Code:
bool DisableBeingDebuggedFlag(HANDLE thread)
{
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_SEGMENTS;
if (!GetThreadContext(thread, &ctx))
{
error(FF "GetThreadContext(0x%08X)", FL, thread);
return false;
}
LDT_ENTRY sel;
if (!GetThreadSelectorEntry(thread, ctx.SegFs, &sel))
{
error(FF "GetThreadSelectorEntry(0x%08X)", FL, thread);
return false;
}
DWORD fsbase = (sel.HighWord.Bytes.BaseHi << 8| sel.HighWord.Bytes.BaseMid) << 16 | sel.BaseLow;
DWORD RVApeb;
SIZE_T numread;
if (!ReadProcessMemory(hproc, (LPCVOID)(fsbase + 0x30), &RVApeb, 4, &numread) || numread != 4)
{
error(FF "ReadProcessMemory(0x%08X, 0x%08X, 0x%08X, ...)", FL,
hproc, (fsbase + 0x30), &RVApeb);
return false;
}
WORD beingDebugged;
if (!ReadProcessMemory(hproc, (LPCVOID)(RVApeb + 2), &beingDebugged, 2, &numread) || numread != 2)
{
error(FF "ReadProcessMemory(0x%08X, 0x%08X, 0x%08X, ...)", FL,
hproc, RVApeb, &beingDebugged);
return false;
}
beingDebugged = 0;
if (!WriteProcessMemory(hproc, (LPVOID)(RVApeb + 2), &beingDebugged, 2, &numread) || numread != 2)
{
error(FF "ReadProcessMemory(0x%08X, 0x%08X, 0x%08X, ...)", FL,
hproc, RVApeb, &beingDebugged);
return false;
}
return true;
}
btw.... Shub-Nigurrath, is this needed for speed optimization or what ?:PPP