waliedassar

NtGlobalFlag As Anti-Debug Trick

Jun 4th, 2013
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3.  
//Compares the NtGlobalFlag value returned by NtQuerySystemInformation(SystemFlagsInformation,..) with the
//NtGlobalFlag values stored in the Process Environment Blocks (PEBs). This can be used to detect debuggers.
//Stealthy tools mistakenly do the following:
// 1) Set the "NtGlobalFlag" field of the PEB to zero, erasing other flags, e.g. 0x400.
// 2) Set the "NtGlobalFlag" field of the 32-bit PEB only to zero, forgetting the 64-bit PEB in Wow64 processes.
  9.  
  10. //N.B. Tested With Win7 SP1 64Bit.
  11.  
  12. #include "stdafx.h"
  13. #include "windows.h"
  14. #include "stdio.h"
  15.  
// SYSTEM_INFORMATION_CLASS value for SystemFlagsInformation. The query below
// reads the system-wide NtGlobalFlag as a single 4-byte value.
#define SystemFlagsInformation 0x9


// Hand-written prototype for the ntdll export: there is no public header for
// it, so it is declared here and resolved at link time (presumably against
// ntdll.lib -- the project settings are not shown on this page).
// The return value is an NTSTATUS; a negative value means failure.
// SystemInformation is typed unsigned long* here only because this file never
// queries anything other than a 4-byte flag word.
extern "C"
{
     int __stdcall ZwQuerySystemInformation(unsigned long  SystemInformationClass,
                                    unsigned long* SystemInformation,
                                unsigned long  SystemInformationLength,
                        unsigned long* pResultLength);
}
  26.  
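// Prints the verdict and terminates the process, exactly as the two inline
// branches in the original did. ExitProcess does not return.
static void report_debugged(void)
{
    printf("Being Debugged\r\n");
    ExitProcess(0);
}

// Entry point. Queries the system-wide NtGlobalFlag and compares it with the
// copies kept in this process's PEB(s); any mismatch is treated as evidence of
// a debugger (the file header explains why the copies diverge).
// Returns 0 when nothing mismatches or the query fails; on a mismatch the
// process exits through report_debugged() instead. All output goes to stdout.
int main(void)
{
    // Reference value from the kernel (info class SystemFlagsInformation).
    // Only sizeof NtGlobalFlag bytes are requested and no return length.
    unsigned long NtGlobalFlag = 0;
    int ret = ZwQuerySystemInformation(SystemFlagsInformation, &NtGlobalFlag,
                                       sizeof NtGlobalFlag, NULL);
    printf("Return Value is %x NtGlobalFlag is %x\r\n", ret, NtGlobalFlag);

    // ret is an NTSTATUS: negative means the query failed and NtGlobalFlag is
    // still its initial 0, which the comparisons below would misreport as a
    // debugger. Stop here rather than produce a false positive.
    if (ret < 0)
    {
        printf("SystemFlagsInformation query failed, nothing to compare\r\n");
        return 0;
    }

    unsigned long IsWow64 = 0;
    unsigned long NtGlobalFlag32 = 0;
    unsigned long NtGlobalFlag64 = 0;
    __asm
    {
        ; fs:[0xC0] is the TEB slot used by the WOW64 layer (presumably its
        ; fast-syscall pointer): non-zero under WOW64, zero in a native process.
        mov eax, dword ptr fs:[0xC0]
        mov IsWow64, eax

        ; fs:[0x30] -> 32-bit PEB; its NtGlobalFlag field is at offset 0x68.
        mov eax, dword ptr fs:[0x30]
        mov ebx, dword ptr [eax+0x68]
        mov NtGlobalFlag32, ebx
    }

    if (NtGlobalFlag32 != NtGlobalFlag)
    {
        report_debugged();
    }

    if (IsWow64)
    {
        __asm
        {
            ; Assumes the 64-bit PEB sits 0x1000 bytes above the 32-bit one;
            ; the header says this was tested only on Win7 SP1 x64, so confirm
            ; the layout on other builds. PEB64.NtGlobalFlag is at offset 0xBC.
            mov eax, dword ptr fs:[0x30]
            add eax, 0x1000
            mov ebx, dword ptr [eax+0xBC]
            mov NtGlobalFlag64, ebx
        }

        // All three copies must agree; a tool that scrubbed only one of them
        // shows up here.
        if (NtGlobalFlag64 != NtGlobalFlag || NtGlobalFlag64 != NtGlobalFlag32)
        {
            report_debugged();
        }
    }

    return 0;
}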