waliedassar

TEB.SuppressDebugMsg

Nov 22nd, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Upon receiving a LOAD_DLL_DEBUG_EVENT debug event, a debugger saves the value of
  4. //the "hFile" member of LOAD_DLL_DEBUG_INFO somewhere so that it can use it to read information about the module, and
  5. //then closes it upon receiving the corresponding UNLOAD_DLL_DEBUG_INFO.
  6.  
  7. //Windbg and IDA Pro debuggers cache this handle and do not close it until the corresponding
  8. //UNLOAD_DLL_DEBUG_EVENT is received.
  9. //So, to detect these debuggers, we set TEB.SuppressDebugMsg just after LoadLibrary
  10. //has been called. This way the debugger never receives the UNLOAD_DLL_DEBUG_EVENT, so any attempt to
  11. //acquire exclusive access to the DLL file after FreeLibrary will fail.
  12. //Executable can be found at:
  13. //http://code.google.com/p/ollytlscatch/downloads/detail?name=SuppressDebugMsg.exe
  14.  
  15. #include "stdafx.h"
  16. #include "windows.h"
  17. #include "stdio.h"
  18. #include "resource.h"
  19.  
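/*
 * Demonstrates the debugger-presence check the paste is named for.
 *
 * Steps:
 *  1. The DLL embedded as resource IDR_WALIED2 (type "WALIED") is written to
 *     "walied.dll" in the current directory.
 *  2. It is loaded with LoadLibrary, so an attached debugger receives a
 *     LOAD_DLL_DEBUG_EVENT carrying an hFile for the file.
 *  3. TEB.SuppressDebugMsg is set and the DLL is freed. A debugger that keeps
 *     that hFile open until the matching UNLOAD_DLL_DEBUG_EVENT never gets
 *     the event, so the exclusive-access CreateFile in step 4 fails.
 *  4. "Expected behavior" or "Debugger detected" is shown and the file is
 *     deleted.
 *
 * Notes for reviewers:
 *  - The inline asm is MSVC x86 only: fs:[0x18] is the TEB self pointer and
 *    0xFCA is the SuppressDebugMsg byte of the 32-bit TEB. It does not build
 *    with GCC/Clang and is not valid on x64 (gs-relative, different offsets).
 *  - The result is a heuristic, not proof: any other process holding
 *    walied.dll open without FILE_SHARE_WRITE (scanner, indexer) yields the
 *    same "Debugger detected" message.
 *  - Debugger-side mitigation is simply not caching hFile: a debugger that
 *    reads what it needs and closes the handle immediately passes the check.
 *  - The DLL is dropped into the current directory, which this program does
 *    not control; a private temp directory would be the safer location.
 *
 * Fixes relative to the original paste: the path is bounds-checked (an empty
 * directory indexed path[-1]; a long one could overflow strcat); the file is
 * always opened writable (the original re-opened an existing file read-only
 * and WriteFile silently failed); WriteFile and LoadLibrary results are
 * checked so the check is not run on a file that was never written or loaded.
 *
 * Returns nothing; "void main" is non-standard but kept for the original build.
 */
void main()
{
    HRSRC h = FindResource(0, MAKEINTRESOURCE(IDR_WALIED2), "WALIED");
    if (!h) return;
    HGLOBAL hG = LoadResource(0, h);
    if (!hG) return;
    void *pDll = LockResource(hG);
    if (!pDll) return;
    unsigned long dllSize = SizeofResource(0, h);
    if (dllSize == 0) return;

    /* Build "<cwd>\walied.dll" with explicit length checks. The buffer is
       zero-filled, so it stays NUL-terminated after each append. */
    static const char dllName[] = "walied.dll";
    char path[MAX_PATH] = {0};
    unsigned long len = GetCurrentDirectory(MAX_PATH, path);
    if (len == 0 || len >= MAX_PATH) return;        /* failed or truncated */
    if (path[len - 1] != '\\')
    {
        if (len + 1 >= MAX_PATH) return;
        path[len++] = '\\';
    }
    if (len + sizeof dllName > MAX_PATH) return;    /* sizeof counts the NUL */
    memcpy(path + len, dllName, sizeof dllName);

    /* Always (re)create the file writable so the WriteFile below can succeed;
       the share flags match the original so the later exclusive open is the
       only one that may be refused. */
    HANDLE hFile = CreateFile(path, GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                              0, CREATE_ALWAYS, 0, 0);
    if (hFile == INVALID_HANDLE_VALUE) ExitProcess(0);

    unsigned long written = 0;
    int ok = WriteFile(hFile, pDll, dllSize, &written, 0);
    CloseHandle(hFile);
    if (!ok || written != dllSize)
    {
        DeleteFile(path);
        ExitProcess(0);
    }

    /* Without a successful load there is no LOAD_DLL_DEBUG_EVENT, so the
       final check would be meaningless; bail out instead of freeing NULL. */
    HMODULE Base = LoadLibrary(path);
    if (!Base)
    {
        DeleteFile(path);
        return;
    }
    __asm
    {
        pushad
        mov eax,dword ptr fs:[0x18]     //TEB self pointer (32-bit).
        mov byte ptr[eax+0xFCA],0x80    //TEB.SuppressDebugMsg: the FreeLibrary below raises no UNLOAD_DLL_DEBUG_EVENT.
        popad
    }
    FreeLibrary(Base);

    /* Exclusive open (no share flags): fails if anyone still holds the file. */
    hFile = CreateFile(path, GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        MessageBox(0, "Expected behavior", "waliedassar", 0);
        CloseHandle(hFile);
    }
    else
    {
        MessageBox(0, "Debugger detected", "waliedassar", 0);
    }
    DeleteFile(path);
}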