AntiDebug.h
// AntiDebug.h — declarations for the debugger-detection checks implemented in
// AntiDebug.cpp. Each function returns true when it concludes a debugger is
// attached to the current process and false otherwise.
#ifndef ANTIDEBUG_H
#define ANTIDEBUG_H

#include <windows.h>
#include "Misc.h"   // PEB / TIB layouts used by CheckForDebugger_PEB

/** Wraps CheckRemoteDebuggerPresent() on GetCurrentProcess(). */
bool CheckForDebugger_CRDP (void);

/** Calls NtQueryInformationProcess with information class 7 (ProcessDebugPort)
 *  through inline asm and reports true when the returned value is non-zero. */
bool CheckForDebugger_NQIP (void);

/** Reads PEB.BeingDebugged via the TEB pointer at fs:[18h] (32-bit x86 only). */
bool CheckForDebugger_PEB (void);

/** Spawns a thread that executes int 3 inside __try/__except and reports true
 *  when that thread finished without its exception handler running. */
bool CheckForDebugger_EH (void);

/** Reports true when any of Dr0-Dr3, Dr6 or Dr7 in the thread context is non-zero. */
bool MonitorDebugRegisters (void);

#endif
// AntiDebug.cpp — definitions of the checks declared in AntiDebug.h.
// All of them are MSVC / 32-bit x86 specific (__asm, fs:[18h], __try).
#include "AntiDebug.h"

// Asks the OS directly; the BOOL result of CheckRemoteDebuggerPresent itself
// (success/failure of the call) is not checked, so Present keeps its initial
// false on failure.
bool CheckForDebugger_CRDP(void)
{
    BOOL Present = false;
    CheckRemoteDebuggerPresent(GetCurrentProcess(),&Present);
    return Present;
}

// Queries ProcessDebugPort (class 0x07) through a hand-built stdcall frame.
// NOTE(review): neither LoadLibrary nor GetProcAddress is checked for NULL,
// and ProcessInfo is only written if the call succeeds; on failure the
// comparison below reads an uninitialized variable.
bool CheckForDebugger_NQIP(void)
{
    HMODULE hModNTDLL;
    FARPROC _NQIP;
    hModNTDLL = LoadLibrary("ntdll.dll");
    _NQIP = GetProcAddress(hModNTDLL,"NtQueryInformationProcess");
    PVOID ProcessInfo;
    DWORD *ad_ = (DWORD*)&ProcessInfo;   // receives the 4-byte debug-port value
    __asm
    {
        push NULL          // ReturnLength: not wanted
        push 4             // ProcessInformationLength: sizeof(DWORD)
        push ad_           // ProcessInformation: &ProcessInfo
        push 0x07          // ProcessInformationClass 7 = ProcessDebugPort
        push -1            // ProcessHandle: -1 is the current-process pseudo-handle
        call _NQIP         // stdcall: callee removes the five arguments
    }
    if(ProcessInfo != 0)
    {
        return true;
    }
    return false;
}

// fs:[18h] holds the TEB self-pointer on 32-bit Windows; the PEB pointer sits at
// TEB+0x30 and BeingDebugged at PEB+0x02 (see the layouts in Misc.h).
bool CheckForDebugger_PEB(void)
{
    TIB* tib;
    __asm
    {
        push eax
        mov eax,fs:[18h]
        mov tib,eax
        pop eax
    }
    if( tib->Peb->BeingDebugged == 1 )
    {
        return true;
    }
    else
    {
        return false;
    }
}

// NOTE(review): `ct` is an uninitialized pointer — GetThreadContext writes
// through it and the condition below dereferences it, which is undefined
// behaviour (in practice an access violation). GetThreadContext also expects a
// thread handle, not the process pseudo-handle from GetCurrentProcess(), and no
// ContextFlags (CONTEXT_DEBUG_REGISTERS) are requested before the call; as
// written this function cannot report anything meaningful.
bool MonitorDebugRegisters(void)
{
    CONTEXT* ct;
    GetThreadContext(GetCurrentProcess(),ct);
    if(ct->Dr0 != 0 || ct->Dr1 != 0 || ct->Dr2 != 0 || ct->Dr3 != 0 || ct->Dr6 != 0 || ct->Dr7 != 0)
    {
        return true;
    }
    return false;
}

// Shared state between EHCheck (worker thread) and CheckForDebugger_EH (caller).
// NOTE(review): plain non-atomic globals, written by one thread and read by
// another without synchronization, and never reset between calls.
int set=0;
bool done = false;

// Raises a breakpoint exception; `set` records that our own handler ran.
void EHCheck()
{
    __try
    {
        __asm
        {
            int 3h
        }
    }__except(EXCEPTION_EXECUTE_HANDLER)
    {
        set=1;
    }
    done = true;
}

// NOTE(review): `done` is tested immediately after CreateThread, with no wait
// on EHThread, so the new thread has usually not run yet and the function
// returns false regardless of the debugger state. The thread handle is also
// never closed, so each call leaks one handle.
bool CheckForDebugger_EH(void)
{
    HANDLE EHThread = CreateThread(0,0,(LPTHREAD_START_ROUTINE)EHCheck,0,0,0);
    if(done == true)
    {
        if(set != 1)
        {
            return true;
        }
    }
    return false;
}
// Misc.h — hand-written 32-bit layouts of the process environment block (PEB)
// and of the thread block that Windows calls the TEB (named TIB here), with the
// expected byte offset of each field noted in its trailing comment.
//
// NOTE(review): several "reserved" members are declared as arrays of char*
// but sized as if each element were one byte (e.g. `char* reserved1[4]` at 0c
// is followed by a field commented 10, `char* reserved1[214]` at bf8 by one
// commented c00), so the real layout drifts from the offset comments after
// those points. The only fields the code reads — TIB::Peb at 0x30 and
// PEB::BeingDebugged at 0x02 — both come before the first such divergence.
#ifndef MISC_H
#define MISC_H

#include <windows.h>

struct PEB
{
    BOOLEAN InheritedAddressSpace;         // 00
    BOOLEAN ReadImageFileExecOptions;      // 01
    BOOLEAN BeingDebugged;                 // 02  read by CheckForDebugger_PEB
    BOOLEAN SpareBool;                     // 03
    HANDLE Mutant;                         // 04
    HMODULE ImageBaseAddress;              // 08
    char* reserved1[4];                    // 0c  (16 bytes as declared; 4 expected)
    int Parameters;                        // 10
    PVOID SubSystemData;                   // 14
    HANDLE ProcessHeap;                    // 18
    char* reserved3[4];                    // 1c  (16 bytes as declared; 4 expected)
    PVOID FastPebLockRoutine;              // 20
    PVOID FastPebUnlockRoutine;            // 24
    ULONG EnvironmentUpdateCount;          // 28
    PVOID KernelCallbackTable;             // 2c
    PVOID EventLogSection;                 // 30
    PVOID EventLog;                        // 34
    PVOID FreeList;                        // 38
    ULONG TlsExpansionCounter;             // 3c
    char* reserved4[4];                    // 40  (16 bytes as declared; 4 expected)
    ULONG TlsBitmapBits[2];                // 44
    PVOID ReadOnlySharedMemoryBase;        // 4c
    PVOID ReadOnlySharedMemoryHeap;        // 50
    PVOID *ReadOnlyStaticServerData;       // 54
    PVOID AnsiCodePageData;                // 58
    PVOID OemCodePageData;                 // 5c
    PVOID UnicodeCaseTableData;            // 60
    ULONG NumberOfProcessors;              // 64
    ULONG NtGlobalFlag;                    // 68
    BYTE Spare2[4];                        // 6c
    LARGE_INTEGER CriticalSectionTimeout;  // 70
    ULONG HeapSegmentReserve;              // 78
    ULONG HeapSegmentCommit;               // 7c
    ULONG HeapDeCommitTotalFreeTh;         // 80
    ULONG HeapDeCommitFreeBlockTh;         // 84
    ULONG NumberOfHeaps;                   // 88
    ULONG MaximumNumberOfHeaps;            // 8c
    PVOID *ProcessHeaps;                   // 90
    PVOID GdiSharedHandleTable;            // 94
    PVOID ProcessStarterHelper;            // 98
    PVOID GdiDCAttributeList;              // 9c
    PVOID LoaderLock;                      // a0
    ULONG OSMajorVersion;                  // a4
    ULONG OSMinorVersion;                  // a8
    ULONG OSBuildNumber;                   // ac
    ULONG OSPlatformId;                    // b0
    ULONG ImageSubSystem;                  // b4
    ULONG ImageSubSystemMajorVersion;      // b8
    ULONG ImageSubSystemMinorVersion;      // bc
    ULONG ImageProcessAffinityMask;        // c0
    ULONG GdiHandleBuffer[34];             // c4
    ULONG PostProcessInitRoutine;          // 14c
    char* reserved5[4];                    // 150 (16 bytes as declared; 4 expected)
    ULONG TlsExpansionBitmapBits[32];      // 154
    ULONG SessionId;                       // 1d4
};

