#include <windows.h>
#include <intrin.h>
// Shared state between antiDebug(), the two exception handlers and WinMain().
// All of it is plain non-atomic globals written from handler context.
int DebugBit = 0;          // overloaded flag: its meaning differs per check (set to 1 by suefDebugCheck,
                           // reused as the BOOL out-param of CheckRemoteDebuggerPresent, TRUE/FALSE elsewhere)
int countExceptions = 0;   // number of exceptions that reached vehCheck(); WinMain() expects exactly 3
int DebugBreakBit = 0;     // set to 1 just before the deliberate breakpoints so vehCheck() resumes past them
HANDLE vehPtr;             // value returned by AddVectoredExceptionHandler(); removed again in WinMain()
// Reads the first pointer-sized word of the PEB (fs:[0x30] on x86 / gs:[0x60] on
// x64 hold the PEB address) and returns that word cast to a pointer.  The caller
// compares the result against 0x00010000, i.e. it expects PEB.BeingDebugged (byte 2
// of that word) to be 1 while the neighbouring byte flags are zero.
// NOTE(review): an exact-equality test is fragile — any other bit set in the same
// word (e.g. the bit-field byte) makes the comparison fail even while debugged.
// NOTE(review): if neither _M_IX86 nor _M_X64 is defined, BeingDebuggedBit is
// dereferenced uninitialized.
// Returns: the PEB's first word as a DWORD_PTR * (a value, not a dereferenceable address).
DWORD_PTR *GetBeingDebugged( )
{
DWORD_PTR *BeingDebuggedBit;
#ifdef _M_IX86
BeingDebuggedBit = ( DWORD_PTR * ) __readfsdword( 0x30 );
#elif _M_X64
BeingDebuggedBit = ( DWORD_PTR * ) __readgsqword( 0x60 );
#endif
return( ( DWORD_PTR * ) *BeingDebuggedBit );
}
// Intended to locate PEB.NtGlobalFlag; the caller tests the result for equality
// with 0x70 (the usual combination of the three heap-debugging flags).
// NOTE(review): `( DWORD_PTR * ) x + 0x68` is pointer arithmetic, so it advances
// 0x68 * sizeof( DWORD_PTR ) bytes rather than 0x68 bytes; the intermediate
// dereference therefore reads an unrelated address, and the final `+ 0x68` is
// scaled again.  The x64 branch has the same problem with 0xD0.
// NOTE(review): the function returns the computed address, never the flag value,
// so the caller's `== 0x70` compares an address with a small integer.
// NOTE(review): 0xD0 is used as the x64 offset; check it against the PEB layout of
// the targeted Windows build (NtGlobalFlag is commonly quoted at 0xBC on x64).
// Returns: the computed address cast to DWORD_PTR *.
DWORD_PTR *GetNtGlobalFlags( )
{
DWORD_PTR *NtGlobalFlags;
#ifdef _M_IX86
DWORD_PTR *PEB = ( DWORD_PTR * ) __readfsdword( 0x30 ) + 0x68;
NtGlobalFlags = ( DWORD_PTR * ) *PEB + 0x68;
#elif _M_X64
DWORD_PTR *PEB = ( DWORD_PTR * ) __readgsqword( 0x60 ) + 0xD0;
NtGlobalFlags = ( DWORD_PTR * ) *PEB + 0xD0;
#endif
return( ( DWORD_PTR * ) NtGlobalFlags );
}
// Intended to read the process heap's Flags / ForceFlags via the PEB; antiDebug()
// compares the result against fixed thresholds.
// NOTE(review): `&HeapFlags + 0x18` takes the address of the local variable itself,
// so the two dereferences walk this function's stack frame, not the PEB — the
// returned value is whatever happens to lie there.  The x64 branch does the same.
// NOTE(review): HeapFlags is declared DWORD * but assigned DWORD_PTR * casts; on
// x64 those are different pointer types, so that branch is unlikely to compile as
// C++ without a further cast.
// Returns: the last value read, cast to DWORD_PTR *.
DWORD_PTR *GetHeapFlags( )
{
DWORD *HeapFlags;
#ifdef _M_IX86
HeapFlags = ( DWORD_PTR * ) __readfsdword( 0x30 );
HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x18 );
HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x10 );
#elif _M_X64
HeapFlags = ( DWORD_PTR * ) __readgsqword( 0x60 );
HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x30 );
HeapFlags = ( DWORD_PTR * ) *( &HeapFlags + 0x20 );
#endif
return ( ( DWORD_PTR * ) HeapFlags );
}
// Vectored (first-chance) exception handler registered by antiDebug().  Every
// exception that reaches it is counted in countExceptions and the instruction
// pointer is advanced by a fixed width; WinMain() later checks the count.
