Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Unseen Debugger Detection (Ollydbg)
Register Forum Rules FAQ Calendar

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #8  
Old 09-29-2005, 10:46
upb's Avatar
upb upb is offline
Friend
  
Join Date: Apr 2002
Location: Elbonia
Posts: 63
Rept. Given: 5
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 0 Times in 0 Posts
upb Reputation: 0
yo
LPVOID AddrZwQueryInformationProcess = (LPVOID)-1;
BYTE SavedByteZwQueryInformationProcess = 0;

bool DisableZwQueryInformationProcessDebugPort(void)
{
DWORD numread;
BYTE bFE = 0xFE;
HMODULE ntdll = GetModuleHandle("ntdll.dll");
AddrZwQueryInformationProcess = GetProcAddress(ntdll, "NtQueryInformationProcess");
ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);
return true;
}

bool ZwQueryInformationProcessTracer(DEBUG_EVENT evt)
{
DWORD numread;
BYTE bFE = 0xFE;

ReadProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &bFE, 1, &numread);

return false; // end trace
}


in debug loop:
if (evt.u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_ILLEGAL_INSTRUCTION &&
evt.u.Exception.ExceptionRecord.ExceptionAddress == AddrZwQueryInformationProcess)
{
hthread = ThreadIdToHandle(evt.dwThreadId);

DWORD stack[6];
DWORD numread;
ReadProcessMemory(hproc, (LPVOID)ctx.Esp, &stack, sizeof(DWORD) * 6, &numread);
MsgBoxF("ZwQueryInformationProcess trapped >%08X (%08X, %08X, %08X)", stack[0], stack[1], stack[2], stack[3]);
if (stack[2] == 7)
{
DWORD d0 = 0;
WriteProcessMemory(hproc, (LPVOID)stack[3], &d0, 1, &numread);
d0 = ctx.Esp - 4 * 3;
WriteProcessMemory(hproc, (LPVOID)(ctx.Esp + 3 * 4), &d0, sizeof(DWORD), &numread);
}
WriteProcessMemory(hproc, AddrZwQueryInformationProcess, &SavedByteZwQueryInformationProcess, 1, &numread);
StartTrace(hthread, ZwQueryInformationProcessTracer);
ContinueStatus = DBG_CONTINUE;
} else

// note: plz do not rip this code 1:1 into any pulumbium tutorials
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
New OllyDbg detection by Armadillo? Maltese General Discussion 1 07-05-2005 11:14
Another way to detect OllyDbg and another debugger TQN General Discussion 2 08-03-2004 09:12


All times are GMT +8. The time now is 21:27.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )