Additional PEB.BeingDebugged Check

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. #include "stdafx.h"
4. #include "windows.h"
5. #include "iostream.h"
6.  
7.  
8. int main(int argc, char* argv[])
9. {
10.     unsigned long IsWow64=0;
11.     unsigned char BeingDebugged32=0;
12.     unsigned char BeingDebugged64=0;
13.     //--------The old check-----------------------
14.     __asm
15.     {
16.         pushad
17.         mov eax,dword ptr fs:[0xC0]
18.         mov IsWow64,eax
19.         mov eax,dword ptr fs:[0x30]
20.         mov al,byte ptr[eax+0x2]
21.         mov BeingDebugged32,al
22.         popad
23.     }
24.     if(BeingDebugged32)
25.     {
26.         cout<<"Being debugged.."<<endl; exit(0);
27.     }
28.     if(IsWow64)
29.     {
30.         __asm
31.         {
32.             pushad
33.             mov eax, dword ptr fs:[0x18]
34.             sub eax,0x2000 ;64bit TEB precedes 32bit TEB by 2 pages
35.             mov eax, dword ptr[eax+0x60] ;;At offset 0x60 you can find pointer to 64bit PEB
36.             mov al,byte ptr[eax+0x2]
37.             mov BeingDebugged64,al
38.             popad
39.         }
40.         if(BeingDebugged64)
41.         {
42.             cout<<"Being debugged..."<<endl; exit(0);
43.         }
44.     }
45.     return 0;
46. }