// NOTE(review): ContextRecord->Eax exists only in the 32-bit CONTEXT and this line
// is not inside the #ifdef, so the handler does not build for _M_X64 as written.
// NOTE(review): SetUnhandledExceptionFilter() is handed whatever EAX held at the
// time of the exception — presumably meant to restore a previous filter, but
// nothing here guarantees EAX still holds one; verify.
// NOTE(review): EXCEPTION_EXECUTE_HANDLER is not one of the two values a vectored
// handler is documented to return (CONTINUE_EXECUTION / CONTINUE_SEARCH); confirm
// how the dispatcher treats it for the pre-DebugBreakBit exception.
// Returns: EXCEPTION_CONTINUE_EXECUTION once antiDebug() has set DebugBreakBit,
// otherwise EXCEPTION_EXECUTE_HANDLER.
LONG WINAPI vehCheck( PEXCEPTION_POINTERS pExecpPointers )
{
SetUnhandledExceptionFilter( ( LPTOP_LEVEL_EXCEPTION_FILTER ) pExecpPointers->ContextRecord->Eax );
#ifdef _M_IX86
// Fixed skip of 2 bytes (x86) / 4 bytes (x64).
// NOTE(review): this assumes a particular encoding of the code following each
// deliberate breakpoint; check against a disassembly of the shipped binary.
pExecpPointers->ContextRecord->Eip += 2;
#elif _M_X64
pExecpPointers->ContextRecord->Rip += 4;
#endif
countExceptions++;   // WinMain() expects exactly 3 by the end of antiDebug()
if( DebugBreakBit == 1 )
return( EXCEPTION_CONTINUE_EXECUTION );
else
return( EXCEPTION_EXECUTE_HANDLER );
}
// Terminates the process after telling the user a debugger was detected.
// Called from every failed check; it never returns because ExitProcess() does not.
//   exitCode: value handed to ExitProcess().  Callers pass large unsigned literals
//             (e.g. 0xFFFFFFFE) that are narrowed to int on the way in.
// NOTE(review): input is blocked before the message box appears and is never
// unblocked here, so the user may be unable to dismiss the dialog — confirm intended.
void pseudoExit( int exitCode )
{
    BlockInput( TRUE );
    MessageBox( NULL, "Please close all active debuggers, and relaunch the application.", "Fatal Error", MB_OK );
    ExitProcess( exitCode );
}
// Counts how many of the calling thread's hardware breakpoint address registers
// Dr0..Dr3 are non-zero.  Exits through pseudoExit() if the context cannot be read.
// Only Dr0..Dr3 are inspected; Dr7 (the enable bits) is not consulted, so a stale
// but disabled address still counts.
// Returns: number of non-zero registers among Dr0..Dr3 (0..4).
unsigned int GetDebugRegisters( )
{
    CONTEXT ctx = { 0 };
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;   // request only the debug-register part
    if( !GetThreadContext( GetCurrentThread( ), &ctx ) )
        pseudoExit( 0x789DABCF );

    const DWORD_PTR addrRegs[ 4 ] = { ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3 };
    unsigned int armed = 0;
    for( size_t k = 0; k < 4; k++ )
        armed += ( addrRegs[ k ] != 0 );
    return armed;
}
// Top-level (unhandled) exception filter installed by antiDebug() right before its
// deliberate NULL write.  Being reached at all is taken as "no debugger": a
// debugger normally receives the unhandled exception before this filter does, so
// antiDebug() exits if DebugBit is still 0 afterwards.
// NOTE(review): ContextRecord->Eax exists only in the 32-bit CONTEXT and this line
// is outside the #ifdef, so the filter does not build for _M_X64 as written.
// NOTE(review): the filter reinstalls whatever EAX held at the fault — presumably
// the previous filter returned by SetUnhandledExceptionFilter() — but nothing
// guarantees EAX survived the faulting store; verify with a disassembly.
// NOTE(review): the fixed 2/4-byte skip assumes a particular encoding of the
// faulting store; check it the same way.
// Returns: EXCEPTION_CONTINUE_EXECUTION after marking DebugBit.
