
Typical Sequence Of Antidebug Tricks

waliedassar Jul 28th, 2012 598 Never
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. #include "stdafx.h"
  4. #include "windows.h"
  5. #include "iostream.h"
  6.  
  7.  
// Prototypes for two native system-service stubs (exported by ntdll) that the
// headers included above do not declare; the linker resolves them by name.
// Both return an NTSTATUS, spelled here as int: negative means failure,
// zero or positive means success. The pointer/length parameter types are
// 32-bit-size-compatible stand-ins for the native PVOID/ULONG/PULONG ones.
extern "C" int __stdcall ZwSetInformationThread(HANDLE ThreadHandle,
                                                int ThreadInformationClass,
                                                unsigned long *ThreadInformation,
                                                unsigned long ThreadInformationLength);
extern "C" int __stdcall ZwQueryInformationProcess(HANDLE ProcessHandle,
                                                   int ProcessInformationClass,
                                                   unsigned long *ProcessInformation,
                                                   unsigned long ProcessInformationLength,
                                                   unsigned long *ReturnLength);
  13.  
// Information-class ordinals handed to the Zw* calls declared above. They are
// the native THREADINFOCLASS / PROCESSINFOCLASS values, which the headers
// included by this file do not expose, so they are spelled out here.
enum
{
        ThreadHideFromDebugger   = 0x11, // THREADINFOCLASS: stop delivering this thread's debug events
        ProcessDebugPort         = 0x7,  // PROCESSINFOCLASS: debug port, nonzero while a debugger is attached
        ProcessDebugObjectHandle = 0x1E, // PROCESSINFOCLASS: handle to the process's debug object, if any
        ProcessDebugFlags        = 0x1F  // PROCESSINFOCLASS: debug-inherit flag (see the check in main)
};
  18.  
// Runs four anti-debugging probes in sequence and terminates on the first hit;
// only if all of them pass is the final MessageBox reached. Every probe is a
// direct native-API call using the information classes defined above, so a
// monitor that logs NtQueryInformationProcess / NtSetInformationThread sees,
// from this process, classes 0x7, 0x1E, 0x1F and then 0x11 in that order.
// argc/argv are unused. Returns 0 when no debugger was detected; otherwise
// the process ends through ExitProcess and main never returns.
int main(int argc, char* argv[])
{
        //------------------------------------
        // Probe 1: ProcessDebugPort. A nonzero port is reported while a
        // user-mode debugger is attached. The NTSTATUS is not checked, so a
        // failed query leaves _port_ at 0 and the probe silently passes.
        // NOTE(review): on a 64-bit build this class expects a pointer-sized
        // buffer, so a 4-byte length would fail exactly that way -- verify
        // before porting this snippet off 32-bit.
        unsigned long _port_=0;
        ZwQueryInformationProcess(GetCurrentProcess(),ProcessDebugPort,&_port_,0x4,0);
        if(_port_)
        {
                MessageBox(0,"BeingDebugged","waliedassar",0);
                ExitProcess(-1); // ExitProcess takes a UINT; -1 becomes 0xFFFFFFFF
        }
        //------------------------------------
        // Probe 2: ProcessDebugObjectHandle. Here the status is used: the
        // query succeeds (ret >= 0) only when a debug object exists for the
        // process; otherwise it fails and DbgObjHand stays 0, so either half
        // of the condition indicates a debugger. On success the returned
        // handle is never closed -- harmless only because the process exits
        // immediately afterwards.
        unsigned long DbgObjHand=0;
        int ret=ZwQueryInformationProcess(GetCurrentProcess(),ProcessDebugObjectHandle,&DbgObjHand,0x4,0);
        if(ret>=0 || DbgObjHand)
        {
                MessageBox(0,"BeingDebugged","waliedassar",0);
                ExitProcess(-2);
        }
        //------------------------------------
        // Probe 3: ProcessDebugFlags. The status is ignored again, but the
        // trigger condition is "value is 0", so a failed query (buffer left
        // untouched at 0) is reported as a debugger -- the opposite failure
        // mode from probe 1.
        unsigned long DbgFlags=0;
        ZwQueryInformationProcess(GetCurrentProcess(),ProcessDebugFlags,&DbgFlags,0x4,0);
        if(DbgFlags==0)
        {
            // Only if the process was spawned with the "DEBUG_ONLY_THIS_PROCESS" flag of
            // the "CreateProcess" function, i.e. no child debugging.
            // Does not harm your code, though.
            MessageBox(0,"BeingDebugged","waliedassar",0);
                ExitProcess(-2);
        }
        //------------------------------------
        // Probe 4 is not a query: ThreadHideFromDebugger switches off
        // debug-event delivery for the calling thread, so exceptions and
        // breakpoints hit on this thread from here on are no longer reported
        // to an attached debugger. The return value is not checked.
        ZwSetInformationThread(GetCurrentThread(),ThreadHideFromDebugger,0,0);
       

        MessageBox(0,"Can you see me under debugger","waliedassar",0);
        return 0;
}