Typical Sequence Of Antidebug Tricks

1. //http://waleedassar.blogspot.com
2. //http://www.twitter.com/waleedassar
3. #include "stdafx.h"
4. #include "windows.h"
5. #include "iostream.h"
6.  
7.  
8. extern "C"
9. {
10.        int __stdcall ZwSetInformationThread(HANDLE,int,unsigned long*,unsigned long);
11.        int __stdcall ZwQueryInformationProcess(HANDLE,int,unsigned long*,unsigned long,unsigned long*);
12. }
13.  
14. #define ThreadHideFromDebugger 0x11
15. #define ProcessDebugPort   0x7
16. #define ProcessDebugObjectHandle 0x1E
17. #define ProcessDebugFlags 0x1F
18.  
19. int main(int argc, char* argv[])
20. {
21.     //------------------------------------
22.     unsigned long _port_=0;
23.     ZwQueryInformationProcess(GetCurrentProcess(),ProcessDebugPort,&_port_,0x4,0);
24.     if(_port_)
25.     {
26.         MessageBox(0,"BeingDebugged","waliedassar",0);
27.         ExitProcess(-1);
28.     }
29.     //------------------------------------
30.     unsigned long DbgObjHand=0;
31.     int ret=ZwQueryInformationProcess(GetCurrentProcess(),ProcessDebugObjectHandle,&DbgObjHand,0x4,0);
32.     if(ret>=0 || DbgObjHand)
33.     {
34.         MessageBox(0,"BeingDebugged","waliedassar",0);
35.         ExitProcess(-2);
36.     }
37.     //------------------------------------
38.     unsigned long DbgFlags=0;
39.     ZwQueryInformationProcess(GetCurrentProcess(),ProcessDebugFlags,&DbgFlags,0x4,0);
40.     if(DbgFlags==0)
41.     {
42.             //Only if Process was spawned by the "DEBUG_ONLY_THIS_PROCESS" flag of
43.             //The "CreateProcess" function i.e. No Child Debugging.
44.             //Does not harm you code, though.
45.         MessageBox(0,"BeingDebugged","waliedassar",0);
46.         ExitProcess(-2);
47.     }
48.     //------------------------------------
49.     ZwSetInformationThread(GetCurrentThread(),ThreadHideFromDebugger,0,0);
50.    
51.  
52.     MessageBox(0,"Can you see me under debugger","waliedassar",0);
53.     return 0;
54. }