LONG WINAPI suefDebugCheck( struct _EXCEPTION_POINTERS *excInfo ) {
DebugBit = 1;   // "filter reached" — antiDebug() treats 0 here as a debugger having taken the fault
SetUnhandledExceptionFilter( ( LPTOP_LEVEL_EXCEPTION_FILTER ) excInfo->ContextRecord->Eax );
#ifdef _M_IX86
excInfo->ContextRecord->Eip += 2;
#elif _M_X64
excInfo->ContextRecord->Rip += 4;
#endif
return( EXCEPTION_CONTINUE_EXECUTION );
}
// Runs the anti-debugging checks one after another.  Every failed check calls
// pseudoExit(), which terminates the process, so returning means none fired.
// Side effects: installs suefDebugCheck() as top-level filter, registers vehCheck()
// as a vectored handler (kept in vehPtr so WinMain() can remove it), and writes
// DebugBit / DebugBreakBit.  Build notes: needs MSVC (__read*, __asm, __emit), and
// catch( ... ) intercepts the hardware exceptions used below only under /EHa.
// NOTE(review): none of the GetProcAddress() results below is NULL-checked before
// being called.
void __inline antiDebug( void )
{
DWORD beginTime = GetTickCount( );   // baseline for the timing check at the end
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize = sizeof( OSVERSIONINFO );
GetVersionEx( &osvi );   // return value not checked; dwMajorVersion is read below either way
// Deliberate NULL write.  Without a debugger the access violation reaches the
// top-level filter suefDebugCheck(), which sets DebugBit and resumes execution; a
// debugger normally takes the exception instead and DebugBit stays 0.
SetUnhandledExceptionFilter( suefDebugCheck );
DWORD_PTR *forceError = 0x00000000;
*forceError = 0;
if( DebugBit == 0 )
pseudoExit( 0x99673135 );
// First-chance handler for the breakpoints raised further down (see vehCheck()).
vehPtr = AddVectoredExceptionHandler( 1, ( PVECTORED_EXCEPTION_HANDLER ) vehCheck );
// Heap-flag thresholds.  NOTE(review): GetHeapFlags() as written reads its own
// stack frame, not the PEB, so these pointer-vs-integer comparisons test an
// arbitrary value.
if( osvi.dwMajorVersion >= 6 )
{
if( GetHeapFlags( ) > ( void * ) 0x00800000 )
pseudoExit( 0xFFFF0000 );
}
if( GetHeapFlags( ) > ( void * ) 0x10000000 )
pseudoExit( 0xFFFFFFFE );
// PEB.BeingDebugged, read as a packed word that must equal exactly 0x00010000.
if( GetBeingDebugged( ) == ( void * ) 0x00010000 )
pseudoExit( 0x04012AD0 );
// NOTE(review): GetNtGlobalFlags() returns an address rather than the flag value,
// so equality with 0x70 is not expected to hold even when the heap-debug flags are set.
if( GetNtGlobalFlags( ) == ( void * ) 0x00000070 )
pseudoExit( 0x0F6E1A44 );
if( IsDebuggerPresent( ) != 0 )
pseudoExit( 0x21473361 );
// DebugBit doubles as the BOOL out-parameter here; its earlier value is overwritten.
CheckRemoteDebuggerPresent( GetCurrentProcess( ), ( PBOOL ) &DebugBit );
if( DebugBit != 0 )
pseudoExit( 0xC0000005 );
#ifdef _M_IX86
// NOTE(review): PUSH SS / POP SS is normally paired with a trap-flag check on the
// following instruction; nothing here inspects the result, so this block is inert.
__asm
{
PUSH SS
POP SS
MOV EAX, 0
XOR EDX, EDX
}
#endif
// Windows NT 5.X or earlier features
// Last-error probe around OutputDebugString(): the value is seeded and treated as
// a hit if it survives the call unchanged (presumably because a debugger consumed
// the string and no error was set — verify on the targeted OS).
if( osvi.dwMajorVersion < 6 )
{
SetLastError( 0xC0000005 );
OutputDebugString( "%s%s" );
if( GetLastError( ) == 0xC0000005 )
pseudoExit( 0x5148234F );
}
else
{
// Vista+: an exception surfacing from the call is recorded in DebugBit; it is
// only acted on by the x86 block below and by WinMain().
try {
OutputDebugString( "%s%s" );
}
catch( ... )
{
DebugBit = TRUE;
}
}
// Verifies if SeDebugPrivilege is given
// Being able to open csrss with full access is taken to mean the process holds
// SeDebugPrivilege.  The handle is not closed, but pseudoExit() ends the process
// on that path anyway.
