waliedassar

DebugActiveProcess(-1)

Oct 15th, 2012
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
//This code shows how to use DebugActiveProcess(-1) as an anti-stepping/anti-tracing trick.
//N.B. To avoid losing unsaved work, don't run this on a production system: it freezes the whole system.
  5.  
  6. #include "stdafx.h"
  7. #include "windows.h"
  8. #include "stdio.h"
  9.  
// Hand-rolled mirror of the native UNICODE_STRING layout. Only windows.h is
// included here; winternl.h declares a struct of the same name, so including
// it as well would clash with this definition.
// In this file the type is referenced only by OBJECT_ATTRIBUTES below.
struct UNICODE_STRING
{
    unsigned short len;        //length in bytes (not characters)
    unsigned short max_len;    //buffer size in bytes: length + 2 for the terminating null wchar
    wchar_t* pStr;             //NOTE(review): native API treats len as authoritative, not a terminator
};
  16.  
// Hand-rolled mirror of the native OBJECT_ATTRIBUTES layout, as passed to
// Zw*/Nt* object-creation calls. Referenced only by the ZwCreateDebugObject
// prototype below, which the visible code never calls.
struct OBJECT_ATTRIBUTES
{
  unsigned long      Length;                   // native callers set this to sizeof(OBJECT_ATTRIBUTES)
  HANDLE          RootDirectory;               // directory ObjectName is relative to, or NULL
  UNICODE_STRING* ObjectName;                  // optional object name
  unsigned long           Attributes;          // OBJ_* flags
  void*           SecurityDescriptor;          // optional SECURITY_DESCRIPTOR
  void*           SecurityQualityOfService;    // optional SECURITY_QUALITY_OF_SERVICE
};
  26.  
// Manual prototypes for the Win32/native calls this sample uses, declared with
// C linkage so they resolve against kernel32/ntdll exports by plain name.
// DebugActiveProcessStop / DebugSetProcessKillOnExit are redeclared here with
// int/unsigned long in place of BOOL/DWORD (same underlying types on Win32).
// The three Zw* prototypes are not called anywhere in the visible code; they
// would need ntdll.lib (or GetProcAddress) to link if they were used.
// NOTE(review): ZwClose/ZwDebugActiveProcess take HANDLE natively; the
// unsigned long spelling only matches on 32-bit builds (this file uses
// 32-bit __asm, so that appears to be the target).
extern "C"
{
    int __stdcall DebugActiveProcessStop(unsigned long);
    BOOL __stdcall DebugSetProcessKillOnExit(BOOL);
    int __stdcall ZwCreateDebugObject(void*,unsigned long,OBJECT_ATTRIBUTES*,BOOL);
    int __stdcall ZwClose(unsigned long);
    int __stdcall ZwDebugActiveProcess(unsigned long handle,unsigned long debugObject);
}
  35.  
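// Enables SeDebugPrivilege in the current process's primary token.
//
// Returns TRUE only when the privilege was actually enabled, FALSE otherwise.
// Two fixes over the original listing:
//   * AdjustTokenPrivileges returns TRUE even when the token does not hold the
//     requested privilege (e.g. a non-administrator); that case is reported
//     only through GetLastError() == ERROR_NOT_ALL_ASSIGNED, which is now
//     checked.
//   * The token handle was never closed; it is now released on every path.
// main() calls this and ignores the result, so the demo proceeds either way.
BOOL Debug()
{
    LUID luid;
    if(!LookupPrivilegeValue(0,"SeDebugPrivilege",&luid))
    {
        return FALSE;
    }

    HANDLE hToken=0;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
    {
        return FALSE;
    }

    TOKEN_PRIVILEGES tp={0};
    tp.PrivilegeCount=1;
    tp.Privileges[0].Luid=luid;
    tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

    BOOL adjusted=AdjustTokenPrivileges(hToken,FALSE,&tp,0,0,0);
    // Capture the last-error value before CloseHandle can overwrite it;
    // a TRUE return with ERROR_NOT_ALL_ASSIGNED means nothing was enabled.
    DWORD err=GetLastError();
    CloseHandle(hToken);

    if(!adjusted || err==ERROR_NOT_ALL_ASSIGNED)
    {
        return FALSE;
    }
    return TRUE;
}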
  60.  
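// Entry point for the DebugActiveProcess(-1) demo described in the file
// header: the process attaches a debugger to itself, drains the attach-time
// debug events, detaches again and shows a message box.
//
// Returns 0 always. argc/argv are unused.
//
// Fixes over the original listing:
//   * WaitForDebugEvent's result is checked. On timeout (0x32 ms without an
//     event) the original dispatched the stale DEBUG_EVENT still in DE, so
//     the event counter reached its threshold early and ContinueDebugEvent
//     was called with already-acknowledged ids.
//   * A bounded idle period ends the loop, so it cannot spin forever if fewer
//     than three events ever arrive.
//   * The file handle delivered with CREATE_PROCESS_DEBUG_EVENT is closed, as
//     the debug API requires of the receiver.
//   * Unused locals (teb, exception_code — written but never read) removed.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    // Unconditional jump onto itself: on its own, execution never gets past
    // this point. Presumably left in so a debugger can be attached to the
    // running process first and EIP moved past the loop by hand — confirm
    // with the author before touching it.
    __asm
    {
self:
      jmp self
    }

    // Best-effort, exactly as in the original: the result is ignored and the
    // demo continues with or without SeDebugPrivilege.
    Debug();
    // Do not terminate the debuggee (this very process) when the debugger
    // side goes away.
    DebugSetProcessKillOnExit(FALSE);

    // Attach-time events seen so far; the loop detaches after three
    // (process creation, thread creation, exception), as the original did.
    unsigned long seen=0;
    // Consecutive WaitForDebugEvent timeouts; 100 * 0x32 ms is about 5 s.
    unsigned long idle=0;
    const unsigned long MAX_IDLE=100;

    DEBUG_EVENT DE={0};
    if(DebugActiveProcess(-1))
    {
        for(;;)
        {
            if(!WaitForDebugEvent(&DE,0x32))
            {
                // Timeout or error: DE was not refreshed, so there is nothing
                // to dispatch or acknowledge. Give up after MAX_IDLE tries.
                if(++idle>=MAX_IDLE)
                {
                    DebugActiveProcessStop(-1);
                    break;
                }
                continue;
            }
            idle=0;

            switch(DE.dwDebugEventCode)
            {
            case CREATE_PROCESS_DEBUG_EVENT:
                seen++;
                // The receiver owns hFile (may be NULL) and must close it.
                if(DE.u.CreateProcessInfo.hFile)
                {
                    CloseHandle(DE.u.CreateProcessInfo.hFile);
                }
                break;
            case CREATE_THREAD_DEBUG_EVENT:
                seen++;
                break;
            case EXCEPTION_DEBUG_EVENT:
                seen++;
                break;
            default:
                break;
            }
            // Every event is acknowledged with DBG_CONTINUE, as before (the
            // original repeated this call in each case).
            ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);

            if(seen>=3)
            {
                DebugActiveProcessStop(-1);
                break;
            }
        }
    }
    MessageBox(0,"Congrats","waliedassar",0);
    return 0;
}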