Why does this code enable me to detect a debugger?
The link above showed me how to use the prefetch queue for anti-debugging, so I tried to test it with the code below, but I failed. Can anyone help me point out whether my code is wrong? My CPU is an Intel(R) Core(TM) i7-2630QM 2.00GHz. Thanks a lot.
ML: D:\Programs\masm32\Bin\ML.EXE /c /coff /Cp /nologo /I"D:\Programs\masm32\Include" "AntiDebug.asm"
Link: D:\Programs\masm32\Bin\LINK.EXE /SECTION:.text,RWE /SUBSYSTEM:WINDOWS /RELEASE /VERSION:4.0 /LIBPATH:"D:\Programs\masm32\Lib" /OUT:"AntiDebug.exe" "AntiDebug.obj"
It always executes the debug label whether or not I am debugging, and it never executes 'jmp normal'.
        .386
        .model flat, stdcall            ; 32-bit memory model
        option casemap :none            ; case sensitive

        include windows.inc
        include kernel32.inc
        include user32.inc
        includelib kernel32.lib
        includelib user32.lib

        .data
szDebug     db 'Hey, you are debugging!!!',0
szError     db 'Error',0
szNormal    db 'You are running it without debugging',0
szPrompt    db 'Prompt',0

        .code
start:
        call    IsDebug                 ; return address is the debug label
debug:
        invoke  MessageBox, NULL, addr szDebug, addr szError, MB_OK
        invoke  ExitProcess, -1
normal:
        invoke  MessageBox, NULL, addr szNormal, addr szPrompt, MB_OK
        invoke  ExitProcess, 0

IsDebug:
        mov     al, 0c3h                ; 0C3h is the RET opcode
        mov     edi, offset IsDebug     ; destination: start of this routine (.text is linked RWE)
        mov     cx, 20h                 ; count, written to CX (low 16 bits of ECX) only
        rep     stosb                   ; store AL at [EDI], ECX times
        jmp     normal

        end start