TEB.SuppressDebugMsg

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. //Upon receiving LOAD_DLL_DEBUG_EVENT debug events, debuggers save the value of
4. //the "hFile" member of LOAD_DLL_DEBUG_INFO somewhere so that it can use it to read info and
5. //then close it upon receiving the corresponding UNLOAD_DLL_DEBUG_INFO.
6.  
7. //Windbg and IDA Pro debuggers cache this handle and do not close it until the corresponding
8. //UNLOAD_DLL_DEBUG_EVENT is received.
9. //So, to detect these debuggers, we set TEB.SuppressDebugMsg just after LoadLibrary
10. //has been called. This way the debugger will never receive UNLOAD_DLL_DEBUG_EVENT then any try to
11. //acquire exclusive access to the Dll file after FreeLibrary will fail.
12. //Executable can be found at:
13. //http://code.google.com/p/ollytlscatch/downloads/detail?name=SuppressDebugMsg.exe
14.  
15. #include "stdafx.h"
16. #include "windows.h"
17. #include "stdio.h"
18. #include "resource.h"
19.  
20. void main()
21. {
22.     HRSRC h=FindResource(0,MAKEINTRESOURCE(IDR_WALIED2),"WALIED");
23.     if(h)
24.     {
25.         HGLOBAL hG=LoadResource(0,h);
26.         if(hG)
27.         {
28.             void* pDll=LockResource(hG);
29.             if(pDll)
30.             {
31.                 char path[MAX_PATH]={0};
32.                 GetCurrentDirectory(MAX_PATH,path);
33.                 unsigned long len=strlen(path);
34.                 if(path[len-1]!='\\') path[len]='\\';
35.                 strcat(path,"walied.dll");
36.                 HANDLE hFile=CreateFile(path,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,0,OPEN_EXISTING,0,0);
37.                 if(hFile==INVALID_HANDLE_VALUE)
38.                 {
39.                     hFile=CreateFile(path,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,0,CREATE_ALWAYS,0,0);
40.                 }
41.                 if(hFile==INVALID_HANDLE_VALUE) ExitProcess(0);
42.                 else
43.                 {
44.                     unsigned long writ;
45.                     WriteFile(hFile,pDll,SizeofResource(0,h),&writ,0);
46.                     CloseHandle(hFile);
47.                     HMODULE Base=LoadLibrary(path);
48.                     __asm
49.                     {
50.                         pushad
51.                         mov eax,dword ptr fs:[0x18]
52.                         mov byte ptr[eax+0xFCA],0x80//This is the trick.
53.                         popad
54.                     }
55.                     FreeLibrary(Base);
56.                     hFile=0;
57.                     hFile=CreateFile(path,GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
58.                     if(hFile!=INVALID_HANDLE_VALUE)
59.                     {
60.                         MessageBox(0,"Expected behavior","waliedassar",0);
61.                         CloseHandle(hFile);
62.                     }
63.                     else
64.                     {
65.                         MessageBox(0,"Debugger detected","waliedassar",0);
66.                     }
67.                     DeleteFile(path);
68.                 }
69.             }
70.         }
71.     }
72. }