DebugActiveProcess(ParentProcessPid) Trick

1. //http://waleedassar.blogspot.com/
2. //http://www.twitter.com/waleedassar
3. //This code shows how to use the DebugActiveProcess(parent_process_pid)
4. //as anti-stepping/anti-tracing trick.
5. //N.B. For fear to lose any unsaved work, don't use it on your production system.
6.  
7. #include "stdafx.h"
8. #include "windows.h"
9. #include "stdio.h"
10.  
11.  
12.  
13. typedef struct _PROCESS_BASIC_INFORMATION {
14.     unsigned long Reserved1;
15.     unsigned long PebBaseAddress;
16.     unsigned long Reserved2[2];
17.     unsigned long UniqueProcessId;
18.     unsigned long ParentProcessId;
19. }PROCESS_BASIC_INFORMATION;
20.  
21. extern "C"
22. {
23.     int __stdcall ZwQueryInformationProcess(HANDLE,unsigned long,PROCESS_BASIC_INFORMATION*,unsigned long,void*);
24. }
25.  
26. struct UNICODE_STRING
27. {
28.     unsigned short len;        //length in bytes
29.     unsigned short max_len;    //length in bytes + 2 null zeros
30.     wchar_t* pStr;
31. };
32.  
33. struct OBJECT_ATTRIBUTES
34. {
35.   unsigned long      Length;
36.   HANDLE          RootDirectory;
37.   UNICODE_STRING* ObjectName;
38.   unsigned long           Attributes;
39.   void*           SecurityDescriptor;
40.   void*           SecurityQualityOfService;
41. };
42.  
43. extern "C"
44. {
45.     int __stdcall DebugActiveProcessStop(unsigned long);
46.     BOOL __stdcall DebugSetProcessKillOnExit(BOOL);
47.     int __stdcall ZwCreateDebugObject(void*,unsigned long,OBJECT_ATTRIBUTES*,BOOL);
48.     int __stdcall ZwClose(unsigned long);
49.     int __stdcall ZwDebugActiveProcess(unsigned long handle,unsigned long debugObject);
50. }
51.  
52. BOOL Debug()
53. {
54.    
55.     LUID X;
56.     if(!LookupPrivilegeValue(0,"SeDebugPrivilege",&X))
57.     {
58.            return FALSE;
59.     }
60.     HANDLE hToken;
61.     if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
62.     {
63.         return FALSE;
64.     }
65.     TOKEN_PRIVILEGES T={0};
66.     T.PrivilegeCount=1;
67.     T.Privileges[0].Luid=X;
68.     T.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
69.  
70.     if(!AdjustTokenPrivileges(hToken,FALSE,&T,0,0,0) )
71.     {
72.         return FALSE;
73.     }
74.     return TRUE;
75. }
76.  
77. int main(int argc, char* argv[])
78. {
79.     unsigned long teb=0;
80.     Debug(); //Acquire SeDebugPrivilege
81.     DebugSetProcessKillOnExit(FALSE); //Detach upon debugger exit.
82.  
83.     PROCESS_BASIC_INFORMATION PBI={0};
84.     int ret=ZwQueryInformationProcess(GetCurrentProcess(),0,&PBI,sizeof(PBI),0);
85.     if(ret<0) return 0;
86.  
87.  
88.     unsigned long exception_code=0;
89.     unsigned long f=0;
90.     DEBUG_EVENT DE={0};
91.     if(DebugActiveProcess(PBI.ParentProcessId))
92.     {
93.       while(9)
94.       {
95.         WaitForDebugEvent(&DE,0x32);
96.         switch(DE.dwDebugEventCode)
97.         {
98.         case CREATE_PROCESS_DEBUG_EVENT:
99.             f++;
100.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
101.             break;
102.         case CREATE_THREAD_DEBUG_EVENT:
103.             f++;
104.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
105.             break;
106.         case EXCEPTION_DEBUG_EVENT:
107.             f++;
108.             exception_code=DE.u.Exception.ExceptionRecord.ExceptionCode;
109.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
110.             break;
111.         default:
112.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
113.             break;
114.         }
115.         if(f>=3)
116.         {
117.               DebugActiveProcessStop(PBI.ParentProcessId);
118.               break;
119.         }
120.       }
121.     }
122.     MessageBox(0,"Congrats","waliedassar",0);
123.     ExitProcess(0);
124.     return 0;
125. }