waliedassar

NtGlobalFlag As Anti-Debug Trick

Jun 4th, 2013
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
//Compares the NtGlobalFlag value returned by NtQuerySystemInformation(SystemFlagsInformation, ...) with the
//NtGlobalFlag fields of the Process Environment Block(s) (PEBs). A mismatch can be used to detect debuggers.
//Stealthy tools mistakenly do the following:
// 1) Set the "NtGlobalFlag" field of the PEB to zero, erasing other flags, e.g. 0x400.
// 2) Set the "NtGlobalFlag" field of the 32-bit PEB only to zero, forgetting the 64-bit PEB in Wow64 processes.
  9.  
  10. //N.B. Tested With Win7 SP1 64Bit.
  11.  
  12. #include "stdafx.h"
  13. #include "windows.h"
  14. #include "stdio.h"
  15.  
// SYSTEM_INFORMATION_CLASS value 9 (SystemFlagsInformation): asks
// ZwQuerySystemInformation for the system-wide NtGlobalFlag.
enum { SystemFlagsInformation = 0x9 };
  17.  
  18.  
// Manual prototype for the ntdll export, given C linkage so the name is not
// mangled. The return value is an NTSTATUS declared here as int (0 == STATUS_SUCCESS).
// SystemInformation receives SystemInformationLength bytes; ReturnLength may be 0.
extern "C"
{
    int __stdcall ZwQuerySystemInformation(unsigned long SystemInformationClass,
                                           unsigned long *SystemInformation,
                                           unsigned long SystemInformationLength,
                                           unsigned long *ReturnLength);
}
  26.  
// Entry point: compares three copies of NtGlobalFlag and treats any disagreement as
// evidence of a debugger, or of a debugger-hiding tool that patched the PEB (see the
// header comment). On a mismatch it prints "Being Debugged" and exits with code 0.
//   1. the system-wide value from ZwQuerySystemInformation(SystemFlagsInformation)
//   2. the NtGlobalFlag field of this process's 32-bit PEB
//   3. under WOW64 only, the NtGlobalFlag field of the 64-bit PEB
// The TEB/PEB reads use MSVC x86 inline asm with hard-coded offsets, so this only
// builds as 32-bit MSVC code and the offsets are tied to the Windows build it was
// tested on (Win7 SP1 x64 per the header note).
// NOTE(review): `void main()` is non-standard; `int main(void)` is the portable form.
void main()
{
   
    unsigned long NtGlobalFlag=0;
 
    // Ask the kernel for the system-wide NtGlobalFlag: a 4-byte output buffer and
    // no ReturnLength pointer (0).
    int ret = ZwQuerySystemInformation(SystemFlagsInformation,& NtGlobalFlag,0x4,0);
    // NOTE(review): ret is printed but never checked. If the call fails, NtGlobalFlag
    // stays 0 and the comparisons below report a debugger whenever the PEB copy is
    // non-zero -- a false positive rather than a detection.
    printf("Return Value is %x NtGlobalFlag is %x\r\n",ret,NtGlobalFlag);
 
 
    unsigned long IsWow64=0;
    unsigned long NtGlobalFlag32=0;
    unsigned long NtGlobalFlag64=0;
    __asm
    {
        // fs:[0xC0] is TEB.WOW32Reserved; it is non-zero only in a WOW64 process,
        // which is what IsWow64 captures.
        mov eax,dword ptr fs:[0xC0]
        mov IsWow64,eax
 
        // fs:[0x30] is TEB.ProcessEnvironmentBlock (the 32-bit PEB); +0x68 is its
        // NtGlobalFlag field in the x86 PEB layout.
        mov eax,dword ptr fs:[0x30]
        mov ebx,dword ptr[eax+0x68]
        mov NtGlobalFlag32,ebx
    }
 
    // Exact equality: any differing bit trips the check, not only the debug-heap
    // flags, which is why blindly zeroing the field (header note 1) is detected.
    if(NtGlobalFlag32 != NtGlobalFlag)
    {
        printf("Being Debugged\r\n");
        ExitProcess(0);
    }
 
    if(IsWow64)
    {
        __asm
        {
            // In a WOW64 process the 64-bit PEB was observed one page (0x1000) above
            // the 32-bit PEB; +0xBC is NtGlobalFlag in the x64 PEB layout. This is a
            // layout observation on the tested build, not an API guarantee -- verify
            // before relying on it elsewhere.
            mov eax,dword ptr fs:[0x30]
            add eax,0x1000
            mov ebx,dword ptr[eax+0xBC]
            mov NtGlobalFlag64,ebx
        }
 
        // The 64-bit copy must match both the system value and the 32-bit copy;
        // a tool that patched only the 32-bit PEB (header note 2) fails here.
        if( (NtGlobalFlag64!=NtGlobalFlag) || (NtGlobalFlag64!=NtGlobalFlag32) )
        {
             printf("Being Debugged\r\n");
             ExitProcess(0);
        }
    }
}