Advertisement
waliedassar

DebugActiveProcess(-1)

Oct 15th, 2012
543
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.50 KB | None | 0 0
  1. //http://waleedassar.blogspot.com
  2. //http://www.twitter.com/waleedassar
  3. //This code shows how to use the DebugActiveProcess(-1) as anti-stepping/anti-tracing trick.
  4. //N.B. For fear to lose any unsaved work, don't use it on your production system since it freezes the whole system.
  5.  
  6. #include "stdafx.h"
  7. #include "windows.h"
  8. #include "stdio.h"
  9.  
  10. struct UNICODE_STRING
  11. {
  12.     unsigned short len;        //length in bytes
  13.     unsigned short max_len;    //length in bytes + 2 null zeros
  14.     wchar_t* pStr;
  15. };
  16.  
  17. struct OBJECT_ATTRIBUTES
  18. {
  19.   unsigned long      Length;
  20.   HANDLE          RootDirectory;
  21.   UNICODE_STRING* ObjectName;
  22.   unsigned long           Attributes;
  23.   void*           SecurityDescriptor;
  24.   void*           SecurityQualityOfService;
  25. };
  26.  
  27. extern "C"
  28. {
  29.     int __stdcall DebugActiveProcessStop(unsigned long);
  30.     BOOL __stdcall DebugSetProcessKillOnExit(BOOL);
  31.     int __stdcall ZwCreateDebugObject(void*,unsigned long,OBJECT_ATTRIBUTES*,BOOL);
  32.     int __stdcall ZwClose(unsigned long);
  33.     int __stdcall ZwDebugActiveProcess(unsigned long handle,unsigned long debugObject);
  34. }
  35.  
  36. BOOL Debug()
  37. {
  38.    
  39.     LUID X;
  40.     if(!LookupPrivilegeValue(0,"SeDebugPrivilege",&X))
  41.     {
  42.            return FALSE;
  43.     }
  44.     HANDLE hToken;
  45.     if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
  46.     {
  47.         return FALSE;
  48.     }
  49.     TOKEN_PRIVILEGES T={0};
  50.     T.PrivilegeCount=1;
  51.     T.Privileges[0].Luid=X;
  52.     T.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
  53.  
  54.     if(!AdjustTokenPrivileges(hToken,FALSE,&T,0,0,0) )
  55.     {
  56.         return FALSE;
  57.     }
  58.     return TRUE;
  59. }
  60.  
  61. int main(int argc, char* argv[])
  62. {
  63.     unsigned long teb=0;
  64.     __asm
  65.     {
  66. self:
  67.       jmp self
  68.     }
  69.     Debug();
  70.     DebugSetProcessKillOnExit(FALSE);
  71.  
  72.     unsigned long exception_code=0;
  73.     unsigned long f=0;
  74.     DEBUG_EVENT DE={0};
  75.     if(DebugActiveProcess(-1))
  76.     {
  77.       while(9)
  78.       {
  79.         WaitForDebugEvent(&DE,0x32);
  80.         switch(DE.dwDebugEventCode)
  81.         {
  82.         case CREATE_PROCESS_DEBUG_EVENT:
  83.             f++;
  84.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
  85.             break;
  86.         case CREATE_THREAD_DEBUG_EVENT:
  87.             f++;
  88.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
  89.             break;
  90.         case EXCEPTION_DEBUG_EVENT:
  91.             f++;
  92.             exception_code=DE.u.Exception.ExceptionRecord.ExceptionCode;
  93.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
  94.             break;
  95.         default:
  96.             ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
  97.             break;
  98.         }
  99.         if(f>=3)
  100.         {
  101.               DebugActiveProcessStop(-1);
  102.               break;
  103.         }
  104.       }
  105.     }
  106.     MessageBox(0,"Congrats","waliedassar",0);
  107.     return 0;
  108. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement