunity Debugger main-window classes) via `FindWindowW`
/// with a null window title, and exits with `DBG_FINDWINDOW` if either exists.
///
/// Both lookups always run; `found` is only read afterwards. The literals
/// are wrapped in `obfstr::obfstr!`, presumably a compile-time string
/// obfuscation macro so the class names are not visible as plain text in the
/// binary — its exact behaviour is not shown in this file.
///
/// # Safety
/// Passes NUL-terminated UTF-16 buffers owned by the local `WString`s, which
/// outlive the calls.
pub unsafe fn adbg_check_window_class_name() {
    let mut found: bool = false;
    let mut h_window: HWND = ptr::null_mut();
    let window_class_name_olly: WString = WString::from_str(obfstr::obfstr!("OLLYDBG"));
    let window_class_name_immunity: WString = WString::from_str(obfstr::obfstr!("ID"));
    h_window = FindWindowW(window_class_name_olly.as_ptr(), ptr::null_mut());
    if h_window != ptr::null_mut() {
        found = true;
    }
    h_window = FindWindowW(window_class_name_immunity.as_ptr(), ptr::null_mut());
    if h_window != ptr::null_mut() {
        found = true;
    }
    if found {
        process::exit(exit_codes::DBG_FINDWINDOW);
    }
}

/// Intended counterpart of [`adbg_check_window_class_name`] that matches on
/// window *titles* (`OllyDbg - [CPU]`, `Immunity Debugger - [CPU]`) and exits
/// with `DBG_FINDWINDOW` on a hit.
///
/// NOTE(review): `FindWindowW` takes `(lpClassName, lpWindowName)`. Here the
/// title strings are passed as the first argument with a null second
/// argument, so as written this searches for window *classes* named
/// `OllyDbg - [CPU]` / `Immunity Debugger - [CPU]`, not for window titles.
///
/// # Safety
/// Same as [`adbg_check_window_class_name`].
pub unsafe fn adbg_check_window_name() {
    let mut found: bool = false;
    let mut h_window: HWND = ptr::null_mut();
    let window_name_olly: WString = WString::from_str(obfstr::obfstr!("OllyDbg - [CPU]"));
    let window_name_immunity: WString = WString::from_str(obfstr::obfstr!("Immunity Debugger - [CPU]"));
    h_window = FindWindowW(window_name_olly.as_ptr(), ptr::null_mut());
    if h_window != ptr::null_mut() {
        found = true;
    }
    h_window = FindWindowW(window_name_immunity.as_ptr(), ptr::null_mut());
    if h_window != ptr::null_mut() {
        found = true;
    }
    if found {
        process::exit(exit_codes::DBG_FINDWINDOW);
    }
}

/// Walks a `TH32CS_SNAPPROCESS` snapshot of running processes and exits with
/// `DBG_PROCESSFILENAME` if any entry's executable name (NUL characters
/// stripped, lower-cased) equals one of the names in `debuggers_filename`.
///
/// Despite the function name, the list covers more than debuggers: it also
/// includes network analyzers, process viewers, and VM guest / sandbox agent
/// processes (VirtualBox, VMware, Parallels, Xen, QEMU, Joe Sandbox), so a
/// match here also means "running inside an analysis environment".
///
/// Behavioural details worth knowing:
/// - The snapshot handle is not compared against `INVALID_HANDLE_VALUE`; a
///   failed snapshot just makes `Process32FirstW` fail and the check passes.
/// - The entry filled in by `Process32FirstW` is only used to validate the
///   snapshot; comparisons start with the first `Process32NextW` entry.
/// - `debuggers_filename` is cloned once per process and the executable
///   name is re-decoded once per list entry; correct, but more work than
///   needed.
/// - `CloseHandle` is only reached when nothing matched, since a match calls
///   `process::exit` first (the OS reclaims the handle in that case).
/// - `process_information` is a `&mut` to a temporary whose lifetime is
///   extended to the end of the function; the `mut` on the binding is unused,
///   hence the `unused_mut` allow.