typedef DWORD_PTR ( NTAPI *CGPID )( );
CGPID CsrGetProcessId = ( CGPID ) GetProcAddress( GetModuleHandle( "ntdll.dll" ), "CsrGetProcessId" );
if( OpenProcess( PROCESS_ALL_ACCESS, FALSE, CsrGetProcessId( ) ) > 0 )
pseudoExit( 0xFF41ECAB );
// End experimental trick
#ifdef _M_IX86
// Emits F3 64 F1 (F1 is the ICEBP / int1 trap).  vehCheck() sees the exception
// first with DebugBreakBit still 0; if it propagates back to this catch, DebugBit
// is cleared.  The exit below therefore fires only when DebugBit was still TRUE
// from an earlier check and the trap never returned here.
try {
__asm {
__emit 0xF3;
__emit 0x64;
__emit 0xF1;
};
}
catch ( ... ) {
DebugBit = FALSE;
}
if( DebugBit == TRUE )
pseudoExit( 0xAAAAAAAC );
#endif
if( GetDebugRegisters( ) > 0 )
pseudoExit( 0x29342180 );
// Requires admin access
// NOTE(review): information class 0x11 (ThreadHideFromDebugger) takes a *thread*
// handle; GetCurrentProcess() is a process pseudo-handle and the NTSTATUS is
// discarded, so this call most likely fails silently — verify.
typedef NTSTATUS ( NTAPI *NSIT )( HANDLE, UINT, PVOID, ULONG );
NSIT NtSetInformationThread = ( NSIT )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtSetInformationThread" );
NtSetInformationThread( GetCurrentProcess( ), 0x11, 0, 0 );
// End required admin access
// Invalid-handle probe: closing a bad handle raises an exception only while a
// debugger is attached.  NOTE(review): ( HANDLE ) -1 is the current-process
// pseudo-handle rather than an invalid one — confirm it actually triggers the check.
try {
CloseHandle( ( HANDLE ) -1 );
}
catch( ... ) {
pseudoExit( 0x00000006 );
}
// Two deliberate breakpoints.  With DebugBreakBit set, vehCheck() resumes past each
// one and counts it (WinMain() expects the total to be 3).
DebugBreakBit = 1;
__debugbreak();
DebugBreak( );
// NOTE(review): this exits when *no* tick elapsed since entry, the opposite of the
// usual "too slow, probably stepped" heuristic — confirm the intended direction.
if( GetTickCount( ) == beginTime )
pseudoExit( 0xD000BE05 );
// ProcessDebugPort (0x7) and ProcessDebugObjectHandle (0x1E).
// NOTE(review): both values are pointer-sized on x64, so the 4-byte buffer would
// likely make the call fail with a length mismatch; the NTSTATUS is not checked,
// so returnValue stays 0 and both checks pass silently there.
typedef NTSTATUS ( WINAPI *NQIP )( HANDLE, LONG, PVOID, ULONG, PULONG );
NQIP NtQueryInformationProcess = ( NQIP )GetProcAddress( GetModuleHandle( "ntdll.dll" ), "NtQueryInformationProcess" );
int returnValue = 0;
NtQueryInformationProcess( GetCurrentProcess( ), 0x7, &returnValue, 4, 0 );
if( returnValue != 0 )
pseudoExit( 0xCCCCCCCC );
NtQueryInformationProcess( GetCurrentProcess( ), 0x1E, &returnValue, 4, 0 );
if( returnValue != 0 )
pseudoExit( 0xEFEFEFEF );
}
// Entry point: runs the checks, then verifies that exactly three exceptions were
// routed through vehCheck() before showing the success dialog.  The standard
// WinMain parameters are unused.
// NOTE(review): on x64 the __emit block in antiDebug() is compiled out, so fewer
// exceptions reach vehCheck() and the `!= 3` test would fail there — confirm the
// expected count per architecture.
// NOTE(review): catch( ... ) only intercepts hardware exceptions under /EHa.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
// Begin anti-debug..
antiDebug( );
if( DebugBit == 1 )
pseudoExit( 0xFFFFFFFF );
try {
// Unregister the first-chance handler before inspecting the count it maintained.
RemoveVectoredExceptionHandler( vehPtr );
if( countExceptions != 3 )
pseudoExit( 0x21522153 );
}
catch( ... )
{
pseudoExit( 0x55235151 );
}
// End anti-debug
MessageBox( 0, "Debugger not found.", "Success?", MB_OK );
return( EXIT_SUCCESS );
}