waliedassar

DebugActiveProcess(-1)

Oct 15th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
//This code shows how to use DebugActiveProcess(-1) as an anti-stepping/anti-tracing trick.
//N.B. To avoid losing unsaved work, do not run this on a production system: it freezes the whole system.
  5.  
  6. #include "stdafx.h"
  7. #include "windows.h"
  8. #include "stdio.h"
  9.  
// Hand-rolled mirror of the native UNICODE_STRING layout (windows.h alone does not
// declare it); referenced only through OBJECT_ATTRIBUTES::ObjectName below.
struct UNICODE_STRING
{
    unsigned short len;        // length of the string in bytes, not counting the terminator
    unsigned short max_len;    // size of the buffer in bytes, i.e. len plus the 2-byte terminator
    wchar_t* pStr;             // pointer to the UTF-16 buffer
};
  16.  
// Hand-rolled mirror of the native OBJECT_ATTRIBUTES layout, declared so the
// ZwCreateDebugObject prototype below can name it.  Field order must match the
// kernel definition exactly; only a pointer to it is ever handed to the native API.
struct OBJECT_ATTRIBUTES
{
  unsigned long      Length;                  // sizeof(OBJECT_ATTRIBUTES)
  HANDLE          RootDirectory;              // directory the name is relative to, or NULL
  UNICODE_STRING* ObjectName;                 // object name, may be NULL
  unsigned long           Attributes;         // OBJ_* flags
  void*           SecurityDescriptor;         // optional SECURITY_DESCRIPTOR
  void*           SecurityQualityOfService;   // optional SECURITY_QUALITY_OF_SERVICE
};
  26.  
// Prototypes for the imports this sample uses directly.
// DebugActiveProcessStop / DebugSetProcessKillOnExit live in kernel32 and are
// also declared by windows.h; they are repeated here with plain integer types.
// The Zw* entries are ntdll exports (link against ntdll.lib); note that only
// the two kernel32 functions are actually called from main() in this listing.
extern "C"
{
    int __stdcall DebugActiveProcessStop(unsigned long);
    BOOL __stdcall DebugSetProcessKillOnExit(BOOL);
    int __stdcall ZwCreateDebugObject(void*,unsigned long,OBJECT_ATTRIBUTES*,BOOL);
    int __stdcall ZwClose(unsigned long);
    int __stdcall ZwDebugActiveProcess(unsigned long handle,unsigned long debugObject);
}
  35.  
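// Enable SeDebugPrivilege in the current process token.
//
// Returns TRUE only when the privilege is actually enabled.  Returns FALSE when
// the privilege name cannot be resolved, the token cannot be opened, the
// adjustment call fails, or the call "succeeds" but reports
// ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege at all, as is
// the case for a standard, non-administrative user).
BOOL Debug()
{
    LUID X;
    if(!LookupPrivilegeValue(0,"SeDebugPrivilege",&X))
    {
        return FALSE;
    }
    HANDLE hToken;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
    {
        return FALSE;
    }
    TOKEN_PRIVILEGES T={0};
    T.PrivilegeCount=1;
    T.Privileges[0].Luid=X;
    T.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

    // AdjustTokenPrivileges returns nonzero even when it could not enable the
    // privilege; that case is only visible via GetLastError()==ERROR_NOT_ALL_ASSIGNED.
    BOOL ok=AdjustTokenPrivileges(hToken,FALSE,&T,0,0,0);
    if(ok && GetLastError()==ERROR_NOT_ALL_ASSIGNED)
    {
        ok=FALSE;
    }
    // The token handle is not needed once the adjustment has been applied.
    CloseHandle(hToken);
    return ok;
}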
  60.  
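// Entry point.
//
// Starts with an unconditional `jmp self` loop, so the process cannot make
// progress on its own; presumably the person tracing it is expected to patch
// that instruction out (see the header comment calling this an
// anti-stepping/anti-tracing trick).  Once past it, the process enables
// SeDebugPrivilege, attaches to "process -1" with DebugActiveProcess(-1),
// drains the first three interesting debug events, detaches and shows a
// message box.  Per the header comment this freezes the whole system, so it
// must only be run where losing unsaved work is acceptable.
int main(int argc, char* argv[])
{
    __asm
    {
self:
      jmp self
    }
    // Result deliberately ignored: the attach is attempted either way.
    Debug();
    // Do not kill the debuggee (ourselves) when the debugger side exits.
    DebugSetProcessKillOnExit(FALSE);

    unsigned long exception_code=0;   // last exception code seen, kept for inspection
    unsigned long f=0;                // create-process + create-thread + exception events seen
    DEBUG_EVENT DE={0};
    if(DebugActiveProcess(-1))
    {
      for(;;)
      {
        // On timeout (0x32 ms) WaitForDebugEvent returns FALSE and DE still
        // holds the previous event; do not feed those stale ids to
        // ContinueDebugEvent - just poll again.
        if(!WaitForDebugEvent(&DE,0x32))
        {
            continue;
        }
        switch(DE.dwDebugEventCode)
        {
        case CREATE_PROCESS_DEBUG_EVENT:
            f++;
            ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
            break;
        case CREATE_THREAD_DEBUG_EVENT:
            f++;
            ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
            break;
        case EXCEPTION_DEBUG_EVENT:
            f++;
            exception_code=DE.u.Exception.ExceptionRecord.ExceptionCode;
            ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
            break;
        default:
            // Any other event (DLL load, exit, output string, ...) is just acknowledged.
            ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
            break;
        }
        // Three counted events are enough for the demonstration; detach and stop.
        if(f>=3)
        {
              DebugActiveProcessStop(-1);
              break;
        }
      }
    }
    MessageBox(0,"Congrats","waliedassar",0);
    return 0;
}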