///
/// NOTE(review): `Vec` and `size_of::()` are missing their type arguments in
/// this copy of the file (see the module comment). `dwSize` must hold the
/// size of `PROCESSENTRY32W` before `Process32FirstW` is called.
///
/// # Safety
/// `process_information` points to a properly sized, writable
/// `PROCESSENTRY32W` for every Toolhelp call; `process_list` is passed to
/// `CloseHandle` exactly once on the non-exiting path.
pub unsafe fn adbg_process_file_name() {
    let debuggers_filename: Vec = vec![
        String::from(obfstr::obfstr!("cheatengine-x86_64.exe")),
        String::from(obfstr::obfstr!("ollydbg.exe")),
        String::from(obfstr::obfstr!("ida.exe")),
        String::from(obfstr::obfstr!("ida64.exe")),
        String::from(obfstr::obfstr!("radare2.exe")),
        String::from(obfstr::obfstr!("x64dbg.exe")),
        String::from(obfstr::obfstr!("httpdebuggerui.exe")),
        String::from(obfstr::obfstr!("wireshark.exe")),
        String::from(obfstr::obfstr!("fiddler.exe")),
        String::from(obfstr::obfstr!("vboxservice.exe")),
        String::from(obfstr::obfstr!("processhacker.exe")),
        String::from(obfstr::obfstr!("pestudio.exe")),
        String::from(obfstr::obfstr!("x96dbg.exe")),
        String::from(obfstr::obfstr!("x32dbg.exe")),
        String::from(obfstr::obfstr!("prl_cc.exe")),
        String::from(obfstr::obfstr!("prl_tools.exe")),
        String::from(obfstr::obfstr!("xenservice.exe")),
        String::from(obfstr::obfstr!("qemu-ga.exe")),
        String::from(obfstr::obfstr!("joeboxcontrol.exe")),
        String::from(obfstr::obfstr!("ksdumperclient.exe")),
        String::from(obfstr::obfstr!("ksdumper.exe")),
        String::from(obfstr::obfstr!("joeboxserver.exe")),
        String::from(obfstr::obfstr!("df5serv.exe")),
        String::from(obfstr::obfstr!("vboxtray.exe")),
        String::from(obfstr::obfstr!("vmtoolsd.exe")),
        String::from(obfstr::obfstr!("vmwaretray.exe")),
        String::from(obfstr::obfstr!("vmwareuser.exe")),
        String::from(obfstr::obfstr!("vgauthservice.exe")),
        String::from(obfstr::obfstr!("vmacthlp.exe")),
        String::from(obfstr::obfstr!("vmsrvc.exe")),
        String::from(obfstr::obfstr!("vmusrvc.exe"))
    ];
    // Zero-initialised entry; dwSize is filled in below as Toolhelp requires.
    let mut process_information = &mut PROCESSENTRY32W {
        dwSize: 0,
        cntUsage: 0,
        th32ProcessID: 0,
        th32DefaultHeapID: 0,
        th32ModuleID: 0,
        cntThreads: 0,
        th32ParentProcessID: 0,
        pcPriClassBase: 0,
        dwFlags: 0,
        szExeFile: [0; 260],
    };
    let process_list: HANDLE = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    process_information.dwSize = size_of::() as u32;
    if Process32FirstW(process_list, process_information) != 0 {
        while Process32NextW(process_list, process_information) != 0 {
            for debugger in debuggers_filename.clone() {
                // szExeFile is a fixed 260-wchar buffer; decode it, drop the
                // padding NULs, and normalise case to match the lowercase list.
                let exe_file = WString::from_wchars_slice(&process_information.szExeFile[..])
                    .to_string()
                    .replace("\u{0}", "")
                    .to_lowercase();
                if exe_file == debugger {
                    process::exit(exit_codes::DBG_PROCESSFILENAME);
                }
            }
        }
    }
    CloseHandle(process_list);
}