Create IsCreateProcessDebugEventCodeSet.cpp
This commit is contained in:
parent
15f3a59d17
commit
6f45f7b538
31
Anti-Debug/IsCreateProcessDebugEventCodeSet.cpp
Normal file
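--- /dev/null
+++ b/Anti-Debug/IsCreateProcessDebugEventCodeSet.cpp
@@ -0,0 +1,31 @@
+/*
+
+When the CREATE_PROCESS_DEBUG_EVENT event occurs, the handle of the debugged file is stored in
+the CREATE_PROCESS_DEBUG_INFO structure. Therefore, debuggers can read the debug information
+from this file. If this handle is not closed by the debugger, the file won’t be opened with
+exclusive access. Some debuggers can forget to close the handle.
+
+This trick uses kernel32!CreateFileW() (or kernel32!CreateFileA()) to exclusively open the
+file of the current process. If the call fails, we can consider that the current process is being
+run in the presence of a debugger.
+
+Credit: Checkpoint Research
+
+*/
+
+BOOL IsCreateProcessDebugEventCodeSet(VOID)
+{
+WCHAR FilePath[MAX_PATH * sizeof(WCHAR)] = { 0 };
+HANDLE hHandle = INVALID_HANDLE_VALUE;
+
+if (GetInMemoryModulePathFromProcessParametersW((MAX_PATH * sizeof(WCHAR)), FilePath) == 0)
+return FALSE;
+
+hHandle = CreateFileW(FilePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
+if (hHandle == INVALID_HANDLE_VALUE)
+return TRUE;
+
+if (hHandle)
+CloseHandle(hHandle);
+
+return FALSE;
+}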
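Review bot: The INVALID_HANDLE_VALUE branch after the CreateFileW call reports a debugger for any failure, not only the sharing conflict the header comment describes, so an AV/EDR scanner, backup agent or indexer that happens to hold the image open, or an ACL that denies read, yields the same TRUE. Narrowing the verdict to the documented signal removes those false positives: `if (hHandle == INVALID_HANDLE_VALUE) return (GetLastError() == ERROR_SHARING_VIOLATION) ? TRUE : FALSE;`. The later `if (hHandle)` guard is redundant once INVALID_HANDLE_VALUE has been excluded, since CreateFileW does not return NULL; `CloseHandle(hHandle);` alone is enough. `FilePath` is declared with `MAX_PATH * sizeof(WCHAR)` WCHAR elements while the same product is passed as the size to GetInMemoryModulePathFromProcessParametersW, whose unit (characters or bytes) is not visible in this file — if it counts characters the array is twice what is advertised, which is harmless but deserves a comment, and if it counts bytes the two agree. The header comment should also state the limitation that a debugger which closes hFile after CREATE_PROCESS_DEBUG_EVENT is not detected by this check.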