Skip to content

Instantly share code, notes, and snippets.

@OsandaMalith

OsandaMalith/ZwQueryInformationProcess.c

Last active February 24, 2016 16:02
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save OsandaMalith/b90ef42f7ebbb9e2648c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save OsandaMalith/b90ef42f7ebbb9e2648c to your computer and use it in GitHub Desktop.
Download ZIP
Checking if the process is being debugged using by a ring3 debugger using the kernel mode ZwQueryInformationProcess API
Raw
ZwQueryInformationProcess.c
#pragma hdrstop
#pragma argsused
#include <windows.h>
#include <tchar.h>
#include <stdio.h>
/* »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* Title: Checking if the process is being debugged using by a ring3 debugger
* using the kernel mode ZwQueryInformationProcess API
*
* Author: Osanda Malith Jayathissa (@OsandaMalith)
* ««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««««
*/
int _tmain(int argc, _TCHAR* argv[]) {
typedef unsigned long(__stdcall *pfnZwQueryInformationProcess)
(
IN HANDLE,
IN unsigned int,
OUT PVOID,
IN ULONG,
OUT PULONG
);
const int ProcessDbgPort = 7;
pfnZwQueryInformationProcess ZwQueryInfoProcess = NULL;
unsigned long Ret;
unsigned long IsRemotePresent = 0;
HMODULE hNtDll = LoadLibrary(_T("ntdll.dll"));
if (hNtDll == NULL) { }
ZwQueryInfoProcess = (pfnZwQueryInformationProcess) GetProcAddress(hNtDll,
"ZwQueryInformationProcess");
if (ZwQueryInfoProcess == NULL) { }
Ret = ZwQueryInfoProcess(GetCurrentProcess(), ProcessDbgPort,
&IsRemotePresent, sizeof(unsigned long), NULL);
if (Ret == 0x00000000 && IsRemotePresent != 0) {
MessageBox(NULL, "Debugger Found :p", "Status", 0);
ExitProcess(0);
}
else MessageBox(NULL, "Debugger Not Found :D", "Status", 0);
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment