waliedassar

DebugActiveProcess(ParentProcessPid) Trick

Dec 2nd, 2012
//http://waleedassar.blogspot.com/
//http://www.twitter.com/waleedassar
//This code shows how to use DebugActiveProcess(parent_process_pid)
//as an anti-stepping/anti-tracing trick.
//N.B. To avoid losing any unsaved work, don't run it on your production system.
  6.  
#include "stdafx.h"
#include "windows.h"
#include "stdint.h"
#include "stdio.h"
  10.  
  11.  
  12.  
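// Buffer layout for information class 0 (ProcessBasicInformation) of
// ZwQueryInformationProcess; only ParentProcessId is read in this file.
// Every field of the native structure is pointer-sized, so the previous
// `unsigned long` members were only correct in a 32-bit build. uintptr_t
// keeps the 32-bit layout byte-for-byte identical and yields the right
// member offsets in a 64-bit build as well.
typedef struct _PROCESS_BASIC_INFORMATION {
    uintptr_t Reserved1;        // not used here
    uintptr_t PebBaseAddress;   // address of the process PEB
    uintptr_t Reserved2[2];     // not used here
    uintptr_t UniqueProcessId;  // PID of the queried process
    uintptr_t ParentProcessId;  // PID of the process that created it
}PROCESS_BASIC_INFORMATION;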
  20.  
// ntdll export. Returns an NTSTATUS, i.e. a negative value on failure.
// The only call in this file passes class 0 (ProcessBasicInformation)
// with a PROCESS_BASIC_INFORMATION buffer and no ReturnLength pointer.
extern "C"
{
    int __stdcall ZwQueryInformationProcess(HANDLE ProcessHandle,
                                            unsigned long ProcessInformationClass,
                                            PROCESS_BASIC_INFORMATION* ProcessInformation,
                                            unsigned long ProcessInformationLength,
                                            void* ReturnLength);
}
  25.  
// Counted wide string as passed to the native API. In this file it is only
// referenced through OBJECT_ATTRIBUTES; nothing here ever populates one.
struct UNICODE_STRING
{
    unsigned short len;        //length in bytes, terminator not included
    unsigned short max_len;    //buffer size in bytes, i.e. len plus the two-byte terminator
    wchar_t* pStr;             //wide-character buffer
};
  32.  
// Object-attributes block taken by native object-creation calls. It is only
// used in the ZwCreateDebugObject prototype below, which this file declares
// but never calls.
struct OBJECT_ATTRIBUTES
{
  unsigned long      Length;                    // sizeof(OBJECT_ATTRIBUTES)
  HANDLE          RootDirectory;                // directory ObjectName is relative to, or 0
  UNICODE_STRING* ObjectName;                   // object name, or 0 for an unnamed object
  unsigned long           Attributes;           // OBJ_* flags
  void*           SecurityDescriptor;           // optional SECURITY_DESCRIPTOR
  void*           SecurityQualityOfService;     // optional SECURITY_QUALITY_OF_SERVICE
};
  42.  
// kernel32 and ntdll entry points. Handles are declared as unsigned long,
// which only matches the width of a HANDLE in a 32-bit build. Of these five,
// main() calls DebugActiveProcessStop and DebugSetProcessKillOnExit; the
// three Zw* routines are declared but not used in this file.
extern "C"
{
    int  __stdcall DebugActiveProcessStop(unsigned long dwProcessId);
    BOOL __stdcall DebugSetProcessKillOnExit(BOOL KillOnExit);
    int  __stdcall ZwCreateDebugObject(void* DebugObjectHandle,
                                       unsigned long DesiredAccess,
                                       OBJECT_ATTRIBUTES* ObjectAttributes,
                                       BOOL Flags);
    int  __stdcall ZwClose(unsigned long Handle);
    int  __stdcall ZwDebugActiveProcess(unsigned long ProcessHandle,
                                        unsigned long DebugObjectHandle);
}
  51.  
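// Enables SeDebugPrivilege in the current process token.
//
// Returns TRUE only when the privilege is actually enabled afterwards.
// Two defects of the earlier version are fixed here: the token handle was
// never closed, and AdjustTokenPrivileges' TRUE return was trusted even
// though that call also returns TRUE when the token does not hold the
// privilege at all (it then reports ERROR_NOT_ALL_ASSIGNED via GetLastError).
BOOL Debug()
{
    LUID luid;
    // SE_DEBUG_NAME expands to the same "SeDebugPrivilege" string in both
    // ANSI and Unicode builds.
    if(!LookupPrivilegeValue(0,SE_DEBUG_NAME,&luid))
    {
        return FALSE;
    }
    HANDLE hToken=0;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
    {
        return FALSE;
    }
    TOKEN_PRIVILEGES tp={0};
    tp.PrivilegeCount=1;
    tp.Privileges[0].Luid=luid;
    tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

    BOOL ok=AdjustTokenPrivileges(hToken,FALSE,&tp,0,0,0);
    // A TRUE return with ERROR_NOT_ALL_ASSIGNED means nothing was enabled
    // (typically: the caller is not running elevated).
    if(ok && GetLastError()==ERROR_NOT_ALL_ASSIGNED)
    {
        ok=FALSE;
    }
    CloseHandle(hToken);
    return ok;
}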
  76.  
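// Attaches to the parent process as a debugger, pumps a handful of debug
// events, detaches again and shows a message box. argc/argv are unused.
//
// The earlier debug-event loop ignored the return value of
// WaitForDebugEvent: on a timeout DE still held the previous event, which
// was then counted a second time and "continued" with stale process/thread
// ids. It also never closed the file handles that CREATE_PROCESS and
// LOAD_DLL events hand to the debugger, and it spun forever if fewer than
// three countable events ever arrived. All three are addressed below; the
// externally visible sequence (attach, reply DBG_CONTINUE to every event,
// detach after three process/thread/exception events, message box, exit)
// is unchanged.
int main(int argc, char* argv[])
{
    // Best effort: without SeDebugPrivilege, DebugActiveProcess simply
    // fails for parents the caller may not open, and the code below copes.
    Debug();
    // Do not terminate the parent when this process (its debugger) exits.
    DebugSetProcessKillOnExit(FALSE);

    // Class 0 == ProcessBasicInformation; we only need ParentProcessId.
    PROCESS_BASIC_INFORMATION PBI={0};
    int ret=ZwQueryInformationProcess(GetCurrentProcess(),0,&PBI,sizeof(PBI),0);
    if(ret<0) return 0;   // NTSTATUS: negative means failure

    const unsigned long MAX_IDLE_WAITS=20;   // 20 x 50 ms ~= 1 s without events
    unsigned long counted=0;                 // process/thread/exception events seen
    unsigned long idle=0;                    // consecutive WaitForDebugEvent timeouts
    DEBUG_EVENT DE={0};

    if(DebugActiveProcess(PBI.ParentProcessId))
    {
        for(;;)
        {
            // On timeout or error DE is not refreshed, so it must not be
            // interpreted or continued; just wait again, with a cap so a
            // quiet parent cannot keep us attached indefinitely.
            if(!WaitForDebugEvent(&DE,0x32))
            {
                if(++idle>=MAX_IDLE_WAITS)
                {
                    DebugActiveProcessStop(PBI.ParentProcessId);
                    break;
                }
                continue;
            }
            idle=0;

            switch(DE.dwDebugEventCode)
            {
            case CREATE_PROCESS_DEBUG_EVENT:
                counted++;
                // The image file handle is owned by the debugger once delivered.
                if(DE.u.CreateProcessInfo.hFile)
                {
                    CloseHandle(DE.u.CreateProcessInfo.hFile);
                }
                break;
            case CREATE_THREAD_DEBUG_EVENT:
            case EXCEPTION_DEBUG_EVENT:
                counted++;
                break;
            case LOAD_DLL_DEBUG_EVENT:
                // Same ownership rule as the CREATE_PROCESS file handle.
                if(DE.u.LoadDll.hFile)
                {
                    CloseHandle(DE.u.LoadDll.hFile);
                }
                break;
            default:
                break;
            }
            // Every event, counted or not, is answered with DBG_CONTINUE so
            // the parent is resumed; ids are now guaranteed to be current.
            ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);

            if(counted>=3)
            {
                DebugActiveProcessStop(PBI.ParentProcessId);
                break;
            }
        }
    }
    // Shown unconditionally, exactly as before, even if the attach failed.
    MessageBox(0,"Congrats","waliedassar",0);
    ExitProcess(0);
    return 0;   // unreachable; kept for the non-void signature
}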
