* CheckRemoteDebuggerPresent
* IsDebuggerPresent
; PEB.BeingDebugged check (32-bit Windows, user mode).
; Offsets in this listing are hexadecimal, written debugger-style without a
; suffix: FS:[30] means FS:[30h].
; This reads the same byte the IsDebuggerPresent API reports, but without
; calling the API, so searching a sample's imports alone will not reveal it.
MOV EAX,DWORD PTR FS:[30] ; EAX = PEB address (FS:[30h] holds the PEB pointer)
ADD EAX,2 ; EAX = PEB+2, the address of the BeingDebugged byte
MOV EAX,DWORD PTR DS:[EAX] ; loads a dword, but only AL is BeingDebugged: 0 (no debugger) or 1 (debugger present); the upper bytes are neighbouring PEB data
OR AL,AL ; sets ZF when AL is 0; the upper bytes of EAX do not affect the result
JE NO_DEBUG ; AL == 0: jump to NO_DEBUG (label not shown on this page); otherwise fall through to the debugger-present path
* ProcessHeap
; Process-heap flag check (32-bit Windows, user mode).
; Offsets are hexadecimal in debugger notation (18 = 18h, 30 = 30h, 10 = 10h).
; NOTE(review): heap-header offset 10h matches the ForceFlags field of older
; (XP-era) 32-bit heap layouts. Later Windows versions moved the heap flag
; fields, so on those systems this comparison reads a different field and the
; result no longer indicates a debugger - confirm against the target OS.
MOV EAX,DWORD PTR FS:[18] ; EAX = TEB address (FS:[18h] holds the TEB's pointer to itself)
MOV EAX,DWORD PTR [EAX+30] ; EAX = PEB address, read from TEB+0x30
MOV EAX, DWORD PTR[EAX+18] ; EAX = ProcessHeap address, read from PEB+0x18
CMP DWORD PTR DS:[EAX+10],0 ; dword at heap+10h: 0 (no debugger) or non-zero (debugger present)
JNE DEBUG_PRESENT ; non-zero: jump to DEBUG_PRESENT (label not shown on this page)
* NtGlobalFlag
; PEB.NtGlobalFlag check (32-bit Windows, user mode).
; FS:[30] is hexadecimal (30h) in debugger notation; 068h below is the same
; radix written with an explicit suffix.
; 70h is the combination FLG_HEAP_ENABLE_TAIL_CHECK (10h) |
; FLG_HEAP_ENABLE_FREE_CHECK (20h) | FLG_HEAP_VALIDATE_PARAMETERS (40h),
; which is typically set when a process is started under a debugger.
; NOTE(review): the code tests the whole dword for zero rather than masking
; with 70h, so any other global flag being set also takes the fall-through path.
MOV EAX,DWORD PTR FS:[30] ; EAX = PEB address (FS:[30h] holds the PEB pointer)
ADD EAX,068h; EAX = PEB+68h, the address of NtGlobalFlag
MOV EAX,DWORD PTR DS:[EAX] ; EAX = NtGlobalFlag: 0x70 (debugger present) or 0
TEST EAX, EAX ; sets ZF when the whole dword is 0
JE NO_DEBUG ; zero: jump to NO_DEBUG (label not shown on this page); otherwise fall through to the debugger-present path
reflink: http://forum.exetools.com/showthread.php?t=12975