Jo Hyun-Suk evernick
evernick
/ DirectPEB_ZwQueryInformationProcess.cpp
Created
June 18, 2015 09:14
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _WIN32_WINNT 0x0501 | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <Winternl.h> | |
| typedef DWORD (WINAPI *PFZWQUERYINFORMATIONPROCESS) ( | |
| HANDLE ProcessHandle, | |
| DWORD ProcessInformationClass, // Origianl : _PROCESS_INFORMATION_CLASS | |
| PVOID ProcessInformation, | |
| ULONG ProcessInformationLength, |
evernick
/ GetSystemTime.cpp
Created
June 18, 2015 09:08
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| BOOL anti_debug(SYSTEMTIME s_time1, FILETIME f_time1) | |
| { | |
| SYSTEMTIME s_time2; | |
| FILETIME f_time2; | |
| GetSystemTime(&s_time2); | |
| SystemTimeToFileTime(&s_time2, &f_time2); | |
| if ((f_time2.dwLowDateTime - f_time1.dwLowDateTime)/10000 > 1000) { |
evernick
/ timeGetTime.cpp
Created
June 18, 2015 09:06
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "winmm.lib") | |
| BOOL anti_debug(DWORD time1) | |
| { | |
| DWORD time2; | |
| time2 = timeGetTime(); | |
| if ((time2-time1) > 0x10) { | |
| return 1; |
evernick
/ GetTickCount.cpp
Created
June 18, 2015 09:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "winmm.lib") | |
| BOOL anti_debug(DWORD count1) | |
| { | |
| DWORD count2; | |
| count2 = GetTickCount(); | |
| if ((count2-count1) > 0x10) { | |
| return 1; | |
| } |
evernick
/ NtQueryPerformanceCounter.cpp
Created
June 18, 2015 09:02
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| BOOL anti_debug(LARGE_INTEGER cnt1) | |
| { | |
| LARGE_INTEGER cnt2; | |
| QueryPerformanceCounter (&cnt2); | |
| if ((cnt2.QuadPart-cnt1.QuadPart) > 0xFF) { | |
| return 1; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <intrin.h> | |
| BOOL anti_debug(unsigned __int64 cnt1) | |
| { | |
| unsigned __int64 cnt2; | |
| cnt2 = __rdtsc(); | |
| if ((cnt2-cnt1) > 0xFF) { | |
| return 1; | |
| } |
evernick
/ SelfDebugging_DebugActiveProcess.cpp
Created
June 18, 2015 08:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| void self_debug() | |
| { | |
| char result = FALSE; | |
| char szCmdLine[MAX_PATH]; | |
| char szCurrPath[MAX_PATH]; | |
| char pid_str[12]; |
evernick
/ BlockInput.cpp
Created
June 18, 2015 08:55
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <Winable.h> | |
| int main() | |
| { | |
| char str[100]; | |
| BlockInput(TRUE); | |
| printf("Input String: "); |
evernick
/ ParentProcess.cpp
Created
June 18, 2015 08:53
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <tlhelp32.h> | |
| #include <psapi.h> | |
| #pragma comment(lib, "psapi.lib") | |
| int GetProcssName(DWORD PID, char *buff, int size) | |
| { | |
| int len = 0; |
evernick
/ ZwQueryInformationProcess_ProcessDebugFlags.cpp
Created
June 18, 2015 08:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include<windows.h> | |
| #include<stdio.h> | |
| typedef DWORD (WINAPI *PFZWQUERYINFORMATIONPROCESS) ( | |
| HANDLE ProcessHandle, | |
| DWORD ProcessInformationClass, // Origianl : _PROCESS_INFORMATION_CLASS | |
| PVOID ProcessInformation, | |
| ULONG ProcessInformationLength, | |
| PULONG ReturnLength |