waliedassar

ProcessInstrumentationCallback

Jan 20th, 2013
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
//Certain information classes of the "ZwSetInformationProcess" function require
// the "SeDebugPrivilege" privilege. If the caller's thread does not hold this
//privilege, the error 0xC0000061 (STATUS_PRIVILEGE_NOT_HELD) is returned.
//OllyDbg has that privilege and passes it on to its child processes, i.e. its debuggees.
//Thus, this information class can be used as an anti-debug trick: if 0xC0000061
//is not returned, then a debugger is present.
  10.  
  11. #include "stdafx.h"
  12. #include "windows.h"
  13. #include "stdio.h"
  14.  
// PROCESSINFOCLASS value passed to ZwSetInformationProcess below; defined locally
// because the headers this sample includes do not provide it.
#define ProcessInstrumentationCallback 0x28
  16.  
// Native API prototype (no public header in this sample's includes; presumably
// resolved by linking against ntdll.lib). Parameters, as used by main():
// process handle, information class, pointer to the value, and its byte length.
// Returns an NTSTATUS modelled as int: >= 0 on success, negative on failure.
extern "C"
{
    int __stdcall ZwSetInformationProcess(HANDLE,unsigned long,unsigned long*,unsigned long);
}
  21.  
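// Demonstrates the SeDebugPrivilege check behind ProcessInstrumentationCallback:
// the call succeeds only when the caller's token holds the privilege, which a
// debuggee inherits from its debugger. Prints "Being debugged" when the kernel
// accepted the marker value, "Expected" when the privilege was not held, and the
// raw status otherwise. Returns 0 in every case.
int main()
{
    // NTSTATUS values: negative (high bit set) on failure, >= 0 on success.
    const long STATUS_PRIVILEGE_NOT_HELD = (long)0xC0000061;
    // Offset of the PEB field the kernel writes the callback pointer to. Hard-coded
    // for the 32-bit PEB layout this sample was written against — presumably
    // OS-version specific; confirm before reusing on another build.
    const unsigned long PEB_INSTRUMENTATION_CALLBACK_OFFSET = 0x254;
    // Marker value: easy to recognise in the PEB, but not a valid code address.
    const unsigned long MARKER = 0xCECEFEFE;

    unsigned long PebAddress = 0;
    unsigned long Value = MARKER;
    // Only a caller holding SeDebugPrivilege may set this class (see header comment).
    // Note that this detects the privilege, not a debugger as such: any parent that
    // passes the privilege on to this process would trigger the same result.
    long ret = ZwSetInformationProcess(GetCurrentProcess(), ProcessInstrumentationCallback,
                                       &Value, sizeof Value);
    if (ret >= 0)
    {
        // Read the PEB base from the TEB (fs:[0x30] on x86); MSVC 32-bit inline asm only.
        __asm
        {
            mov eax, dword ptr fs:[0x30]
            mov PebAddress, eax
        }
        // volatile: the field was written by the kernel, not by this code, so the
        // compiler must not assume anything about its contents.
        volatile unsigned long *callback =
            (volatile unsigned long *)(PebAddress + PEB_INSTRUMENTATION_CALLBACK_OFFSET);
        if (*callback == MARKER)
        {
            printf("Being debugged\r\n");
        }
        // NOTE(review): the bogus callback pointer is left installed. If the kernel
        // invokes the instrumentation callback on this OS version, the process will
        // fault at 0xCECEFEFE — confirm on the target build.
    }
    else if (ret == STATUS_PRIVILEGE_NOT_HELD)
    {
        printf("Expected\r\n");
    }
    else
    {
        // Any other status (e.g. an unsupported information class) was previously
        // swallowed silently; report it so the demo's result is never ambiguous.
        printf("Unexpected status 0x%08lX\r\n", ret);
    }
    return 0;
}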
  40.  
  41.  
  42. //N.B. Also the "ProcessBreakOnTermination" information class requires this privilege. Nasty?!