
Commit 6942572

committed
Update antidebug.cpp
1 parent 2a0631c commit 6942572


1 file changed

+21
-5
lines changed


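--- a/antidebug.cpp
+++ b/antidebug.cpp
@@ -6,9 +6,11 @@
 //
 
 #define ADD_ANTI_DEBUG_OPTION(name, default_enabled, callback) AntiDebug::AntiDebugOption(name, default_enabled, AntiDebug::callback)
+#define ProcessDebugHandle 30
 
-using TNtQueryInformationProcess = NTSTATUS(WINAPI*)(HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
-using TNtQuerySystemInformation = NTSTATUS(WINAPI*)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+using TNtQueryInformationProcess = NTSTATUS(__stdcall*)(HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
+using TNtQuerySystemInformation = NTSTATUS(__stdcall*)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+using TNtQueryObject = NTSTATUS(__stdcall*)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);
 
 typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
 {
@@ -75,6 +77,20 @@ TNtQuerySystemInformation getNtQuerySystemInformation()
 return nt_query;
 }
 
+TNtQueryObject getNtQueryObject()
+{
+static TNtQueryObject nt_query{};
+
+if (!nt_query)
+{
+HMODULE h_ntdll{ GetModuleHandleA("ntdll.dll") };
+if (h_ntdll)
+nt_query = reinterpret_cast<TNtQueryObject>(GetProcAddress(h_ntdll, "NtQueryObject"));
+}
+
+return nt_query;
+}
+
 //
 // [SECTION] Functions (Callbacks)
 //
@@ -125,7 +141,7 @@ void AntiDebug::callbackNtQueryInformationProcessProcessDebugFlags(AntiDebugOpti
 void AntiDebug::callbackNtQueryInformationProcessProcessDebugHandle(AntiDebugOption& option)
 {
 HANDLE debug_object{};
-if (NT_SUCCESS(getNtQueryInformationProcess()(GetCurrentProcess(), 30, &debug_object, sizeof(debug_object), nullptr)) && debug_object != 0)
+if (NT_SUCCESS(getNtQueryInformationProcess()(GetCurrentProcess(), ProcessDebugHandle, &debug_object, sizeof(debug_object), nullptr)) && debug_object != 0)
 option.detected = true;
 else
 option.detected = false;
@@ -168,7 +184,7 @@ void AntiDebug::callbackGetThreadContext(AntiDebugOption& option)
 {
 CONTEXT ctx{};
 ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
-option.detected = GetThreadContext(GetCurrentThread(), &ctx) && (ctx.Dr0 || ctx.Dr1 || ctx.Dr2 || ctx.Dr3);
+option.detected = (ctx.Dr0 != 0) || (ctx.Dr1 != 0) || (ctx.Dr2 != 0) || (ctx.Dr3 != 0) || (ctx.Dr6 != 0) || (ctx.Dr7 & 0xFF);
 }
 
 // By kenanwastaken, some turkish kid (unable to make PRs)
@@ -207,4 +223,4 @@ void AntiDebug::callbackDbgPrint(AntiDebugOption& option)
 {
 option.detected = false;
 }
-}
+}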
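Review bot: callbackGetThreadContext in the fourth hunk no longer calls GetThreadContext, so `ctx` keeps the zero state from `CONTEXT ctx{}` and the Dr0–Dr7 expression on new line 187 can never be true — the hardware-breakpoint check is silently disabled rather than extended. Keep the call and fail closed before the test, `if (!GetThreadContext(GetCurrentThread(), &ctx)) { option.detected = false; return; }`, so the existing `option.detected = (ctx.Dr0 != 0) || ...` line reads real register state. A reader should also not have to guess what `0xFF` selects in `(ctx.Dr7 & 0xFF)`; a comment such as `// L0..G3 local/global enable bits` would make the intent explicit. In the first hunk, `#define ProcessDebugHandle 30` is a textual macro visible to every later include; `constexpr DWORD ProcessDebugHandle{30};` gives it a type and scope and avoids clashing with any header that happens to declare a PROCESSINFOCLASS enumerator of the same name.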
