Anti-ChildDebugging
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //The following code prevents a debugger (e.g. WinDbg or OllyDbg v2.x) from catching
  4. //the child process and debugging it.
  5. #include "stdafx.h"
  6. #include "windows.h"
  7. #include "stdio.h"
  8.  
// PROCESSINFOCLASS value for ProcessDebugFlags. It is the information class passed to
// ZwSetInformationProcess() in main() to control the "NoDebugInherit" bit of this
// process's _EPROCESS; the value written is stored inverted (0 -> bit set).
#define ProcessDebugFlags 0x1F

// Prototype of the native (ntdll) routine; declared by hand because no SDK header
// provides it here. NOTE(review): the project must resolve the import itself
// (ntdll.lib or a runtime lookup) -- confirm in the build settings.
// Parameters: process handle, information class, pointer to the value, size of the
// value in bytes. The return value follows NTSTATUS conventions as used by the caller:
// >= 0 is success, negative is failure.
extern "C"
{
int __stdcall ZwSetInformationProcess(HANDLE,unsigned long,unsigned long*,unsigned long);
}
  15.  
  16.  
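// Entry point: mark this process so that children it creates are not attached to the
// debugger that is debugging it, then spawn a child and wait for it.
//
// ProcessDebugFlags (0x1F) with a value of 0 sets the "NoDebugInherit" bit of the
// parent's _EPROCESS (the value is stored inverted). From a defender's point of view
// this is an anti-analysis pattern: a process calling NtSetInformationProcess with
// class 0x1F and then creating children is a useful telemetry signal.
//
// Returns 0 on success, 1 if the flag could not be set or the child could not be
// created. argc/argv are unused.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    // The return value is an NTSTATUS: negative means failure, >= 0 means success.
    // sizeof(value) instead of a literal 4 keeps the length tied to the variable.
    unsigned long value = 0x0; // Inverted and stored in NoDebugInherit.
    int ret = ZwSetInformationProcess(GetCurrentProcess(), ProcessDebugFlags, &value, sizeof(value));
    if (ret < 0)
    {
        // Do not spawn the child when the flag was not applied; report the failure
        // instead of silently exiting with 0.
        return 1;
    }

    // Explicit ANSI variants so the narrow string literal compiles regardless of the
    // project's UNICODE setting. The command line lives in a writable array because
    // the wide variant of CreateProcess is documented to modify that buffer.
    STARTUPINFOA SI = { sizeof(SI) };
    PROCESS_INFORMATION PI = { 0 };
    char cmdline[] = "calc.exe";

    // bInheritHandles is FALSE: the child needs none of this process's handles, and
    // handle inheritance is unrelated to the debug-inherit behaviour demonstrated here
    // (least privilege for the spawned process).
    if (!CreateProcessA(0, cmdline, 0, 0, FALSE, 0, 0, 0, &SI, &PI))
    {
        return 1;
    }

    // Keep the parent alive while the child runs by waiting on it instead of sleeping
    // in an endless loop, then release the handles CreateProcess handed back.
    WaitForSingleObject(PI.hProcess, INFINITE);
    CloseHandle(PI.hThread);
    CloseHandle(PI.hProcess);
    return 0;
}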