Last active
February 15, 2016 12:11
-
-
Save OsandaMalith/a257e27363aeddb9afa0 to your computer and use it in GitHub Desktop.
Checking if the process is being debugged using by a ring3 debugger using the kernel mode ZwQueryInformationProcess API
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .386 | |
| .model flat, stdcall | |
| option casemap :none | |
| ; »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» | |
| ; Title: Checking if the process is being debugged by a ring3 debugger | |
| ; using the kernel mode ZwQueryInformationProcess API | |
| ; | |
| ; Author: Osanda Malith Jayathissa (@OsandaMalith) | |
| ; ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««« | |
| include windows.inc | |
| include user32.inc | |
| include kernel32.inc | |
| includelib user32.lib | |
| includelib kernel32.lib | |
| .data | |
| Caption db "Status:", 0h | |
| NotFound db "Debugger not found!", 0h | |
| Found db "Debugger found!", 0h | |
| ntdll db "ntdll.dll", 0h | |
| ZwIP db "ZwQueryInformationProcess", 0h | |
| MinusOne dd -1 | |
| .data? | |
| NtAddr dd ? | |
| .code | |
| start: | |
| invoke LoadLibrary, offset ntdll | |
| invoke GetProcAddress, eax, offset ZwIP | |
| mov [NtAddr], eax | |
| mov eax, offset MinusOne | |
| push eax | |
| mov ebx, dword ptr esp | |
| push 0 | |
| push 4 | |
| push ebx | |
| push 7 | |
| push dword ptr[eax] | |
| call [NtAddr] | |
| .if dword ptr [esp] == -1 | |
| invoke MessageBox, 0, offset Found, offset Caption, MB_ICONERROR + MB_OK | |
| .elseif | |
| invoke MessageBox, 0, offset NotFound, offset Caption, MB_ICONINFORMATION + MB_OK | |
| .endif | |
| invoke ExitProcess, 1 | |
| end start |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment