waliedassar

TEB.SuppressDebugMsg

Nov 22nd, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //Upon receiving LOAD_DLL_DEBUG_EVENT debug events, debuggers save the value of
  4. //the "hFile" member of LOAD_DLL_DEBUG_INFO somewhere so that it can use it to read info and
  5. //then close it upon receiving the corresponding UNLOAD_DLL_DEBUG_INFO.
  6.  
  7. //Windbg and IDA Pro debuggers cache this handle and do not close it until the corresponding
  8. //UNLOAD_DLL_DEBUG_EVENT is received.
//So, to detect these debuggers, we set TEB.SuppressDebugMsg just after LoadLibrary
//has been called. This way the debugger never receives the UNLOAD_DLL_DEBUG_EVENT, so any
//attempt to acquire exclusive access to the DLL file after FreeLibrary will fail.
  12. //Executable can be found at:
  13. //http://code.google.com/p/ollytlscatch/downloads/detail?name=SuppressDebugMsg.exe
  14.  
  15. #include "stdafx.h"
  16. #include "windows.h"
  17. #include "stdio.h"
  18. #include "resource.h"
  19.  
// Entry point of the proof-of-concept: drops the embedded DLL next to the current
// directory, loads it, sets TEB.SuppressDebugMsg, unloads it and then tests whether the
// DLL file can be opened for exclusive access. Uses Win32 only (no return value is
// reported; a conforming program would declare `int main`).
void main()
{
    // The DLL image is embedded as a custom resource of type "WALIED" (IDR_WALIED2 from resource.h).
    HRSRC h=FindResource(0,MAKEINTRESOURCE(IDR_WALIED2),"WALIED");
    if(h)
    {
        HGLOBAL hG=LoadResource(0,h);
        if(hG)
        {
            void* pDll=LockResource(hG);
            if(pDll)
            {
                // Build "<current directory>\walied.dll".
                // NOTE(review): GetCurrentDirectory's return value is not checked. If it fails
                // (or returns an empty string), len is 0 and path[len-1] reads before the buffer;
                // strcat is unbounded, so a directory name longer than MAX_PATH-11 overflows path.
                char path[MAX_PATH]={0};
                GetCurrentDirectory(MAX_PATH,path);
                unsigned long len=strlen(path);
                if(path[len-1]!='\\') path[len]='\\';   // terminator comes from the ={0} initializer
                strcat(path,"walied.dll");
                // First try to reuse an existing file (read-only, all share modes), otherwise create it.
                HANDLE hFile=CreateFile(path,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,0,OPEN_EXISTING,0,0);
                if(hFile==INVALID_HANDLE_VALUE)
                {
                    hFile=CreateFile(path,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,0,CREATE_ALWAYS,0,0);
                }
                if(hFile==INVALID_HANDLE_VALUE) ExitProcess(0);
                else
                {
                    // NOTE(review): when the OPEN_EXISTING path succeeded the handle has no
                    // GENERIC_WRITE access, so this WriteFile presumably fails; its result is not
                    // checked and whatever file was already on disk is the one that gets loaded.
                    unsigned long writ;
                    WriteFile(hFile,pDll,SizeofResource(0,h),&writ,0);
                    CloseHandle(hFile);
                    // Loading the DLL is what makes an attached debugger receive LOAD_DLL_DEBUG_EVENT
                    // (and, per the header comment, cache the hFile it carries). LoadLibrary's
                    // result is not checked; Base may be NULL here.
                    HMODULE Base=LoadLibrary(path);
                    // MSVC x86 inline assembly (does not build for x64 or other compilers).
                    // fs:[0x18] is the TEB self pointer on 32-bit Windows. The byte at TEB+0xFCA is
                    // the per-thread flag field that holds SuppressDebugMsg (bit 0x80); the offset is
                    // specific to the 32-bit TEB layout the author targeted and should be verified
                    // against the OS in use. With the flag set, the loader does not report the
                    // following FreeLibrary to the debugger, so no UNLOAD_DLL_DEBUG_EVENT is delivered.
                    // The store replaces the whole byte, so any other flag bits stored there are cleared.
                    __asm
                    {
                        pushad
                        mov eax,dword ptr fs:[0x18]
                        mov byte ptr[eax+0xFCA],0x80//This is the trick.
                        popad
                    }
                    FreeLibrary(Base);
                    hFile=0;
                    // Exclusive open (share mode 0). Without a debugger the module mapping was
                    // released by FreeLibrary and the open succeeds. A debugger that is still holding
                    // the LOAD_DLL_DEBUG_INFO.hFile handle keeps the file open, so this open fails with
                    // a sharing violation; debuggers that close hFile as soon as they have read the
                    // module are not affected. Any other process holding the file open (e.g. a scanner)
                    // produces the same failure, so this is not a debugger-only signal.
                    hFile=CreateFile(path,GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
                    if(hFile!=INVALID_HANDLE_VALUE)
                    {
                        MessageBox(0,"Expected behavior","waliedassar",0);
                        CloseHandle(hFile);
                    }
                    else
                    {
                        MessageBox(0,"Debugger detected","waliedassar",0);
                    }
                    // Remove the dropped file; this also fails silently if something still holds it open.
                    DeleteFile(path);
                }
            }
        }
    }
}