//http://waleedassar.blogspot.com
//http://www.twitter.com/waleedassar
//Comparing the NtGlobalFlag value returned by NtQuerySystemInformation(SystemFlagsInformation,..); with the
//values of NtGlobalFlag in the Process Environment Blocks (PEBs). This can be used to detect debuggers.
//Stealthy tools mistakenly do the following:
// 1) Set to zero the "NtGlobalFlag" field of the PEB, erasing other flags e.g. 0x400.
// 2) Set to zero the "NtGlobalFlag" field of the 32-bit PEB only, forgetting the 64-bit PEB in Wow64 processes.
//N.B. Tested with Win7 SP1 64-bit.
#include "stdafx.h"   // MSVC precompiled-header stub
#include "windows.h"  // ExitProcess
#include "stdio.h"    // printf
// SYSTEM_INFORMATION_CLASS value 9 (SystemFlagsInformation): the query returns the
// system-wide NtGlobalFlag as a single ULONG. Defined by hand because winternl.h is not included.
#define SystemFlagsInformation 0x9
// Hand-written prototype for the ntdll native API (presumably resolved through ntdll.lib;
// the build settings are not shown here). Declared extern "C" so the name is not mangled.
// Parameters mirror NtQuerySystemInformation: information class, caller's buffer, buffer
// size in bytes, and an optional out-pointer that receives the required length (0 here).
// The return value is an NTSTATUS: zero on success, negative on failure.
// NOTE(review): the real prototype takes PVOID for the buffer and PULONG for the result
// length; the unsigned long* used here is binary-compatible on x86 but not self-documenting.
extern "C"
{
int __stdcall ZwQuerySystemInformation(unsigned long SystemInformationClass,
unsigned long* SystemInformation,
unsigned long SystemInformationLength,
unsigned long* pResultLength);
}
// Program entry point. Reads the system-wide NtGlobalFlag through the native API and
// compares it with the per-process copies: the one in the 32-bit PEB and, when the
// process runs under WOW64, the one in the 64-bit PEB. Any mismatch is treated as a
// debugger and the process exits with code 0.
// Why the comparison is informative (commonly documented Windows behaviour, not shown
// in this file): the loader sets the heap-debugging flags (0x70) in the PEB copy of a
// process started under a debugger, while the system-wide value stays as configured.
// NOTE(review): per-image GlobalFlag entries under Image File Execution Options also
// change only the PEB copy, so a mismatch is evidence of a debugger, not proof.
// NOTE(review): `void main()` is non-standard; `int main(void)` is the portable form.
void main()
{
unsigned long NtGlobalFlag=0;
// System-wide value. SystemFlagsInformation yields one ULONG, hence the 4-byte length
// and the NULL ReturnLength pointer.
// NOTE(review): `ret` is an NTSTATUS that is printed but never checked. If the call
// fails, NtGlobalFlag stays 0 and the comparisons below can print "Being Debugged"
// for a reason unrelated to a debugger; testing `ret < 0` first would make the verdict honest.
int ret = ZwQuerySystemInformation(SystemFlagsInformation,& NtGlobalFlag,0x4,0);
// NOTE(review): `%lx` is the matching specifier for unsigned long (same width as int on Win32, so harmless here).
printf("Return Value is %x NtGlobalFlag is %x\r\n",ret,NtGlobalFlag);
unsigned long IsWow64=0;        // non-zero when this is a WOW64 (32-bit-on-64-bit) process
unsigned long NtGlobalFlag32=0; // copy held in the 32-bit PEB
unsigned long NtGlobalFlag64=0; // copy held in the 64-bit PEB (WOW64 only)
// MSVC x86 inline assembly. The offsets are structure offsets of the Win7 SP1 x64
// layout named in the header comment, not API guarantees; other builds may differ.
__asm
{
mov eax,dword ptr fs:[0xC0]   // TEB+0xC0 (WOW32Reserved): non-zero only inside a WOW64 process
mov IsWow64,eax
mov eax,dword ptr fs:[0x30]   // TEB+0x30: pointer to the 32-bit PEB
mov ebx,dword ptr[eax+0x68]   // PEB32+0x68: NtGlobalFlag
mov NtGlobalFlag32,ebx
}
// Case 1 from the header comment: the 32-bit PEB copy was zeroed or otherwise altered.
if(NtGlobalFlag32 != NtGlobalFlag)
{
printf("Being Debugged\r\n");
ExitProcess(0);
}
if(IsWow64)
{
// Case 2 from the header comment: under WOW64 this code assumes the 64-bit PEB sits one
// page (0x1000) above the 32-bit one, with its NtGlobalFlag at +0xBC. A tool that patched
// only the 32-bit copy leaves this value inconsistent with both of the others.
__asm
{
mov eax,dword ptr fs:[0x30]   // 32-bit PEB
add eax,0x1000                // -> 64-bit PEB (layout assumption, see above)
mov ebx,dword ptr[eax+0xBC]   // PEB64+0xBC: NtGlobalFlag
mov NtGlobalFlag64,ebx
}
if( (NtGlobalFlag64!=NtGlobalFlag) || (NtGlobalFlag64!=NtGlobalFlag32) )
{
printf("Being Debugged\r\n");
ExitProcess(0);
}
}
}