ProcessInstrumentationCallback

1. //http://waleedassar.blogspot.com/
2. //http://www.twitter.com/waleedassar
3.  
4. //Certain information classes of the "ZwSetInformationProcess" function requires
5. // the "SeDebugPrivilege" privilege. If the caller's thread does not have this
6. //privilege, an error (0xC0000061) STATUS_PRIVILEGE_NOT_HELD is returned.
7. //OllyDbg has that privilege and passes it to its child processes i.e. debuggees.
8. //Thus, this information class can be used as an anti-debug trick. If 0xC0000061
9. //is not returned, then a debugger is present.
10.  
11. #include "stdafx.h"
12. #include "windows.h"
13. #include "stdio.h"
14.  
15. #define ProcessInstrumentationCallback 0x28
16.  
17. extern "C"
18. {
19.     int __stdcall ZwSetInformationProcess(HANDLE,unsigned long,unsigned long*,unsigned long);
20. }
21.  
22. int main()
23. {
24.     unsigned long PebAddress=0;
25.     unsigned long Value=0xCECEFEFE;
26.     int ret=ZwSetInformationProcess(GetCurrentProcess(),ProcessInstrumentationCallback,&Value,0x4);
27.     if(ret>=0)
28.     {
29.         __asm
30.         {
31.             mov eax,dword ptr fs:[0x30]
32.             mov PebAddress,eax
33.         }
34.         PebAddress+=0x254;
35.         if(*(unsigned long*)PebAddress==0xCECEFEFE) printf("Being debugged\r\n");
36.     }
37.     else if(ret==0xC0000061) printf("Expected\r\n");
38.     return 0;
39. }
40.  
41.  
42. //N.B. Also the "ProcessBreakOnTermination" information class requires this privilege. Nasty?!