waliedassar

64-Bit ZwQueryObject (Detect Debuggers)

Feb 27th, 2013
  1. //http://waleedassar.blogspot.com
  2. //@waleedassar
  3.  
  4. //Using the "ZwQueryObject" function to detect debuggers
  5. // 64-Bit code
  6.  
  7. #include "stdafx.h"
  8. #include "windows.h"
  9. #include "stdio.h"
  10.  
  // Hand-rolled, layout-compatible stand-in for the native UNICODE_STRING
  // on 64-bit Windows. Length and MaxLength are byte counts, not character
  // counts; main() treats MaxLength as including the terminating NUL
  // (it copies (MaxLength-2)/2 characters).
  struct UNICODE_STRING
  {
      unsigned short Length;     // bytes in use
      unsigned short MaxLength;  // bytes available, incl. the NUL as used by main()
      unsigned long pad;         // alignment filler so Buffer lands on an 8-byte boundary; no data
      wchar_t* Buffer;           // points at the wide characters (inside the query buffer here)
  };
  18.  
  // Mirror of the Win32 GENERIC_MAPPING: the four access masks that map the
  // GENERIC_* rights onto a type's specific rights. Each field is a 32-bit
  // ACCESS_MASK (unsigned long is 32 bits under MSVC x64).
  // NOTE(review): the name starts with '_' + uppercase, which is reserved
  // for the implementation; it is kept only because SINGLE_OBJECT_BLOCK and
  // main() refer to it.
  struct _GENERIC_MAPPING_
  {
     unsigned long GenericRead;
     unsigned long GenericWrite;
     unsigned long GenericExecute;
     unsigned long GenericAll;
  };
  26.  
  // One entry of the object-type list returned by ZwQueryObject with
  // information class 3. Field offsets are hand-derived for 64-bit Windows
  // (MSVC LLP64: unsigned long is 32 bits, unsigned long long is 64);
  // pad0..pad6 are unnamed space in the native structure, not data.
  // The layout is not a documented contract and may differ between Windows
  // builds — TODO(review): confirm against the target kernel before trusting
  // any field beyond TypeName.
  struct SINGLE_OBJECT_BLOCK
  {
      UNICODE_STRING     TypeName;            // type name; Buffer points into the query buffer
      unsigned long TotalNumberOfObjects;     // live objects of this type as reported by the kernel (type-wide, not per process)
      unsigned long TotalNumberOfHandles;     // open handles to objects of this type
      unsigned long long pad0;
      unsigned long long pad1;
      unsigned long HighWaterNumberOfObjects;
      unsigned long HighWaterNumberOfHandles;
      unsigned long long pad3;
      unsigned long long pad4;
      unsigned long InvalidAttributes;        // OBJ_* attribute bits the type rejects
      _GENERIC_MAPPING_ GenericMapping;
      unsigned long ValidAccessMask;
      bool ObjectTypeFlags_SecurityRequired;
      bool ObjectTypeFlags_MaintainHandleCount;
      bool pad5;
      bool pad6;
      unsigned long PoolType;
      unsigned long DefaultPagedPoolCharge;
      unsigned long DefaultNonPagedPoolCharge;
      // Not used as the stride: main() locates the next block from
      // TypeName.Buffer + TypeName.MaxLength rounded up to 8 bytes, so
      // sizeof(SINGLE_OBJECT_BLOCK) never describes the real entry size.
      wchar_t  Name[0x20];
  };
  50.  
  51.  
  // Header of the buffer filled by ZwQueryObject(…, 0x3, …): a 64-bit entry
  // count followed by the first variable-length SINGLE_OBJECT_BLOCK. Block[1]
  // is the old-style "trailing array" idiom; the remaining entries follow in
  // the same buffer and are reached by the pointer walk in main(), not by
  // indexing Block[].
  struct OBJECT_TYPE_ALL_INFO
  {
      unsigned long long NumberOfObjectTypes;   // number of SINGLE_OBJECT_BLOCK entries that follow
      SINGLE_OBJECT_BLOCK Block[1];             // first entry; others are found by walking
  };
  57.  
  58.  
  59.  
  // Prototype for ntdll's ZwQueryObject (must be linked against ntdll).
  // The widths are hand-picked for the x64 calling convention rather than
  // copied from the official signature, which uses 32-bit ULONG for the
  // information class, the buffer length and the returned length: the kernel
  // writes only the low 32 bits of *pResultLength, so the caller must
  // pre-zero the 64-bit variable it passes. The return value is an NTSTATUS;
  // negative values are failures (a too-small buffer reports the needed
  // size through pResultLength).
  extern "C"
  {
      int ZwQueryObject(HANDLE hObject,unsigned long long InfoClass,void* pInfo,
                         unsigned long long InfoLength,unsigned long long* pResultLength);
  }
  65.    
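  // Copy a type name out of the query buffer into a NUL-terminated wide
  // string. 'nameBytes' is the number of bytes in use (already validated by
  // the caller to lie inside the buffer). Returns NULL when LocalAlloc fails;
  // the caller releases the result with LocalFree.
  static wchar_t* copy_type_name(const wchar_t* src, unsigned long nameBytes)
  {
      // One extra wchar_t guarantees termination even when Length == MaxLength;
      // LMEM_ZEROINIT supplies the NUL.
      wchar_t* pName = (wchar_t*)LocalAlloc(LMEM_ZEROINIT, (size_t)nameBytes + sizeof(wchar_t));
      if (pName)
      {
          memcpy(pName, src, nameBytes);
      }
      return pName;
  }

  // Print one SINGLE_OBJECT_BLOCK and show the "Debugger detected" box when
  // it is the "DebugObject" type with live objects. 'base'/'end' bound the
  // query buffer; returns false when the block or its name buffer lies
  // outside it, which means the hand-coded layout does not match this kernel
  // and the walk must stop instead of reading wild memory.
  static bool dump_block(unsigned long long index, const SINGLE_OBJECT_BLOCK* pBlock,
                         uintptr_t base, uintptr_t end)
  {
      const uintptr_t blk = (uintptr_t)pBlock;
      // Every field read below sits before the Name[] trailer, so that many
      // bytes must remain in the buffer.
      if (blk < base || blk > end || end - blk < offsetof(SINGLE_OBJECT_BLOCK, Name))
      {
          return false;
      }

      const uintptr_t nameBuf = (uintptr_t)pBlock->TypeName.Buffer;
      const unsigned long maxBytes = pBlock->TypeName.MaxLength;
      unsigned long useBytes = pBlock->TypeName.Length;
      if (nameBuf < base || nameBuf > end || end - nameBuf < maxBytes)
      {
          return false;
      }
      if (useBytes > maxBytes)
      {
          useBytes = maxBytes;   // never trust Length beyond the declared capacity
      }

      wchar_t* pName = copy_type_name(pBlock->TypeName.Buffer, useBytes);
      if (!pName)
      {
          wprintf(L"%llu: LocalAlloc failed, entry skipped\r\n", index);
          return true;   // the walk itself is still valid
      }
      wprintf(L"%llu: Type Name: %s\r\n", index, pName);

      //-----------
      // TotalNumberOfObjects is the type-wide count reported by the kernel, so
      // a debug object anywhere on the machine (not only one attached to this
      // process) satisfies this test.
      if (!wcscmp(pName, L"DebugObject") && pBlock->TotalNumberOfObjects)
      {
          MessageBox(0, L"Debugger detected", L"waliedassar", 0);
      }
      LocalFree(pName);
      //-------

      // %lx matches the 32-bit unsigned long fields; the bool flags are
      // promoted to int, hence the cast.
      wprintf(L"---TotalNumberOfObjects %lx\r\n", pBlock->TotalNumberOfObjects);
      wprintf(L"---TotalNumberOfHandles %lx\r\n", pBlock->TotalNumberOfHandles);
      wprintf(L"---InvalidAttributes %lx\r\n", pBlock->InvalidAttributes);
      wprintf(L"---GenericRead %lx\r\n", pBlock->GenericMapping.GenericRead);
      wprintf(L"---GenericWrite %lx\r\n", pBlock->GenericMapping.GenericWrite);
      wprintf(L"---GenericExecute %lx\r\n", pBlock->GenericMapping.GenericExecute);
      wprintf(L"---GenericAll %lx\r\n", pBlock->GenericMapping.GenericAll);
      wprintf(L"---ValidAccessMask %lx\r\n", pBlock->ValidAccessMask);
      wprintf(L"---Flag SecurityRequired %x\r\n", (unsigned)pBlock->ObjectTypeFlags_SecurityRequired);
      wprintf(L"---Flag MaintainHandleCount %x\r\n", (unsigned)pBlock->ObjectTypeFlags_MaintainHandleCount);
      wprintf(L"---PoolType %lx\r\n", pBlock->PoolType);
      wprintf(L"---DefaultPagedPoolCharge %lx\r\n", pBlock->DefaultPagedPoolCharge);
      wprintf(L"---DefaultNonPagedPoolCharge %lx\r\n", pBlock->DefaultNonPagedPoolCharge);
      return true;
  }

  // Walk every entry in the buffer filled by ZwQueryObject. Returns false if
  // the walk ran off the end of the buffer (layout mismatch).
  static bool walk_types(const OBJECT_TYPE_ALL_INFO* pInfo, unsigned long long bufSize)
  {
      const uintptr_t base = (uintptr_t)pInfo;
      const uintptr_t end = base + (uintptr_t)bufSize;
      const SINGLE_OBJECT_BLOCK* pBlocks = &pInfo->Block[0];

      for (unsigned long long i = 0; i < pInfo->NumberOfObjectTypes; i++)
      {
          if (!dump_block(i, pBlocks, base, end))
          {
              wprintf(L"entry %llu lies outside the query buffer; stopping\r\n", i);
              return false;
          }
          //-------------------
          // The next entry starts right after this entry's name characters,
          // rounded up to the next 8-byte boundary; sizeof(SINGLE_OBJECT_BLOCK)
          // is not the stride.
          const uintptr_t next = ((uintptr_t)pBlocks->TypeName.Buffer
                                  + pBlocks->TypeName.MaxLength + 0x7) & ~(uintptr_t)0x7;
          pBlocks = (const SINGLE_OBJECT_BLOCK*)next;
      }
      return true;
  }

  // Entry point: lists every kernel object type reported by ZwQueryObject
  // with information class 3 (the "all object types" query; hObject is
  // ignored and passed as 0) and reports a debugger when the "DebugObject"
  // type has a non-zero object count.
  // Returns 0 on success, 1 when the buffer could not be allocated, the query
  // failed, or the entry walk left the buffer.
  int main(int argc, _TCHAR* argv[])
  {
      (void)argc;
      (void)argv;

      const unsigned long long bufSize = 0x10000;
      // Pre-zeroed: the kernel writes only the low 32 bits (see the prototype).
      unsigned long long reqLength = 0;
      int rc = 1;

      // Committed pages are zero-filled, so NumberOfObjectTypes reads as 0 if
      // the query writes nothing.
      OBJECT_TYPE_ALL_INFO* pInfo = (OBJECT_TYPE_ALL_INFO*)VirtualAlloc(0, bufSize,
                                        MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
      if (!pInfo)
      {
          wprintf(L"VirtualAlloc failed\r\n");
          return rc;
      }

      // NTSTATUS: negative is failure. A too-small buffer fails and leaves the
      // required size in reqLength.
      const int status = ZwQueryObject(0, 0x3, pInfo, bufSize, &reqLength);
      if (status < 0)
      {
          wprintf(L"ZwQueryObject failed: 0x%08x (required length 0x%llx)\r\n",
                  (unsigned)status, reqLength);
      }
      else if (walk_types(pInfo, bufSize))
      {
          rc = 0;
      }

      VirtualFree(pInfo, 0, MEM_RELEASE);
      return rc;
  }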