API tools faq
paste
Advertisement
waliedassar

Detect OllyDbg v1.10 & v2.x

waliedassar
Aug 11th, 2012
247
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.39 KB | None | 0 0
raw download clone embed print report
  1. // http://waleedassar.blogspot.com -  (@waleedassar)
  2. #include "stdafx.h"
  3. #include "windows.h"
  4.  
  5. typedef struct _PROCESS_BASIC_INFORMATION {
  6.     unsigned long Reserved1;
  7.     unsigned long PebBaseAddress;
  8.     unsigned long Reserved2[2];
  9.     unsigned long UniqueProcessId;
  10.     unsigned long ParentProcessId;
  11. }PROCESS_BASIC_INFORMATION;
  12. extern "C"
  13. {
  14.     int __stdcall ZwQueryInformationProcess(HANDLE,int,PROCESS_BASIC_INFORMATION*,int,unsigned long*);
  15. }
  16.  
  17. int main(int argc, char* argv[])
  18. {
  19.     //---------------Get parent process's PID----------------------------------
  20.     PROCESS_BASIC_INFORMATION PBI={0};
  21.     ZwQueryInformationProcess(GetCurrentProcess(),0,&PBI,sizeof(PBI),0);
  22.     HANDLE h=OpenProcess(PROCESS_VM_READ,FALSE,PBI.ParentProcessId);
  23.     if(!h) return 0;
  24.     //----------------Get Info about parent------------------------------------
  25.     ZwQueryInformationProcess(h,0,&PBI,sizeof(PBI),0);
  26.     unsigned long parent_IB=0;
  27.     ReadProcessMemory(h,(void*)((PBI.PebBaseAddress)+0x8),&parent_IB,4,0);
  28.     //---------------Start reading from PE header of parent process------------
  29.     IMAGE_DOS_HEADER DOS={0};
  30.     ReadProcessMemory(h,(void*)parent_IB,&DOS,sizeof(DOS),0);
  31.     IMAGE_NT_HEADERS INH={0};
  32.     if(ReadProcessMemory(h,(void*)(parent_IB+DOS.e_lfanew),&INH,sizeof(INH),0))
  33.     {
  34.         if((INH.OptionalHeader.DataDirectory[2].VirtualAddress)==0) return 0;
  35.  
  36.         unsigned long addr=parent_IB+INH.OptionalHeader.DataDirectory[2].VirtualAddress; //resource data directory
  37.        
  38.         IMAGE_RESOURCE_DIRECTORY IRSD={0};
  39.         if(ReadProcessMemory(h,(void*)addr,&IRSD,sizeof(IRSD),0))
  40.         {
  41.             if((IRSD.NumberOfNamedEntries+IRSD.NumberOfIdEntries)==0 ) return 0;  //no entries found.
  42.             //----Get the first entry---------------------
  43.             IMAGE_RESOURCE_DIRECTORY_ENTRY IRSE={0};
  44.             if(ReadProcessMemory(h,(void*)(addr+sizeof(IRSD)),&IRSE,sizeof(IRSE),0))
  45.             {
  46.                 if(IRSE.NameIsString)
  47.                 {
  48.                     unsigned long sz=0;
  49.                     unsigned str_addr=addr+IRSE.NameOffset;
  50.                     if(ReadProcessMemory(h,(void*)str_addr,&sz,0x2,0))
  51.                     {
  52.                           if(sz)
  53.                           {
  54.                               wchar_t* pStr=(wchar_t*)LocalAlloc(LMEM_ZEROINIT,(sz+1)*2);
  55.                               if(ReadProcessMemory(h,(void*)(str_addr+2),pStr,sz*2,0))
  56.                               {
  57.                                    if(!lstrcmpiW(pStr,L"KNOWNRESTYPE"))
  58.                                    {
  59.                                        MessageBox(0,"OllyDbg detected","waliedassar",0);
  60.                                    }
  61.                               }
  62.                               LocalFree(pStr);
  63.                           }
  64.                     }
  65.                 }
  66.             }
  67.         }
  68.     }
  69.     return 0;
  70. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!