
Friday, May 22, 2015

[C/C++] Using the "csrss.exe" ProcessId to detect a debugger.

Code Snippet:

#include <windows.h>
#include <ntdll.h>

// Caption for the "nothing found" message box, chosen by target bitness.
#if defined(_WIN64)
#  define captionMsg L"64-bit Application"
#else
#  define captionMsg L"32-bit Application"
#endif

// Debugger-presence heuristic: try to open csrss.exe with full access.
// The author's premise (see the comment on PROCESS_ALL_ACCESS below) is that
// this open only succeeds when the caller holds SeDebugPrivilege, which a
// process started under a debugger typically has enabled. The code does not
// verify that premise; it only tests whether the open appeared to succeed.
// Any process that already holds SeDebugPrivilege for other reasons would
// trip the same check, so this is a heuristic, not proof of a debugger.
//
// Review notes (code left as-is):
//  - the NTSTATUS returned by NtOpenProcess is discarded; the success test
//    relies on ProcessHandle staying NULL on failure, which nothing here
//    guarantees -- checking NT_SUCCESS(status) would be the reliable form.
//  - a successfully opened handle is never closed (no NtClose/CloseHandle).
//  - the "detected" branch is a deliberate write to address 0, i.e. an
//    unhandled access violation rather than a clean exit; an analyst seeing
//    an immediate null write right after NtOpenProcess(csrss) has found
//    this check.
// The entry-point name is non-standard; presumably set via the linker (no
// CRT startup) -- confirm against the build settings.
int WINAPI iWinMain() {

    HANDLE ProcessHandle = NULL;   // expected to be filled only on a successful open (assumption, see notes above)
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ClientId;

    // Minimal OBJECT_ATTRIBUTES: the target is identified by CLIENT_ID, so
    // no name, no root directory and default security are supplied.
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = NULL;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

    // Target csrss.exe by process id; CsrGetProcessId is an ntdll export.
    ClientId.UniqueProcess = CsrGetProcessId(); // get the "csrss.exe" ProcessId.
    ClientId.UniqueThread = 0;                  // open the process, not a specific thread.

    // The NTSTATUS result is ignored here -- see the review notes above.
    NtOpenProcess(
        &ProcessHandle,
        PROCESS_ALL_ACCESS, // Per the author, this access mask on csrss requires SeDebugPrivilege.
        &ObjectAttributes,
        &ClientId);

    // A non-NULL handle is read as "caller holds SeDebugPrivilege => debugger present".
    // Note the handle is leaked on this path as well as on the normal one.
    if (ProcessHandle != NULL)
        memset(NULL, 0, 1); //<-- BOOM! PADA BOOM!!! (deliberate null-pointer write: crashes instead of returning)

    // Not detected: report and exit normally.
    MessageBoxW(
        NULL,
        L"Nothing!",
        captionMsg,
        MB_ICONINFORMATION);
    return 0;
}

Source:
http://www.mediafire.com/download/uqm9shm64trv2q6/csrssDBG.rar