64-Bit ZwQueryObject (Detect Debuggers)

//http://waleedassar.blogspot.com
//@waleedassar

//Using the "ZwQueryObject" function to detect debuggers
// 64-Bit code

#include "stdafx.h"
#include "windows.h"
#include "stdio.h"

struct UNICODE_STRING
{
    unsigned short Length;
    unsigned short MaxLength;
    unsigned long pad;
    wchar_t* Buffer;
};

struct _GENERIC_MAPPING_
{
   unsigned long GenericRead;
   unsigned long GenericWrite;
   unsigned long GenericExecute;
   unsigned long GenericAll;
};

struct SINGLE_OBJECT_BLOCK
{
    UNICODE_STRING     TypeName;
    unsigned long TotalNumberOfObjects;
    unsigned long TotalNumberOfHandles;
    unsigned long long pad0;
    unsigned long long pad1;
    unsigned long HighWaterNumberOfObjects;
    unsigned long HighWaterNumberOfHandles;
    unsigned long long pad3;
    unsigned long long pad4;
    unsigned long InvalidAttributes;
    _GENERIC_MAPPING_ GenericMapping;
    unsigned long ValidAccessMask;
    bool ObjectTypeFlags_SecurityRequired;
    bool ObjectTypeFlags_MaintainHandleCount;
    bool pad5;
    bool pad6;
    unsigned long PoolType;
    unsigned long DefaultPagedPoolCharge;
    unsigned long DefaultNonPagedPoolCharge;
    wchar_t  Name[0x20];
};


struct OBJECT_TYPE_ALL_INFO
{
    unsigned long long NumberOfObjectTypes;
    SINGLE_OBJECT_BLOCK Block[1];
};


extern "C"
{
    int ZwQueryObject(HANDLE hObject,unsigned long long InfoClass,void* pInfo,
                       unsigned long long InfoLength,unsigned long long* pResultLength);
}

int main(int argc, _TCHAR* argv[])
{
    unsigned long long reqLength=0;

    OBJECT_TYPE_ALL_INFO* pInfo=   (OBJECT_TYPE_ALL_INFO*)VirtualAlloc(0,0x10000,
                                   MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);

    int ret=ZwQueryObject(0,0x3,pInfo,0x10000,&reqLength);

    unsigned long i=0;
    SINGLE_OBJECT_BLOCK* pBlocks= &(pInfo->Block[0]);

    for(i=0;i<pInfo->NumberOfObjectTypes;i++)
    {
          unsigned long TypeNameLength=pBlocks->TypeName.MaxLength;
          wchar_t* pName=(wchar_t*)LocalAlloc(LMEM_ZEROINIT,TypeNameLength);
          wcsncpy(pName,pBlocks->TypeName.Buffer,(TypeNameLength-2)/2);
          wprintf(L"%d: Type Name: %s\r\n",i,pName);

          //-----------
          if(!wcscmp(pName,L"DebugObject"))
          {
              if(pBlocks->TotalNumberOfObjects)
              {
                 MessageBox(0,L"Debugger detected",L"waliedassar",0);
              }
          }
          LocalFree(pName);
          //-------

          wprintf(L"---TotalNumberOfObjects %x\r\n",pBlocks->TotalNumberOfObjects);

          wprintf(L"---TotalNumberOfHandles %x\r\n",pBlocks->TotalNumberOfHandles);

          wprintf(L"---InvalidAttributes %x\r\n",pBlocks->InvalidAttributes);

          wprintf(L"---GenericRead %x\r\n",pBlocks->GenericMapping.GenericRead);

          wprintf(L"---GenericWrite %x\r\n",pBlocks->GenericMapping.GenericWrite);

          wprintf(L"---GenericExecute %x\r\n",pBlocks->GenericMapping.GenericExecute);

          wprintf(L"---GenericAll %x\r\n",pBlocks->GenericMapping.GenericAll);

          wprintf(L"---ValidAccessMask %x\r\n",pBlocks->ValidAccessMask);

          wprintf(L"---Flag SecurityRequired %x\r\n",pBlocks->ObjectTypeFlags_SecurityRequired);

          wprintf(L"---Flag MaintainHandleCount %x\r\n",
                                pBlocks->ObjectTypeFlags_MaintainHandleCount);

                  wprintf(L"---PoolType %x\r\n",pBlocks->PoolType);

          wprintf(L"---DefaultPagedPoolCharge %x\r\n",pBlocks->DefaultPagedPoolCharge);

          wprintf(L"---DefaultNonPagedPoolCharge %x\r\n",pBlocks->DefaultNonPagedPoolCharge);
          //-------------------
          unsigned long long pX= ((((unsigned long long)
                  (pBlocks->TypeName.Buffer))+TypeNameLength)+0x7)&0xFFFFFFFFFFFFFFF8;
          pBlocks=(SINGLE_OBJECT_BLOCK*)pX;
    }
    return 0;
}