AntiDebug.h
#ifndef ANTIDEBUG_H
#define ANTIDEBUG_H
#include <windows.h>
#include "Misc.h"
/* Debugger probes.  Each returns true when it believes a debugger is attached
 * to the calling process.  All of them are 32-bit x86 / MSVC specific (inline
 * asm, fs:-relative TEB access, SEH) and none is hard to hide from; they are
 * meant to be polled together, which is what Main.cpp does. */
/* CheckRemoteDebuggerPresent() on the current process. */
bool CheckForDebugger_CRDP (void);
/* NtQueryInformationProcess(ProcessDebugPort): a non-zero port means a debugger. */
bool CheckForDebugger_NQIP (void);
/* PEB.BeingDebugged, read straight from the TEB via fs:. */
bool CheckForDebugger_PEB (void);
/* INT 3 probe: a debugger swallows the breakpoint, so the SEH handler never runs. */
bool CheckForDebugger_EH (void);
/* Hardware breakpoints: any of DR0-DR3 / DR6 / DR7 non-zero in the thread context. */
bool MonitorDebugRegisters (void);
#endif
AntiDebug.cpp
#include "AntiDebug.h"
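// Ask the kernel whether a debugger is attached to this process.
// Returns true only when the query itself succeeded and reported a debugger;
// the original ignored CheckRemoteDebuggerPresent's return value, so a failed
// call was indistinguishable from "no debugger".
bool CheckForDebugger_CRDP(void)
{
    BOOL present = FALSE;
    if (!CheckRemoteDebuggerPresent(GetCurrentProcess(), &present))
    {
        return false;   // query failed: we cannot tell, so do not claim a hit
    }
    return present != FALSE;
}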
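// Query the process debug port (ProcessInformationClass 7, ProcessDebugPort)
// through ntdll!NtQueryInformationProcess.  A non-zero port means a debugger
// is attached.
//
// Fixes vs. the original inline-asm version: the ntdll handle and the
// GetProcAddress result were never checked (a missing export meant a call
// through NULL), the NTSTATUS return was ignored and the output buffer was
// read uninitialised, and LoadLibrary was called on every poll without a
// matching FreeLibrary.
bool CheckForDebugger_NQIP(void)
{
    // Prototype as in winternl.h; LONG stands in for NTSTATUS so this
    // compiles with <windows.h> alone.  NTAPI is __stdcall, matching the
    // five right-to-left pushes of the original asm.
    typedef LONG (NTAPI *NtQueryInformationProcess_t)(HANDLE ProcessHandle,
                                                     ULONG ProcessInformationClass,
                                                     PVOID ProcessInformation,
                                                     ULONG ProcessInformationLength,
                                                     PULONG ReturnLength);
    const ULONG ProcessDebugPort = 7;

    // ntdll is mapped into every process; GetModuleHandle returns the existing
    // base without bumping the load count on each call.
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
    {
        return false;
    }

    NtQueryInformationProcess_t NtQIP =
        (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (NtQIP == NULL)
    {
        return false;
    }

    // The port comes back as a pointer-sized value.  Initialise it so a failed
    // query cannot leave garbage that reads as "debugger present".
    DWORD_PTR debugPort = 0;
    ULONG returned = 0;
    LONG status = NtQIP(GetCurrentProcess(),        // same as the original's -1
                        ProcessDebugPort,
                        &debugPort,
                        sizeof(debugPort),
                        &returned);
    if (status < 0)                                 // NT_SUCCESS(status) is status >= 0
    {
        return false;
    }

    return debugPort != 0;
}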
// Read PEB.BeingDebugged (offset 0x02) through the PEB pointer the TEB holds
// at offset 0x30.  On 32-bit x86, fs: points at the TEB, so fs:[30h] is the
// PEB pointer directly; the original went fs:[18h] (TEB self-pointer) and then
// TIB::Peb, which yields the same address.  The kernel sets this byte while
// the process is being debugged; ring-3 code can clear it, so it is one
// signal among several.
bool CheckForDebugger_PEB(void)
{
    PEB* peb = NULL;
    __asm
    {
        push eax
        mov eax, fs:[30h]
        mov peb, eax
        pop eax
    }
    return peb->BeingDebugged == 1;
}
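// Look for hardware breakpoints on the calling thread: any of DR0-DR3, DR6 or
// DR7 non-zero is reported as a debugger (same register set as the original).
//
// Fixes vs. the original: it passed an uninitialised CONTEXT* (a write
// through a garbage pointer), passed the *process* pseudo-handle to a call
// that wants a *thread* handle, never set ContextFlags, and never checked
// whether the call succeeded.
// NOTE(review): MSDN says a running thread's own context is not guaranteed to
// be meaningful; reading the debug registers this way is the conventional
// anti-debug use and is kept as such.
bool MonitorDebugRegisters(void)
{
    CONTEXT ctx;
    ZeroMemory(&ctx, sizeof(ctx));
    // Ask only for the debug-register part of the context.
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;

    if (!GetThreadContext(GetCurrentThread(), &ctx))
    {
        return false;   // cannot tell; do not report a debugger on a failed call
    }

    // DR6 is the status register; kept from the original check set.
    return ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0
        || ctx.Dr6 != 0 || ctx.Dr7 != 0;
}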
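// Shared between the INT 3 probe (EHCheck, writer) and CheckForDebugger_EH
// (reader), which in the original ran on different threads.  volatile keeps
// each access in memory instead of a cached register.
// NOTE(review): MSVC's default /volatile:ms additionally orders the `set`
// write before the `done` write; confirm the build flags if that is relied on.
volatile int set = 0;        // 1 once the SEH handler has run (no debugger)
volatile bool done = false;  // true once EHCheck has finished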
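// INT 3 probe body, run on its own thread by the original CheckForDebugger_EH.
// Without a debugger the OS delivers EXCEPTION_BREAKPOINT to the __except
// handler (set = 1); an attached debugger consumes the breakpoint first and
// the handler never runs.
//
// Fixes vs. the original: the flags are reset on entry so the probe can be
// repeated (they were never cleared, so after the first undebugged run `set`
// stayed 1 for the life of the process), and the filter only claims the
// breakpoint exception instead of every exception.
// NOTE(review): as a CreateThread start routine this should really be
// `DWORD WINAPI EHCheck(LPVOID)`; the void() signature is kept because the
// caller casts it, but on x86 a __cdecl void() returning into the __stdcall
// thread thunk is a calling-convention mismatch.
void EHCheck()
{
    set = 0;
    done = false;
    __try
    {
        __asm { int 3 }
    }
    __except (GetExceptionCode() == EXCEPTION_BREAKPOINT
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH)
    {
        set = 1;   // no debugger: the OS handed the breakpoint to us
    }
    done = true;
}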
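// INT 3 probe, run on the calling thread.  Without a debugger the OS raises
// EXCEPTION_BREAKPOINT and our handler runs; an attached debugger consumes the
// breakpoint first and the handler never executes, which is the tell.  A
// debugger configured to pass INT 3 through to the program defeats this.
//
// The original spawned a thread per call, read the shared `done`/`set` flags
// immediately (before the thread could have run), never waited on or closed
// the thread (one leaked thread per poll), and never reset the flags, so it
// could not fire after the first call.  Doing the probe inline needs none of
// that state.
bool CheckForDebugger_EH(void)
{
    // volatile: written inside __try, read after the handler; keeps the
    // compiler from caching it in a register across the SEH boundary.
    volatile bool handlerRan = false;
    __try
    {
        __asm { int 3 }
    }
    __except (GetExceptionCode() == EXCEPTION_BREAKPOINT
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH)
    {
        handlerRan = true;
    }
    return !handlerRan;
}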
Misc.h
#ifndef MISC_H
#define MISC_H
#include <windows.h>
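/* 32-bit (x86) Process Environment Block, laid out to the offsets in the
 * trailing comments.  The layout is undocumented and version-specific;
 * AntiDebug.cpp only reads BeingDebugged (0x02), and every later member exists
 * purely to keep the offsets honest.
 *
 * Fix vs. the original: the reserved slots were declared `char* name[4]`
 * (16 bytes each) while their offset comments leave room for 4 bytes, so every
 * member after 0x0c was shifted.  They are single pointers here, which makes
 * the declared offsets and the real ones agree. */
struct PEB
{
    BOOLEAN InheritedAddressSpace;        // 00
    BOOLEAN ReadImageFileExecOptions;     // 01
    BOOLEAN BeingDebugged;                // 02  <- the only field read here
    BOOLEAN SpareBool;                    // 03
    HANDLE Mutant;                        // 04
    HMODULE ImageBaseAddress;             // 08
    PVOID reserved1;                      // 0c
    int Parameters;                       // 10
    PVOID SubSystemData;                  // 14
    HANDLE ProcessHeap;                   // 18
    PVOID reserved3;                      // 1c
    PVOID FastPebLockRoutine;             // 20
    PVOID FastPebUnlockRoutine;           // 24
    ULONG EnvironmentUpdateCount;         // 28
    PVOID KernelCallbackTable;            // 2c
    PVOID EventLogSection;                // 30
    PVOID EventLog;                       // 34
    PVOID FreeList;                       // 38
    ULONG TlsExpansionCounter;            // 3c
    PVOID reserved4;                      // 40
    ULONG TlsBitmapBits[2];               // 44
    PVOID ReadOnlySharedMemoryBase;       // 4c
    PVOID ReadOnlySharedMemoryHeap;       // 50
    PVOID *ReadOnlyStaticServerData;      // 54
    PVOID AnsiCodePageData;               // 58
    PVOID OemCodePageData;                // 5c
    PVOID UnicodeCaseTableData;           // 60
    ULONG NumberOfProcessors;             // 64
    ULONG NtGlobalFlag;                   // 68
    BYTE Spare2[4];                       // 6c
    LARGE_INTEGER CriticalSectionTimeout; // 70
    ULONG HeapSegmentReserve;             // 78
    ULONG HeapSegmentCommit;              // 7c
    ULONG HeapDeCommitTotalFreeTh;        // 80
    ULONG HeapDeCommitFreeBlockTh;        // 84
    ULONG NumberOfHeaps;                  // 88
    ULONG MaximumNumberOfHeaps;           // 8c
    PVOID *ProcessHeaps;                  // 90
    PVOID GdiSharedHandleTable;           // 94
    PVOID ProcessStarterHelper;           // 98
    PVOID GdiDCAttributeList;             // 9c
    PVOID LoaderLock;                     // a0
    ULONG OSMajorVersion;                 // a4
    ULONG OSMinorVersion;                 // a8
    ULONG OSBuildNumber;                  // ac
    ULONG OSPlatformId;                   // b0
    ULONG ImageSubSystem;                 // b4
    ULONG ImageSubSystemMajorVersion;     // b8
    ULONG ImageSubSystemMinorVersion;     // bc
    ULONG ImageProcessAffinityMask;       // c0
    ULONG GdiHandleBuffer[34];            // c4
    ULONG PostProcessInitRoutine;         // 14c
    PVOID reserved5;                      // 150
    ULONG TlsExpansionBitmapBits[32];     // 154
    ULONG SessionId;                      // 1d4
};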
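/* 32-bit (x86) Thread Environment Block (named TIB here), laid out to the
 * offsets in the trailing comments.  Undocumented and version-specific;
 * AntiDebug.cpp only reads Peb (0x30), which sits right after the documented
 * NT_TIB header.
 *
 * Fix vs. the original: reserved1 was `char* [214]` (856 bytes) in a slot the
 * offset comments size at 8 bytes (bf8..c00), and reserved2 was `char* [8]`
 * (32 bytes) in an 8-byte slot (f10..f18), so everything after 0xbf8 was
 * shifted.  Both are two pointers now, matching the declared offsets. */
struct TIB
{
    NT_TIB Tib;                           // 000 Info block
    PVOID EnvironmentPointer;             // 01c
    DWORD processId;                      // 20
    DWORD threadId;                       // 24
    PVOID ActiveRpcHandle;                // 028
    PVOID ThreadLocalStoragePointer;      // 02c
    PEB *Peb;                             // 030  <- the only field read here
    DWORD LastErrorValue;                 // 034
    ULONG CountOfOwnedCriticalSections;   // 038
    PVOID CsrClientThread;                // 03c
    PVOID Win32ThreadInfo;                // 040
    ULONG Win32ClientInfo[0x1f];          // 044
    PVOID WOW32Reserved;                  // 0c0
    ULONG CurrentLocale;                  // 0c4
    ULONG FpSoftwareStatusRegister;       // 0c8
    PVOID SystemReserved1[54];            // 0cc
    PVOID Spare1;                         // 1a4
    LONG ExceptionCode;                   // 1a8
    BYTE SpareBytes1[40];                 // 1ac
    PVOID SystemReserved2[10];            // 1d4
    DWORD num_async_io;                   // 1fc
    ULONG_PTR dpmi_vif;                   // 200
    DWORD vm86_pending;                   // 204
    DWORD pad6[309];                      // 208
    ULONG gdiRgn;                         // 6dc
    ULONG gdiPen;                         // 6e0
    ULONG gdiBrush;                       // 6e4
    DWORD RealProcessId;                  // 6e8
    DWORD RealThreadId;                   // 6ec
    HANDLE GdiCachedProcessHandle;        // 6f0
    ULONG GdiClientPID;                   // 6f4
    ULONG GdiClientTID;                   // 6f8
    PVOID GdiThreadLocaleInfo;            // 6fc
    PVOID UserReserved[5];                // 700
    PVOID glDispachTable[280];            // 714
    ULONG glReserved1[26];                // b74
    PVOID glReserved2;                    // bdc
    PVOID glSectionInfo;                  // be0
    PVOID glSection;                      // be4
    PVOID glTable;                        // be8
    PVOID glCurrentRC;                    // bec
    PVOID glContext;                      // bf0
    ULONG LastStatusValue;                // bf4
    PVOID reserved1[2];                   // bf8
    WCHAR StaticUnicodeBuffer[261];       // c00
    PVOID DeallocationStack;              // e0c
    PVOID TlsSlots[64];                   // e10
    PVOID reserved2[2];                   // f10
    PVOID Vdm;                            // f18
    PVOID ReservedForNtRpc;               // f1c
    PVOID DbgSsReserved[2];               // f20
    ULONG HardErrorDisabled;              // f28
    PVOID Instrumentation[16];            // f2c
    PVOID WinSockData;                    // f6c
    ULONG GdiBatchCount;                  // f70
    ULONG Spare2;                         // f74
    ULONG Spare3;                         // f78
    ULONG Spare4;                         // f7c
    PVOID ReservedForOle;                 // f80
    ULONG WaitingOnLoaderLock;            // f84
    PVOID Reserved5[3];                   // f88
    PVOID *TlsExpansionSlots;             // f94
};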
#endif
Main.cpp
#include <windows.h>
#include "AntiDebug.h"
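// Watchdog loop started from DllMain: polls every probe and terminates the
// process on the first hit.  Terminating is a loud response that is trivial
// to patch out; it is kept because that is what this DLL does.
//
// Fixes vs. the original: the loop spun with no delay (pinned a core), listed
// CheckForDebugger_EH twice, and opened a second handle to its own process
// (never closed) when the current-process pseudo-handle already grants
// PROCESS_TERMINATE.
// NOTE(review): as a CreateThread start routine this should be
// `DWORD WINAPI Thread(LPVOID)`; void() is kept because DllMain casts it and
// the loop never returns, so the calling-convention mismatch is never reached.
void Thread()
{
    const DWORD pollIntervalMs = 100;   // poll period; tune as needed
    for (;;)
    {
        const bool debugged = CheckForDebugger_CRDP()
                           || CheckForDebugger_NQIP()
                           || CheckForDebugger_PEB()
                           || CheckForDebugger_EH()
                           || MonitorDebugRegisters();
        if (debugged)
        {
            TerminateProcess(GetCurrentProcess(), 0);
        }
        Sleep(pollIntervalMs);
    }
}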
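// DLL entry point: on process attach, start the watchdog thread.  The thread
// handle is closed immediately because nothing ever waits on it (the original
// leaked it).  The original listing was also missing this function's closing
// brace, and declared the return as `bool`; the loader's documented prototype
// is BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID), used here.
// CreateThread from DllMain is fine: the new thread only starts running after
// the loader lock is released.
BOOL WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
{
    (void)hInst;
    (void)lpReserved;
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        HANDLE watchdog = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Thread, 0, 0, 0);
        if (watchdog != NULL)
        {
            CloseHandle(watchdog);
        }
    }
    return TRUE;
}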
Créditos:
void
[]'s