#include "DLLMain.h"
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    // Loader entry point. This plugin keeps no per-process or per-thread state,
    // so every attach/detach notification is simply accepted.
    (void)hinstDLL;
    (void)fdwReason;
    (void)lpvReserved;
    return TRUE;
}
__declspec(dllexport) TCHAR* __cdecl PluginName(void)
{
    // Display name the host shows for this check. Kept in a static array so the
    // returned pointer stays valid for the lifetime of the DLL and no string
    // literal is handed out through a non-const pointer.
    static TCHAR szPluginName[] = L"DebugObject";
    return szPluginName;
}
__declspec(dllexport) char* __cdecl PluginVersion(void)
{
    // The compile date (__DATE__, "Mmm dd yyyy") doubles as the version string.
    // A static array is returned rather than the literal itself so callers get a
    // writable char* without a deprecated literal-to-char* conversion.
    static char szBuildDate[] = __DATE__;
    return szBuildDate;
}
__declspec(dllexport) TCHAR* __cdecl PluginErrorMessage(void)
{
    // Hands the host the last error text recorded by PluginDebugCheck.
    // sErrorMessage is a file-level variable declared outside this block;
    // it is only assigned on the failure paths of PluginDebugCheck.
    TCHAR *pszMessage = sErrorMessage;
    return pszMessage;
}
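__declspec(dllexport) DWORD __cdecl PluginDebugCheck(int iWinVer)
{
    // Asks the kernel for this process's debug object via
    // NtQueryInformationProcess, information class 0x1e
    // (ProcessDebugObjectHandle). A process attached through the Windows
    // debugging API owns such an object; the query hands back a handle to it,
    // otherwise it fails and hDebugObject stays NULL.
    //
    // Returns 1 when a debug object is present, 0 when it is not (or the query
    // itself fails), and (DWORD)-1 when the check could not be performed at all,
    // in which case sErrorMessage describes why. iWinVer is not consulted.
    (void)iWinVer;

    typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE, UINT, PVOID, ULONG, PULONG);
    const UINT ProcessDebugObjectHandleClass = 0x1e;

    // GetModuleHandle signals failure with NULL, not INVALID_HANDLE_VALUE; the
    // previous comparison could never detect a missing module.
    HMODULE hNTDLL = GetModuleHandle(L"ntdll.dll");
    if (hNTDLL == NULL)
    {
        sErrorMessage = TEXT("Failed to load ntdll");
        return (DWORD)-1;
    }

    pNtQueryInformationProcess NtQIP =
        (pNtQueryInformationProcess)GetProcAddress(hNTDLL, "NtQueryInformationProcess");
    if (NtQIP == NULL)
    {
        sErrorMessage = TEXT("Failed to load NtQueryInformationProcess");
        return (DWORD)-1;
    }

    // The buffer length must be sizeof(HANDLE). The previous hard-coded 4 is
    // wrong on 64-bit builds (8-byte handles): the kernel rejects the query with
    // STATUS_INFO_LENGTH_MISMATCH and the check silently reported "not debugged".
    HANDLE hDebugObject = NULL;
    NTSTATUS Status = NtQIP(GetCurrentProcess(), ProcessDebugObjectHandleClass,
                            &hDebugObject, sizeof(hDebugObject), NULL);
    if (Status != 0x00000000)
        return 0;

    if (hDebugObject == NULL)
        return 0;

    // The query creates a new handle to the debug object in this process;
    // release it so repeated checks do not leak one handle per call.
    CloseHandle(hDebugObject);
    return 1;
}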