- // http://waleedassar.blogspot.com (@waleedassar)
- #include "stdafx.h"
- #include "windows.h"
/*
 * Output buffer for ZwQueryInformationProcess when it is called with
 * information class 0, which is how this file uses it.
 *
 * Every member is an `unsigned long`, so the record is six 32-bit slots on
 * Windows. NOTE(review): that only lines up with the native structure in a
 * 32-bit build, where pointers are also 4 bytes - confirm the project is
 * x86-only before reusing this definition.
 */
struct _PROCESS_BASIC_INFORMATION {
    unsigned long Reserved1;
    unsigned long PebBaseAddress;   /* address of the queried process's PEB */
    unsigned long Reserved2[2];
    unsigned long UniqueProcessId;  /* PID of the queried process */
    unsigned long ParentProcessId;  /* PID recorded as the creator of that process */
};
typedef struct _PROCESS_BASIC_INFORMATION PROCESS_BASIC_INFORMATION;
// Hand-written prototype for the native API exported by ntdll.dll; the
// program has to be linked against ntdll's import library for it to resolve.
// The declared `int` return carries an NTSTATUS: negative values are failures.
extern "C" int __stdcall ZwQueryInformationProcess(
    HANDLE process,                     // process to query
    int infoClass,                      // this file always passes 0
    PROCESS_BASIC_INFORMATION* buffer,  // receives the result
    int bufferSize,                     // sizeof(*buffer)
    unsigned long* returnedSize);       // optional; this file passes 0
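/*
 * Reads the PE header of the process behind `parent` and reports whether
 * data directory entry 7 (the x86 "copyright" slot) points at the string
 * "32-bit analysing debugger" - the marker this sample treats as OllyDbg.
 *
 * Everything read here comes from another process and is treated as
 * untrusted: each remote read is checked, the DOS/NT signatures are
 * validated before any offset taken from them is used, and the marker
 * buffer is one byte larger than the read so it is always NUL-terminated.
 *
 * The offsets assume a 32-bit parent and a 32-bit build (PEB.ImageBaseAddress
 * at +0x8, 4-byte pointers).
 *
 * For analysts: the observable footprint of this check is a query for the
 * creator PID, OpenProcess on that PID, and ReadProcessMemory calls walking
 * PEB -> image base -> NT headers -> DataDirectory[7] in that process.
 *
 * Returns non-zero when the marker matches, 0 otherwise (including on any
 * failed read or malformed header).
 */
static int ParentCarriesOllyMarker(HANDLE parent)
{
    enum {
        PEB_IMAGE_BASE_OFFSET = 0x8,  /* PEB.ImageBaseAddress on x86 */
        COPYRIGHT_DIRECTORY   = 7,    /* data directory index inspected */
        MARKER_BYTES          = 100   /* bytes fetched from the directory target */
    };

    PROCESS_BASIC_INFORMATION info = {0};
    /* Without this check a failed query would leave `info` zeroed and the
     * reads below would target address 0x8 in the parent. */
    if (ZwQueryInformationProcess(parent, 0, &info, sizeof(info), 0) < 0)
        return 0;

    unsigned long imageBase = 0;
    if (!ReadProcessMemory(parent,
                           (LPCVOID)(ULONG_PTR)(info.PebBaseAddress + PEB_IMAGE_BASE_OFFSET),
                           &imageBase, sizeof(imageBase), 0))
        return 0;

    IMAGE_DOS_HEADER dos = {0};
    if (!ReadProcessMemory(parent, (LPCVOID)(ULONG_PTR)imageBase, &dos, sizeof(dos), 0))
        return 0;
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew <= 0)
        return 0;

    IMAGE_NT_HEADERS nt = {0};
    if (!ReadProcessMemory(parent,
                           (LPCVOID)(ULONG_PTR)(imageBase + (unsigned long)dos.e_lfanew),
                           &nt, sizeof(nt), 0))
        return 0;
    if (nt.Signature != IMAGE_NT_SIGNATURE)
        return 0;
    /* Entry 7 is only meaningful if the header declares at least 8 entries. */
    if (nt.OptionalHeader.NumberOfRvaAndSizes <= COPYRIGHT_DIRECTORY)
        return 0;

    unsigned long rva = nt.OptionalHeader.DataDirectory[COPYRIGHT_DIRECTORY].VirtualAddress;
    if (rva == 0)
        return 0;

    /* One spare byte stays zero, so the comparison cannot run past the
     * buffer when the remote data contains no terminator. */
    char text[MARKER_BYTES + 1] = {0};
    if (!ReadProcessMemory(parent, (LPCVOID)(ULONG_PTR)(imageBase + rva),
                           text, MARKER_BYTES, 0))
        return 0;

    return lstrcmpA(text, "32-bit analysing debugger") == 0;
}

/*
 * Anti-debugging demonstration: looks up the PID recorded as this process's
 * creator, opens that process and shows a message box if its image carries
 * the OllyDbg marker string (see ParentCarriesOllyMarker).
 *
 * Always returns 0; the message box is the only output.
 *
 * NOTE(review): the creator PID is whatever the kernel recorded at process
 * creation; if that process has exited and the PID was reused, the handle
 * refers to an unrelated process.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    PROCESS_BASIC_INFORMATION self = {0};
    if (ZwQueryInformationProcess(GetCurrentProcess(), 0, &self, sizeof(self), 0) < 0)
        return 0;

    /* The basic-information query on the parent needs query access in
     * addition to PROCESS_VM_READ; with VM_READ alone that query is refused. */
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                           FALSE, self.ParentProcessId);
    if (!h)
        return 0;

    /* Explicit ANSI entry points so the narrow literals also build with UNICODE defined. */
    if (ParentCarriesOllyMarker(h))
        MessageBoxA(0, "OllyDbg detected", "waliedassar", 0);

    CloseHandle(h);  /* the handle was never released before */
    return 0;
}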