Debugger STOP command PowerBASIC Peer Support Community (original) (raw)
' Detect Live DebugObjects.bas
' Get number of live DebugObjects on system (global debugger count)
' Tested and was able to detect Ollydbg , X32dbg and WinDbg
' However these debuggers must open this program and run it before it
' gets detected.
#COMPILE EXE
' Win32 API declarations, then the debug-object probe defined in the
' Detect_LiveDbg.inc listing (Chk_LiveDebuggers / LiveDebugObjectCount).
#INCLUDE "win32api.inc"
#INCLUDE "Detect_LiveDbg.inc"
'==================================
FUNCTION PBMAIN () AS LONG
    ' Entry point: run the live-debugger probe and display the resulting count.
    ' liveDbgCount is filled in BYREF by Chk_LiveDebuggers (0 when nothing was found
    ' or the probe could not run).
    LOCAL liveDbgCount AS LONG

    CALL Chk_LiveDebuggers(liveDbgCount)
    ? " No. of live debugger objects : " + STR$(liveDbgCount)
END FUNCTION
' Detect_LiveDbg.inc
' Ability to get the number of live DebugObjects on system (global debugger count)
' Tested and was able to detect Ollydbg , X32dbg and WinDbg
' However these debuggers must open this test program and run it before the
' debugger can get detected.
' Information class passed to NtQueryObject: fills the caller's buffer with the
' statistics of the handle's object type (consumed here as
' PUBLIC_OBJECT_TYPE_INFORMATION, see below).
%ObjectTypeInformation = 2
' DesiredAccess for NtCreateDebugObject: STANDARD_RIGHTS_REQUIRED OR SYNCHRONIZE
' plus the four DEBUG_* specific rights in the low nibble.
%DEBUG_ALL_ACCESS = &h001F000F
' 32-bit OBJECT_ATTRIBUTES (6 x 4 bytes). LiveDebugObjectCount() only fills in
' Length; the remaining members stay zero (no name, no root directory,
' no security descriptor).
TYPE LSA_OBJECT_ATTRIBUTES
    Length AS LONG                    ' set to SIZEOF(LSA_OBJECT_ATTRIBUTES) by the caller
    RootDirectory AS LONG             ' HANDLE
    ObjectName AS LONG                ' PUNICODE_STRING
    Attributes AS LONG
    SecurityDescriptor AS LONG        ' PSECURITY_DESCRIPTOR
    SecurityQualityOfService AS LONG  ' PSECURITY_QUALITY_OF_SERVICE
END TYPE
' Native UNICODE_STRING. WORD alignment keeps the two USHORT counters packed
' ahead of the 4-byte Buffer pointer, matching the kernel layout.
TYPE UNICODE_STRING WORD
    Length AS WORD            ' USHORT Length (in bytes, not characters)
    MaximumLength AS WORD     ' USHORT MaximumLength
    Buffer AS WSTRINGZ PTR    ' PWSTR Buffer
END TYPE
' Receive buffer for NtQueryObject(%ObjectTypeInformation). The type-name
' characters are presumably written after the fixed part, which is why Reserved
' pads the structure out (61 DWORDs) - see the original author's note below.
' NOTE(review): the OBJECT_TYPE_INFORMATION layout published in ReactOS/phnt
' lists TotalNumberOfObjects BEFORE TotalNumberOfHandles; confirm which counter
' the offset used here actually reads. For a freshly created object both are 1,
' so the "no debugger" case behaves the same either way.
TYPE PUBLIC_OBJECT_TYPE_INFORMATION DWORD
    TypeName AS UNICODE_STRING
    TotalNumberOfHandles AS DWORD
    TotalNumberOfObjects AS DWORD
    Reserved(60) AS DWORD  '// must be big enough or NtQueryObject returns C0000005
END TYPE
' Native (ntdll) API imports. These are not part of the documented Win32 surface;
' their signatures may differ between Windows releases.

' Releases a kernel handle; returns NTSTATUS (declared AS LONG, so >= 0 is success).
DECLARE FUNCTION NtClose LIB "ntdll.dll" ALIAS "NtClose" (BYVAL hndl AS DWORD) AS LONG

' Queries information about a handle's object. funcnum is the information class
' (%ObjectTypeInformation here); lpData/datalen describe the receive buffer.
' The last parameter is the optional ReturnLength pointer, declared BYVAL so the
' caller can pass 0 (NULL). NOTE: the NTSTATUS is declared AS DWORD, so a test
' such as "NtQueryObject(...) >= 0" is always true; check the sign bit instead.
DECLARE FUNCTION NtQueryObject LIB "ntdll.dll" ALIAS "NtQueryObject" _
    (BYVAL hndl AS DWORD, BYVAL funcnum AS DWORD, BYVAL lpData AS DWORD, _
     BYVAL datalen AS DWORD, BYVAL num_bytes_for_function AS DWORD) AS DWORD

' Creates a debug object and returns its handle in DebugHandle. The last
' parameter is the Flags argument (the probe passes 0). Returns NTSTATUS AS LONG.
DECLARE FUNCTION NtCreateDebugObject LIB "ntdll.dll" ALIAS "NtCreateDebugObject" ( _
    BYREF DebugHandle AS LONG, BYVAL DesiredAccess AS LONG, _
    BYREF ObjectAttributes AS LSA_OBJECT_ATTRIBUTES, _
    BYVAL KillProcOnExit AS LONG) AS LONG
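'====================
SUB Chk_LiveDebuggers( BYREF FlgLdbg AS LONG)
    ' Translates the raw DebugObject count into a caller-facing flag:
    '   0  - no debug objects other than the probe's own, or the probe could not run
    '   >0 - number of debug objects that exist besides the one the probe created
    '
    ' LiveDebugObjectCount() returns LONG and uses -1 as its error sentinel, so the
    ' local must be LONG as well. The previous DWORD local turned -1 into
    ' 4294967295: "CASE -1" never matched and CASE ELSE produced a garbage count.
    LOCAL lDbgObjCnt AS LONG
    lDbgObjCnt = LiveDebugObjectCount()

    SELECT CASE lDbgObjCnt
        CASE 1
            ' "No active debug objects" - only the probe's own object exists
            FlgLdbg = 0
        CASE -1
            ' "Unexpected error, CreateDebugObject failed"
            FlgLdbg = 0
        CASE 0
            ' "Should never happen unless of anti-anti-debug tool"
            ' set to 1 as conservative assuming such a tool exist
            FlgLdbg = 1
        CASE ELSE
            ' "There are currently " & FORMAT$(lDbgObjCnt-1) & " active debug objects"
            ' Subtract the object created by the probe itself.
            FlgLdbg = lDbgObjCnt - 1
    END SELECT
END SUB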
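'================================
FUNCTION LiveDebugObjectCount() AS LONG
    ' Creates a throw-away debug object and reads the type-wide statistics for the
    ' DebugObject type via NtQueryObject(%ObjectTypeInformation).
    ' Returns objinfo.TotalNumberOfObjects (this includes the object created here,
    ' so 1 means no other debug objects exist), or -1 when either native call fails.
    ' Returning -1 on a failed query (instead of the zero-initialised field) keeps
    ' the caller from mistaking an error for tampering.
    LOCAL hdebugObject AS DWORD
    LOCAL objattr AS LSA_OBJECT_ATTRIBUTES
    LOCAL objinfo AS PUBLIC_OBJECT_TYPE_INFORMATION
    LOCAL ntStatus AS DWORD

    objattr.Length = SIZEOF(LSA_OBJECT_ATTRIBUTES)

    ' NtCreateDebugObject is declared AS LONG, so a signed test matches NT_SUCCESS.
    IF NtCreateDebugObject(BYREF hdebugObject, %DEBUG_ALL_ACCESS, objattr, 0) < 0 THEN
        FUNCTION = -1
        EXIT FUNCTION
    END IF

    ' NtQueryObject is declared AS DWORD: an unsigned value is never < 0, so the
    ' old ">= 0" check could not detect failure. NT_SUCCESS is equivalent to the
    ' severity bit being clear, i.e. status <= &H7FFFFFFF.
    ntStatus = NtQueryObject(BYVAL hdebugObject, %ObjectTypeInformation, _
                             VARPTR(objinfo), SIZEOF(objinfo), 0)
    IF ntStatus <= &H7FFFFFFF THEN
        FUNCTION = objinfo.TotalNumberOfObjects
    ELSE
        FUNCTION = -1
    END IF

    ' Always release the handle we created, whether or not the query succeeded.
    NtClose (BYVAL hdebugObject)
END FUNCTION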