Question

I'm on a Windows 7 machine and I tried opening up kernel32.dll in IDA and IDA says that the address of the IsDebuggerPresent function is 0x77e2b020. I'm trying to call the function using inline assembly.

On a vs2010 platform, I tried using the following code:

#include <iostream>
using namespace std;

int blah() {
    __asm {
        xor eax, eax
        mov ebx, 0x77e2b020   ; address IDA showed for IsDebuggerPresent on this machine
        call ebx              ; faults here with an access violation
    }
    // no explicit return: whatever is left in eax is what blah() returns
}

int main() {
    cout << blah();
    return 0;
}

On building the exe, it shows the kernel32.dll is being loaded.

I tried debugging the exe in OllyDbg and the error is an "Access violation" when the "call" instruction executes.

Yes, I know that calling the API directly from C++ is the best/right way to do this; I'm doing this for fun. I just don't understand why this does not work.

Solution

The address 0x77e2b020 is not static, you MUST call it by name rather than by explicit address.

When you reboot, the library will be loaded at a different address if ASLR is enabled. You also cannot guarantee the library load order, so that will affect the address too.

If you're trying to do an indirect call, consider using LoadLibrary and GetProcAddress to find the address of IsDebuggerPresent at runtime.

Another issue is that you're trashing eax and ebx. You should use pushad and popad to keep the registers safe whilst you do such inline assembly, for example:

#include <windows.h>

BOOL dbgPresent = FALSE;    // receives the BOOL result
__asm {
    pushad                  ; save all general-purpose registers
    call IsDebuggerPresent  ; resolved through kernel32.lib at link time, not a hard-coded address
    mov dbgPresent, eax     ; the return value comes back in eax
    popad                   ; restore the registers
}

Licensed under: CC-BY-SA with attribution
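A corrected version of the question's program, written here as an added example (it is not code from the question or the answer): it resolves IsDebuggerPresent by name at runtime as the answer suggests, and calls through the resolved pointer using the pushad/popad pattern on 32-bit MSVC. The names resolve_is_debugger_present and call_resolved are my own, and the #else branches exist only so the file also compiles off Windows.

```cpp
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
typedef BOOL (WINAPI *IsDebuggerPresentFn)(void);
#else
typedef int (*IsDebuggerPresentFn)(void);   // stand-in so the file also compiles off Windows
#endif

// Address IDA showed on the question's machine for that particular boot.
// It is only valid until kernel32.dll is relocated, so it is printed, never called.
static const unsigned long kAddressFromIda = 0x77e2b020UL;

// Resolve the export by name instead of hard-coding an address. kernel32.dll is
// already mapped into every process, so GetModuleHandle is enough here; LoadLibrary
// would also work but adds a reference count you would have to release.
IsDebuggerPresentFn resolve_is_debugger_present() {
#ifdef _WIN32
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    if (k32 == NULL) return NULL;
    return reinterpret_cast<IsDebuggerPresentFn>(GetProcAddress(k32, "IsDebuggerPresent"));
#else
    return NULL;   // no kernel32 on this platform; NULL means "not resolved"
#endif
}

// Returns 1 if a debugger is attached, 0 if not, -1 if the export was not resolved.
int call_resolved(IsDebuggerPresentFn fn) {
    if (fn == NULL) return -1;
    int present = 0;
#if defined(_MSC_VER) && defined(_M_IX86)
    // 32-bit MSVC: the answer's pushad/popad pattern, calling through the resolved
    // pointer rather than a literal address, so no register is left trashed.
    __asm {
        pushad
        call dword ptr [fn]   ; indirect call through the function pointer
        mov present, eax      ; BOOL result comes back in eax
        popad
    }
#else
    present = fn();   // plain C++ call for x64 and non-MSVC builds
#endif
    return present ? 1 : 0;
}

int main() {
    IsDebuggerPresentFn fn = resolve_is_debugger_present();
    std::printf("IDA address : 0x%08lx\n", kAddressFromIda);
    std::printf("runtime addr: %p\n", reinterpret_cast<void*>(fn));
    std::printf("debugger    : %d\n", call_resolved(fn));
    return 0;
}
```

Run it twice across a reboot on a machine with ASLR enabled and the runtime address will generally differ from the IDA one, which is exactly why the hard-coded call faulted.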