
Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

05 Aug 2017, 7:54 am

AngryAngryAngry wrote:
Ichinin wrote:
* In 2006, while I was working as a teacher, I showed decompilers to my students, and while I was doing that I wrote a tiny program to show that you could subvert or crash the decompiler just to screw with the reverse engineer :)

That is awesome, can you give any indications how this works?
Is it something that just prevents the compiler from opening or translating the code properly?


Well, you can do this in a few ways.

* Check the process list names for "dbg"
* Check the parent process PID and enumerate if it is ollydbg or idapro
* Check the IsDebuggerPresent API call; it probably won't help much nowadays.

Then when you find the PID, open the process, enumerate threads and use suspend on them. Or fill the process memory with junk that makes it crash. Or, more fun, CreateRemoteThread() and inject some fun shellcode :D

EDIT: This only works when someone initially starts a PE executable to see what it is doing; if someone is slowly stepping each instruction, they will see it.


_________________
"It is far better to grasp the Universe as it really is than to persist in delusion, however satisfying and reassuring" (Carl Sagan)