waliedassar

PAGE_EXECUTE_WRITECOPY TRICK

Sep 26th, 2012
  //http://waleedassar.blogspot.com (@waleedassar)
  // Sample showing debugger checks built on ZwQueryInformationProcess and on the page
  // protection of a PE section that is mapped read-write-execute.
  #include "stdafx.h"
  #include "windows.h"
  // NOTE(review): incremental linking is switched off, presumably so that &main2 in main2()
  // is the function's own address inside section "xyz" and not a linker jump thunk - confirm.
  #pragma comment(linker,"/incremental:no")
  // Makes main() the image entry point directly, in place of the CRT startup routine.
  #pragma comment(linker,"/entry:main")
  // Links the ntdll import library so ZwQueryInformationProcess can be resolved.
  #pragma comment(lib,"ntdll")
  // Information-class values passed as the second argument of ZwQueryInformationProcess.
  // main2() treats a nonzero ProcessDebugPort result as "debugger present".
  #define ProcessDebugPort 0x7
  // main2() treats a non-negative status or a nonzero handle as "debugger present".
  #define ProcessDebugObjectHandle 0x1E
  // main2() treats a result of zero as "debugger present".
  #define ProcessDebugFlags 0x1F

  // Hand-written prototype for the ntdll export. Arguments, in order: process handle,
  // information class, output buffer, output buffer length in bytes, and a pointer that
  // receives the returned length (this file always passes 0 for it).
  // The return value is a status code; main2() treats values >= 0 as success.
  extern "C"
  {
      int __stdcall ZwQueryInformationProcess(HANDLE,int,void*,unsigned long,unsigned long*);
  }
  // A PE section marked Execute+Read+Write starts out with its pages protected as
  // PAGE_EXECUTE_WRITECOPY. The first write into such a page, e.g. a debugger placing a
  // software breakpoint or stepping over an instruction, changes that page's protection
  // to PAGE_EXECUTE_READWRITE.
  // Analyst note: the "xyz" section created below carries the E, R and W attributes in the
  // PE header, which is visible to static inspection of the file.
  #pragma comment(linker,"/SECTION:xyz,ERW")
  #pragma code_seg("xyz")
  // Runs four debugger checks in sequence. Each failing check shows a "BeingDebugged"
  // message box and terminates the process; the first check exits with -1, the other
  // three all exit with -2, so the exit code alone does not tell those three apart.
  // Returns 0 only when every check passes.
  int main2()
  {
      // NOTE(review): every query below passes a 4-byte output length; whether each
      // information class accepts that length on a 64-bit build is not shown here - confirm.
      const unsigned long out_len = 0x4;

      // Check 1: ProcessDebugPort. The status is not examined, so a failed query leaves
      // the zero initialiser in place and this check passes.
      unsigned long debug_port = 0;
      ZwQueryInformationProcess(GetCurrentProcess(), ProcessDebugPort, &debug_port, out_len, 0);
      if (debug_port != 0)
      {
          MessageBox(0, L"BeingDebugged", L"waliedassar", 0);
          ExitProcess(-1);
      }

      // Check 2: ProcessDebugObjectHandle. Here a successful status by itself counts as a
      // detection, as does a nonzero handle value.
      unsigned long debug_object = 0;
      int status = ZwQueryInformationProcess(GetCurrentProcess(), ProcessDebugObjectHandle, &debug_object, out_len, 0);
      if (status >= 0 || debug_object != 0)
      {
          MessageBox(0, L"BeingDebugged", L"waliedassar", 0);
          ExitProcess(-2);
      }

      // Check 3: ProcessDebugFlags. Zero is read as "debugged". The status is not examined,
      // so a failed query also leaves zero here and is reported as a debugger.
      unsigned long debug_flags = 0;
      ZwQueryInformationProcess(GetCurrentProcess(), ProcessDebugFlags, &debug_flags, out_len, 0);
      if (!debug_flags)
      {
          MessageBox(0, L"BeingDebugged", L"waliedassar", 0);
          ExitProcess(-2);
      }

      // Check 4: page protection of this function's own code. Only the address of main2
      // itself is queried. The VirtualQuery result is not checked; on failure the zeroed
      // structure does not equal PAGE_EXECUTE_WRITECOPY and the check reports a debugger.
      // Analyst note: breakpoints that do not modify code bytes (hardware breakpoints)
      // leave the page protection as it was.
      void* code_addr = &main2;
      MEMORY_BASIC_INFORMATION page_info = {0};
      VirtualQuery(code_addr, &page_info, sizeof(page_info));
      if (page_info.Protect != PAGE_EXECUTE_WRITECOPY)
      {
          MessageBox(0, L"BeingDebugged", L"waliedassar", 0);
          ExitProcess(-2);
      }

      return 0;
  }
  #pragma code_seg()
  // Image entry point (selected by the /entry:main linker pragma earlier in this file).
  // NOTE(review): with main as the raw entry point the CRT startup presumably does not run,
  // so argc/argv should not be relied on; they are unused here - confirm.
  int main(int argc, char* argv[])
  {
      (void)argc;
      (void)argv;
      // Every detection path inside main2 terminates the process itself, so the result
      // is not inspected here.
      (void)main2();
      return 0;
  }