assembly x86 fasm

PoC Anti-Debugging technique causes program to terminate?


I'm teaching myself to analyze malware, and in order to increase my understanding of some of the more common anti-debugging techniques, I wrote the int 2d debugger detection concept in assembly. However, when it reaches the int 2d, the program terminates rather than skipping the expected opcode. Here is my code:

include 'win32ax.inc'

.data
dbg db "Debugger!",0
nodbg db "No debugger!",0

.code
start:
xor eax,eax    ;set the zero flag
int 2dh        ;The debugger detection interrupt

inc eax        ;the instruction to be skipped during debugging
jnz notpresent ;the jump

invoke MessageBox,0,dbg,dbg,MB_OK ;Debugger detected!
jmp exit

notpresent:
invoke MessageBox,0,nodbg,nodbg,MB_OK ;No debugger detected!

exit:
invoke ExitProcess,0
.end start

What it should have done was jump to the MessageBox saying "No debugger!"; instead, when it reaches the int 2d opcode, the program crashes even when not being debugged. Any helpful tips? What have I done wrong and how can I fix it? I'm using The Flat Assembler, if that helps.


Solution

  • INT 2Dh will throw an exception if no debugger is attached. So you need to handle this exception or your program will crash.

    Which debugger did you try? It seems that many of them won't handle this opcode correctly and might crash or show unexpected behaviour.

    A code example and more information might be found here: OpenRCE Debugger Detection
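As an added example (not the OpenRCE code and not the asker's), here is the same check with a frame-based SEH handler installed around the INT 2Dh, so that the no-debugger case is caught instead of terminating the process. It is 32-bit FASM using win32ax.inc; the CONTEXT_EIP offset (0B8h) and STATUS_BREAKPOINT value are assumed from the public x86 CONTEXT and EXCEPTION_RECORD layouts.

```assembly
include 'win32ax.inc'

CONTEXT_EIP       = 0B8h       ; offset of Eip in the x86 CONTEXT structure (assumed)
STATUS_BREAKPOINT = 80000003h  ; exception code raised by int 2Dh without a debugger

.data
dbg   db "Debugger!",0
nodbg db "No debugger!",0

.code
start:
        ; install a frame-based SEH record: fs:[0] -> { previous frame, handler }
        push    seh_handler
        push    dword [fs:0]
        mov     [fs:0],esp

        xor     eax,eax
        int     2dh             ; no debugger: exception -> seh_handler -> notpresent
        inc     eax             ; debugger present: EIP was advanced by one, this byte is skipped
        ; falling through here means a debugger consumed the interrupt
        pop     dword [fs:0]    ; unlink our SEH record
        add     esp,4
        invoke  MessageBox,0,dbg,dbg,MB_OK
        jmp     exit

notpresent:
        pop     dword [fs:0]    ; unlink our SEH record (esp was restored from the CONTEXT)
        add     esp,4
        invoke  MessageBox,0,nodbg,nodbg,MB_OK
exit:
        invoke  ExitProcess,0

; Exception handler, called by ntdll with cdecl arguments:
;   [esp+4]=ExceptionRecord [esp+8]=EstablisherFrame
;   [esp+0Ch]=ContextRecord  [esp+10h]=DispatcherContext
seh_handler:
        mov     ecx,[esp+4]
        cmp     dword [ecx],STATUS_BREAKPOINT       ; ExceptionCode is the first field
        jne     .search                             ; anything else: let someone else handle it
        mov     eax,[esp+0Ch]
        mov     dword [eax+CONTEXT_EIP],notpresent  ; resume execution at notpresent
        xor     eax,eax                             ; ExceptionContinueExecution = 0
        ret
.search:
        mov     eax,1                               ; ExceptionContinueSearch
        ret

.end start
```

Note that the handler only claims the breakpoint exception and passes everything else on, and that both exit paths unlink the SEH record before calling into user32, so a fault inside MessageBox is not misreported as "no debugger".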