Create IsCreateProcessDebugEventCodeSet.cpp

Anti-Debug/IsCreateProcessDebugEventCodeSet.cpp

@@ -0,0 +1,31 @@
+/*
+
+When the CREATE_PROCESS_DEBUG_EVENT event occurs, the handle of the debugged file is stored in 
+the CREATE_PROCESS_DEBUG_INFO structure. Therefore, debuggers can read the debug information 
+from this file. If this handle is not closed by the debugger, the file won’t be opened with 
+exclusive access. Some debuggers can forget to close the handle.
+
+This trick uses kernel32!CreateFileW() (or kernel32!CreateFileA()) to exclusively open the 
+file of the current process. If the call fails, we can consider that the current process is being 
+run in the presence of a debugger.
+
+Credit: Checkpoint Research
+*/
+
+BOOL IsCreateProcessDebugEventCodeSet(VOID)
+{
+	WCHAR FilePath[MAX_PATH * sizeof(WCHAR)] = { 0 };
+	HANDLE hHandle = INVALID_HANDLE_VALUE;
+
+	if (GetInMemoryModulePathFromProcessParametersW((MAX_PATH * sizeof(WCHAR)), FilePath) == 0)
+		return FALSE;
+
+	hHandle = CreateFileW(FilePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
+	if (hHandle == INVALID_HANDLE_VALUE)
+		return TRUE;
+
+	if (hHandle)
+		CloseHandle(hHandle);
+
+	return FALSE;
+}