Anti BPX

Marcello Cantelmo, 8 Sep 2004
Simple check for break-points on eXecution of a system debugger!

Sample Image - Anti_BPX.jpg


Any piece of software can be analyzed step by step in a debugger. A debugger is a legitimate instrument for discovering bugs, but very often it is used by hackers/crackers to alter the protection routines of our programs or, worse, to reverse engineer an entire algorithm.


Windows systems provide an API function called IsDebuggerPresent (exported by kernel32.dll) that reports whether a debugger is attached to the calling process. This function does not exist in Windows 95. The example is also an interesting demonstration of working with raw memory pointers from VB.NET.

Example code (VB.NET):

Declare Function IsDebuggerPresent Lib "kernel32" () As Integer

Dim chkDebug As Integer = IsDebuggerPresent()
' chkDebug = 0 --> not debugged
' chkDebug = 1 --> debugged

Using the code

This demonstration assumes that the SoftIce debugger is being used.

It all seems simple: I can stop a hacker! Unfortunately, the truth is very different, because our adversary can proceed as follows:

  1. Start the debugger;
  2. Press Ctrl+D;
  3. Type BPX IsDebuggerPresent;
  4. Press F5 to let the program run, and magically a window similar to this appears (x86 assembler):

    001B:77E52740    64A118000000    MOV    EAX, FS:[00000018] 
    001B:77E52746    8B4030          MOV    EAX, [EAX+30] 
    001B:77E52749    0FB64002        MOVZX  EAX, BYTE PTR [EAX+02] 
    001B:77E5274D    C3              RET

At this point the adversary needs no further work other than changing the return value of the function, and/or patching the library kernel32.dll directly:

001B:77E52749    0FB64002        MOVZX  EAX, BYTE PTR [EAX+02]

It becomes:

001B:77E52749    33C0            XOR    EAX, EAX    ;return always 0 !
001B:77E5274B    90              NOP                ;nothing
001B:77E5274C    90              NOP

Our adversary is a good reverser! But what can we do about it? We can check for the presence of a BPX. Setting a BPX means, in practice, writing the byte value 0CCh (the INT 3 opcode) into a given memory location. To address this, we obtain the address of the memory that interests us (in this case, on my WinXP Home, 77E52740h) and verify whether any of its 14 bytes holds the value 0CCh. It all seems very simple.

We use the following APIs:

Declare Function LoadLibrary Lib "kernel32" Alias _
      "LoadLibraryA" (ByVal lpLibFileName As String) As Integer
Declare Function FreeLibrary Lib "kernel32" Alias _
      "FreeLibrary" (ByVal hLibModule As Integer) As Integer
Declare Function GetProcAddress Lib "kernel32" Alias _
      "GetProcAddress" (ByVal hModule As Integer, _
      ByVal lpProcName As String) As Integer

And we proceed as follows:

  1. We load the library kernel32.dll into memory;
  2. We obtain the address of the IsDebuggerPresent API with GetProcAddress;
  3. We analyze the memory area at that address.

Example code (VB.NET):

' requires: Imports System.Runtime.InteropServices (for Marshal) at the top of the file
Dim hLib As Integer = LoadLibrary("kernel32") 'module base address
Dim apiaddress As Integer = GetProcAddress(hLib, _
                "IsDebuggerPresent") 'return value: 77E52740h (on my WinXP)
Dim memdebug(13) As Byte 'length 14, indexes 0..13
Marshal.Copy(New IntPtr(apiaddress), _
        memdebug, _
        0, _
        memdebug.Length) 'copy the first 14 bytes of the function into memdebug
Dim bFlag As Boolean = False
Dim ij As Integer
For ij = 0 To memdebug.Length - 1
    If memdebug(ij) = &HCC Then
        '[i] no bpx please
        bFlag = True
        Exit For
    End If
Next ij
FreeLibrary(hLib) 'release library
If bFlag Then
    '[i] some actions: reset, hd format ;-p, ...your creativity!
End If

Clearly, this is only an example: you can analyze and check any portion of memory, starting from its address.
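As an added example (my code, not the article's or its author's), here is the same check written in C and run over byte strings constructed from the article's own SoftIce listing, so it executes anywhere without a debugger or a Windows box. It goes slightly beyond the article: besides the 0CCh scan it also compares the 14-byte window against a known-good copy, which catches the XOR EAX,EAX / NOP / NOP patch described above (that patch never uses 0CCh, so the plain scan misses it), and it includes a constructed instruction whose displacement byte happens to be 0CCh, which the plain scan reports as a false positive. The names has_int3, first_mismatch and the sample arrays are my own; reading the live bytes through LoadLibrary/GetProcAddress stays as the article shows it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the window the article checks: the 14 bytes of IsDebuggerPresent. */
#define STUB_LEN 14

/* The 14 bytes of IsDebuggerPresent as the article's SoftIce listing shows
 * them (WinXP, 77E52740h):
 *   64 A1 18 00 00 00   MOV   EAX, FS:[00000018]
 *   8B 40 30            MOV   EAX, [EAX+30]
 *   0F B6 40 02         MOVZX EAX, BYTE PTR [EAX+02]
 *   C3                  RET                                              */
static const uint8_t CLEAN_STUB[STUB_LEN] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x30,
    0x0F, 0xB6, 0x40, 0x02,
    0xC3
};

/* Constructed: the same stub after "BPX IsDebuggerPresent", i.e. with the
 * first byte replaced by INT 3 (CCh), which is what the article's scan
 * assumes the process sees when it reads its own code.                  */
static const uint8_t BPX_STUB[STUB_LEN] = {
    0xCC, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x30,
    0x0F, 0xB6, 0x40, 0x02,
    0xC3
};

/* Constructed: the in-place patch from the article, MOVZX replaced by
 * XOR EAX,EAX / NOP / NOP (33 C0 90 90). There is no CCh byte at all.   */
static const uint8_t PATCHED_STUB[STUB_LEN] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x30,
    0x33, 0xC0, 0x90, 0x90,
    0xC3
};

/* Constructed: a harmless routine whose displacement byte is CCh:
 *   8B 40 CC   MOV EAX, [EAX-34]   (disp8 = CCh = -52)
 *   C3         RET                                                       */
static const uint8_t LEGIT_CC[4] = { 0x8B, 0x40, 0xCC, 0xC3 };

/* The article's check: true if any byte of the window equals CCh (INT 3). */
bool has_int3(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0xCC)
            return true;
    return false;
}

/* Stronger check: compare the window byte-for-byte with a known-good copy.
 * Returns the index of the first differing byte, or -1 if identical. This
 * also catches patches that never write CCh, such as the XOR/NOP rewrite. */
int first_mismatch(const uint8_t *code, const uint8_t *expected, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] != expected[i])
            return (int)i;
    return -1;
}

static void report(const char *name, const uint8_t *code)
{
    printf("%-8s int3 scan: %-3s  first mismatch vs clean copy: %d\n", name,
           has_int3(code, STUB_LEN) ? "yes" : "no",
           first_mismatch(code, CLEAN_STUB, STUB_LEN));
}

int main(void)
{
    report("clean",   CLEAN_STUB);    /* no  / -1 */
    report("bpx",     BPX_STUB);      /* yes /  0 */
    report("patched", PATCHED_STUB);  /* no  /  9  -> the CCh scan misses it */
    printf("legit    int3 scan: %s   (false positive: CCh is an operand byte)\n",
           has_int3(LEGIT_CC, sizeof LEGIT_CC) ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler (for instance cc anti_bpx.c -o anti_bpx). On a live system the window would be filled from the address GetProcAddress returns, exactly as the VB.NET code does; the known-good copy in first_mismatch must match the exact kernel32 build in use, so in practice it is recorded per version rather than hard-coded.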

Points of Interest

Stopping the reverse engineering of our programs makes life difficult for hackers, at least for those who are not too good!

For other information, please visit my web site (in continuous modernization).


September 2004: First public release. (Sorry for my bad English...I'm Italian.)


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Marcello Cantelmo
President Cantelmo Software
Italy
President of "Cantelmo Software" (micro-ISV situated in Lizzanello (Lecce) - Italy): Development Software and Professional Component for .NET Platform. Author of Goliath .NET Obfuscator

Article Copyright 2004 by Marcello Cantelmo
Everything else Copyright © CodeProject, 1999-2017