AutoHotkey Community

[SKAN]

[DeWild1]

Clash...
It is really my fault sorry. In my stupidity, I thought it was an AHK script.. It is not.
It is ASM code from Adam ( kakeeware.com ).

I should listen to my own saying.. "It is better to sit there and look stupid, rather than to open my mouth and remove all doubt."
Sorry, I need to think and read before I post..
_________________
CPULOCK.com
virusSWAT.com
GuaranteedPCFIX.com
911PCFIX.com

[Laszlo]

[Guest]

[SKAN]

[Guest]

[Clash]

Couldn't i just have this ASM code extracted to some non-immediate folder like the temp folder, and have the ahk script open it every few seconds? surely that'd deter the amature decompiler.

Apart from that script, are there any other tricks i can use?
_________________

[tic]

that would be a very annoying method, running a new exe every few seconds as it would put more strain on your hdd than was necessary, so programs would slow down every time it was run.

[Azerty]

Hi

In reply to :

[Laszlo]

Do you mean

[DerRaphael]

FYI here is the workaround for the ASM code: http://www.woodmann.com/forum/showthread.php?t=7586

wouldnt it be better to make the script hooking debug routines in windows itself via RCB? so when these are hooked, IMHO a debugger wont work anymore since its own hooks got broken.

at laszlo: why bothering with extra computer who reads out memory: when using a program in userspace an emulated windows is enough to get a memory dump (pretty easy ... for those interested, have a closer look at QEMUs Console Commands) but im sure u knew this already

at skan: i recently discussed with lexikos on irc the possibility to make a ahk dll. theoretically its possible to take a modified script engine, make a list of which compiled code (from ahks source) will be actually used by the script, take origins from sourcecode and recompile the gathered code with a c compiler (eg tcc). afterwards we will have a true PE and no scriptengine anymore. the problem is that due to AHKs license software produced this way has to be OpenSource Software, because it is technically made of sources which were already GPL'd before. So putting the resulted software under a contrary license style to GPL would violate their terms of usage and make the program 'ilegal'. though the program may have more than one license. but this is quite heavy to explain. on gnu.org is a pretty good faq of what GPL is about and whats legals whats not.

greets
derRaphael
_________________

[ AHK Forum Plugins (de/en) | AHK Help (de) | http://playahk.com]

[SKAN]

@Azerty: Many thanks, for the code and and your kindness.
@derRaphael: .. We will discuss it on IRC.

[DeWild1]

Azerty
Laszlo
DerRaphael
SKAN

Wow, thank you..

I do not understand it all, but wow...

I've been touched by the gods!
_________________
CPULOCK.com
virusSWAT.com
GuaranteedPCFIX.com
911PCFIX.com

[SKAN]

Dear Azerty,

What does Suspend ( of SysInternals Process Explorer ) do ?
I thought it should suspend a process !?
I tried suspending your script and then attach, but to my joy it still works.

Can you throw some light on this ?

[Azerty]

Skan :

I think what it does is the following : using something similar to ListProcessThreads() in Taking a Snapshot and Viewing Processes, it calls SuspendThread(). Once done, since it doesn' monitor new threads for the process (which shouldn't be able to appear since process is suspended...), it doesn't suspend the new thread created for debug session as stated there : This antidebugging trick works, because anytime a debugger is attaching itself to a debugee, system creates a new thread, which starts at DbgUiRemoteBreakin (ntdll!DbgUiRemoteBreakin) function in debugee's process space.

There's no SuspendProcess() in Windows...

[ Moderator!: links were fixed ]