Mirrors/vxug-VXAPI
6
0
Fork 0
mirror of https://github.com/vxunderground/VX-API synced 2024-06-28 17:51:16 +00:00
Code Issues Projects Releases Wiki Activity
e200726ca0
vxug-VXAPI/Anti-Debug/AdfIsCreateProcessDebugEventCodeSet.cpp

32 lines
1.0 KiB
C++
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
When the CREATE_PROCESS_DEBUG_EVENT event occurs, the handle of the debugged file is stored in
the CREATE_PROCESS_DEBUG_INFO structure. Therefore, debuggers can read the debug information
from this file. If this handle is not closed by the debugger, the file wont be opened with
exclusive access. Some debuggers can forget to close the handle.
This trick uses kernel32!CreateFileW() (or kernel32!CreateFileA()) to exclusively open the
file of the current process. If the call fails, we can consider that the current process is being
run in the presence of a debugger.
Credit: Checkpoint Research
*/
BOOL AdfIsCreateProcessDebugEventCodeSet(VOID)
{
WCHAR FilePath[MAX_PATH * sizeof(WCHAR)] = { 0 };
HANDLE hHandle = INVALID_HANDLE_VALUE;
if (GetInMemoryModulePathFromProcessParametersW((MAX_PATH * sizeof(WCHAR)), FilePath) == 0)
return FALSE;
hHandle = CreateFileW(FilePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, 0);
if (hHandle == INVALID_HANDLE_VALUE)
return TRUE;
if (hHandle)
CloseHandle(hHandle);
return FALSE;
}
Reference in New Issue View Git Blame Copy Permalink