Anti-VM basic implementation
by Vittlesical - Thursday June 13, 2024 at 10:31 PM
#11
Wow, I'm glad you've figured out how to find !PEB->IsDebuggerPresent()

Congrats kiddo!

#12
(Jun 17, 2024, 12:17 AM)putrid Wrote: Wow, I'm glad you've figured out how to find !PEB->IsDebuggerPresent()

Congrats kiddo!

Yeah, thanks! But ever heard of CPUID? Seems not, so I'll show you something:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <intrin.h>   // __debugbreak()

// Global variable to track if a debugger is detected
bool g_bDebugged = false;

// Exception filter function for the long-form check
LONG WINAPI filter(struct _EXCEPTION_POINTERS *ep) {
    g_bDebugged = ep->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT;
    // For the long form (CD 03) the kernel backs the instruction pointer up by
    // one byte, which leaves it on the 0x03 byte in the middle of the two-byte
    // instruction; advance it past the whole instruction
    if (ep->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT) {
#if defined(_M_X64)
        ep->ContextRecord->Rip += 1;
#else
        ep->ContextRecord->Eip += 1;
#endif
    }
    return EXCEPTION_EXECUTE_HANDLER;
}

// Function to check if debugger is present (short form, CC)
bool IsDebugged() {
    __try {
        // Trigger a breakpoint exception
        __debugbreak();
        // If a debugger is present it swallows the exception and execution reaches here
        return true;
    } __except(EXCEPTION_EXECUTE_HANDLER) {
        // If no debugger, the exception is delivered to our handler
        return false;
    }
}

// Executes the long-form breakpoint (CD 03) from a small executable stub.
// MSVC's inline assembler has no .byte directive and is not available on x64,
// so the two bytes are written to executable memory followed by RET (C3).
// The stub is allocated once and kept, because the SEH unwind skips any cleanup.
void LongFormBreakpoint() {
    static void (*stub)() = NULL;
    if (stub == NULL) {
        static const unsigned char code[] = { 0xCD, 0x03, 0xC3 };
        void *mem = VirtualAlloc(NULL, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        if (mem == NULL) return;
        memcpy(mem, code, sizeof(code));
        stub = (void (*)())mem;
    }
    stub();
}

// Function to check if debugger is present (long form)
bool IsDebuggedLongForm() {
    __try {
        // Trigger a long form breakpoint exception
        LongFormBreakpoint();
    } __except (filter(GetExceptionInformation())) {
        // If an exception occurs, the filter function will be called
        return g_bDebugged;
    }
    // If a debugger is present, execution will reach here
    return true;
}

int main() {
    if (IsDebugged()) {
        printf("Debugger detected (short form).\n");
    } else {
        printf("No debugger detected (short form).\n");
    }

    if (IsDebuggedLongForm()) {
        printf("Debugger detected (long form).\n");
    } else {
        printf("No debugger detected (long form).\n");
    }

    return 0;
}
This is code I've implemented using short/long-form breakpoints and SEH to detect whether a debugger is there or not,
aka anti-debugging using SL breakpoints (:
See this graph to understand: [Image: new.png]


And I'll show you more:
#include <stdio.h>
#include <string.h>

// Execute cpuid for the given leaf (GCC/Clang inline asm) and store
// EAX, EBX, ECX, EDX in data[0..3]
void execute_cpuid(unsigned int eax, unsigned int *data) {
    __asm__ __volatile__(
        "cpuid"
        : "=a"(data[0]), "=b"(data[1]), "=c"(data[2]), "=d"(data[3])
        : "a"(eax), "c"(0)   // ECX selects the sub-leaf; zero it so the result is deterministic
    );
}

// Leaf 0x40000000 returns the hypervisor vendor signature as 12 bytes spread
// over EBX, ECX, EDX, which sit contiguously in data[1..3]
int is_vmware() {
    unsigned int data[4];
    execute_cpuid(0x40000000, data);
    return memcmp(&data[1], "VMwareVMware", 12) == 0;
}

int is_virtualbox() {
    unsigned int data[4];
    execute_cpuid(0x40000000, data);
    return memcmp(&data[1], "VBoxVBoxVBox", 12) == 0;
}

int is_hyperv() {
    unsigned int data[4];
    execute_cpuid(0x40000000, data);
    return memcmp(&data[1], "Microsoft Hv", 12) == 0;
}

// QEMU without KVM acceleration (the TCG emulator) reports this signature
int is_qemu() {
    unsigned int data[4];
    execute_cpuid(0x40000000, data);
    return memcmp(&data[1], "TCGTCGTCGTCG", 12) == 0;
}

int main() {
    int is_under_vm = 0;

    if (is_vmware() || is_virtualbox() || is_hyperv() || is_qemu()) {
        is_under_vm = 1;
    }

    printf("Is the system running under a VM? %s\n", is_under_vm ? "Yes" : "No");
    return 0;
}
And this is code implemented using CPUID to execute specific vendor-string checks to see whether the env is a VM or not.
And return to the main page of the thread to understand Mr. FUD Windows Loader with EFI Drivers (:

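An added example from the analysis-environment side (not code from this thread): it reads the same 0x40000000 leaf the post above uses, but first checks the hypervisor-present bit CPUID.1:ECX[31] and keeps the signature decoding separate from the CPUID call, so a sandbox operator can test what their VM exposes and the decoding can be verified on constructed register values. It assumes GCC or Clang on x86 (the <cpuid.h> helpers); the name table covers only the four signatures from the post.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helpers: __get_cpuid(), __cpuid() */
#endif
#define HV_PRESENT_BIT (1u << 31)   /* CPUID.1:ECX[31], the "hypervisor present" convention */
#define HV_VENDOR_LEAF 0x40000000u  /* vendor signature returned in EBX:ECX:EDX */

/* Pack the three signature registers into a NUL-terminated 12-character string */
static void hv_signature(unsigned ebx, unsigned ecx, unsigned edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Map a signature to a hypervisor name (the four from the post); unknown ones yield NULL */
static const char *hv_name(const char *sig) {
    static const struct { const char *sig, *name; } known[] = {
        { "VMwareVMware", "VMware" }, { "VBoxVBoxVBox", "VirtualBox" },
        { "Microsoft Hv", "Hyper-V" }, { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i].sig) == 0) return known[i].name;
    return NULL;
}

/* Probe the running CPU: 1 = hypervisor bit set and sig filled, 0 = bit clear
   (bare metal, or a hypervisor configured to hide), -1 = not an x86 build */
static int hv_probe(char sig[13]) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !(c & HV_PRESENT_BIT)) return 0;
    __cpuid(HV_VENDOR_LEAF, a, b, c, d);   /* the leaf is only meaningful once the bit is set */
    hv_signature(b, c, d, sig);
    return 1;
#else
    (void)sig;
    return -1;
#endif
}

int main(void) {
    char sig[13];
    int r = hv_probe(sig);
    if (r < 0) puts("not an x86 build");
    else if (r == 0) puts("hypervisor bit clear: vendor leaf not consulted");
    else printf("hypervisor signature \"%s\" (%s)\n", sig, hv_name(sig) ? hv_name(sig) : "unknown");
    return 0;
}
```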
#13
Looks great bro, thanks :)