struct TIB
{
    NT_TIB Tib;                            // 000 Info block
    PVOID EnvironmentPointer;              // 01c
    DWORD processId;                       // 20
    DWORD threadId;                        // 24
    PVOID ActiveRpcHandle;                 // 028
    PVOID ThreadLocalStoragePointer;       // 02c
    PEB *Peb;                              // 030 read by CheckForDebugger_PEB
    DWORD LastErrorValue;                  // 034
    ULONG CountOfOwnedCriticalSections;    // 038
    PVOID CsrClientThread;                 // 03c
    PVOID Win32ThreadInfo;                 // 040
    ULONG Win32ClientInfo[0x1f];           // 044
    PVOID WOW32Reserved;                   // 0c0
    ULONG CurrentLocale;                   // 0c4
    ULONG FpSoftwareStatusRegister;        // 0c8
    PVOID SystemReserved1[54];             // 0cc
    PVOID Spare1;                          // 1a4
    LONG ExceptionCode;                    // 1a8
    BYTE SpareBytes1[40];                  // 1ac
    PVOID SystemReserved2[10];             // 1d4
    DWORD num_async_io;                    // 1fc
    ULONG_PTR dpmi_vif;                    // 200
    DWORD vm86_pending;                    // 204
    DWORD pad6[309];                       // 208
    ULONG gdiRgn;                          // 6dc
    ULONG gdiPen;                          // 6e0
    ULONG gdiBrush;                        // 6e4
    DWORD RealProcessId;                   // 6e8
    DWORD RealThreadId;                    // 6ec
    HANDLE GdiCachedProcessHandle;         // 6f0
    ULONG GdiClientPID;                    // 6f4
    ULONG GdiClientTID;                    // 6f8
    PVOID GdiThreadLocaleInfo;             // 6fc
    PVOID UserReserved[5];                 // 700
    PVOID glDispachTable[280];             // 714
    ULONG glReserved1[26];                 // b74
    PVOID glReserved2;                     // bdc
    PVOID glSectionInfo;                   // be0
    PVOID glSection;                       // be4
    PVOID glTable;                         // be8
    PVOID glCurrentRC;                     // bec
    PVOID glContext;                       // bf0
    ULONG LastStatusValue;                 // bf4
    char* reserved1[214];                  // bf8 (856 bytes as declared; 8 expected)
    WCHAR StaticUnicodeBuffer[261];        // c00
    PVOID DeallocationStack;               // e0c
    PVOID TlsSlots[64];                    // e10
    char* reserved2[8];                    // f10 (32 bytes as declared; 8 expected)
    PVOID Vdm;                             // f18
    PVOID ReservedForNtRpc;                // f1c
    PVOID DbgSsReserved[2];                // f20
    ULONG HardErrorDisabled;               // f28
    PVOID Instrumentation[16];             // f2c
    PVOID WinSockData;                     // f6c
    ULONG GdiBatchCount;                   // f70
    ULONG Spare2;                          // f74
    ULONG Spare3;                          // f78
    ULONG Spare4;                          // f7c
    PVOID ReservedForOle;                  // f80
    ULONG WaitingOnLoaderLock;             // f84
    PVOID Reserved5[3];                    // f88
    PVOID *TlsExpansionSlots;              // f94
};

#endif
// Main.cpp — DLL entry point. On DLL_PROCESS_ATTACH it starts a thread that
// polls the checks from AntiDebug.h in a tight loop and terminates the host
// process on the first positive result.
// NOTE(review): the leading '#' of this include is missing as posted, so the
// file does not compile as shown.
include <windows.h>
#include "AntiDebug.h"

// Busy-polls with no Sleep() between iterations. CheckForDebugger_EH() appears
// twice in the condition, and each call to it creates a new thread whose
// handle is never closed (see AntiDebug.cpp), so this loop leaks handles for
// as long as the process is not being debugged.
void Thread()
{
    while(true)
    {
        if(CheckForDebugger_CRDP() || CheckForDebugger_NQIP() || CheckForDebugger_EH() || CheckForDebugger_PEB() || CheckForDebugger_EH() || MonitorDebugRegisters() )
        {
            // Opens a fresh handle to our own process instead of using
            // GetCurrentProcess(); neither OpenProcess nor TerminateProcess is
            // checked for failure, and the handle is not closed on that path.
            HANDLE handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE, 0, GetCurrentProcessId() );
            TerminateProcess(handle,0);
        }
    }
}

// Declared as bool __stdcall rather than the documented BOOL WINAPI form.
// The CreateThread handle is discarded (never closed).
// NOTE(review): the closing brace of DllMain is missing as posted.
bool __stdcall DllMain(HINSTANCE hInst,DWORD dwReason,void* lpReserved)
{
    if(dwReason == DLL_PROCESS_ATTACH)
    {
        CreateThread(0,0,(LPTHREAD_START_ROUTINE)Thread,0,0,0);
    }
    return true;
void
[]'s
interessante a quantidade de linhas que você gasta em uma coisa simples.