added new method, renamed heavens gate to wow64peb

Ricardonacif · Ricardonacif · commit 92d2678ce248 · 2020-07-01T01:33:18.000-03:00
diff --git a/.vs/anti-debugging/v16/.suo b/.vs/anti-debugging/v16/.suo
diff --git a/Methods/MethodThreadHideFromDebugger.h b/Methods/MethodThreadHideFromDebugger.h
@@ -0,0 +1,35 @@
+#pragma once
+
+#include <windows.h>
+#include <iostream>
+
+THREADINFOCLASS ThreadHideFromDebugger = (THREADINFOCLASS)0x11;
+bool hasNtSetInformationThreadRun = false;
+
+typedef NTSTATUS(WINAPI* NtSetInformationThread_t)(HANDLE, THREADINFOCLASS, PVOID, ULONG);
+typedef NTSTATUS (WINAPI *NtQueryInformationThread_t)(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG);
+
+NtSetInformationThread_t fnNtSetInformationThread = NULL;
+NtQueryInformationThread_t fnNtQueryInformationThread = NULL;
+
+
+bool MethodThreadHideFromDebugger() {
+
+    HANDLE hThread = GetCurrentThread();
+    fnNtSetInformationThread = (NtSetInformationThread_t)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtSetInformationThread");
+    fnNtQueryInformationThread = (NtQueryInformationThread_t)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationThread");
+
+	if (hasNtSetInformationThreadRun == false)
+	{
+        NTSTATUS errorCode = fnNtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
+        hasNtSetInformationThreadRun = true;        
+	}
+
+    unsigned char lHideThreadQuery = false;
+    ULONG lRet = 0;
+
+    NTSTATUS errorCode = fnNtQueryInformationThread(hThread, ThreadHideFromDebugger, &lHideThreadQuery, sizeof(lHideThreadQuery), &lRet);
+    CloseHandle(hThread);
+
+	return false; //it will crash if its detected anyway 
+}
diff --git a/Methods/MethodUnhandledException.h b/Methods/MethodUnhandledException.h
@@ -7,7 +7,6 @@
 bool hasADbgAttached = true;
 
 LONG WINAPI GetExecutedOnUnhandledException(EXCEPTION_POINTERS * pExceptionInfo) {
-    std::cout << "DJaskldjsLKdjasKDLj skaLDjsakldj saKLd a";
     hasADbgAttached = false;
 
     // thx @mambda for this tip!
diff --git a/Methods/MethodWow64PEB.hpp b/Methods/MethodWow64PEB.hpp
@@ -4,7 +4,7 @@
 
 extern "C" bool check_x64_peb( );
 
-bool MethodHeavensGate( )
+bool MethodWow64PEB( )
 {
 	//auto peb32 = (char*)__readfsdword( 0x30 );
 	//*( peb32 + 2 ) = 0;
diff --git a/anti-debugging.cpp b/anti-debugging.cpp
@@ -12,8 +12,8 @@
 #include "Methods/MethodPEBBeingDebugged.h"
 #include "Methods/MethodNtGlobalFlag.h"
 #include "Methods/MethodGetParentProcess.h"
-#include "Methods/HeavensGateStuff.hpp"
-
+#include "Methods/MethodWow64PEB.hpp"
+#include "Methods/MethodThreadHideFromDebugger.h"
 
 LRESULT CALLBACK WindowProcedure( HWND, UINT, WPARAM, LPARAM );
 
@@ -151,7 +151,8 @@ void AddControls( HWND hWnd ) {
 	AddMethod( MethodCheckRemoteDebuggerPresent, "CheckRemoteDebuggerPresent()" );
 	AddMethod( MethodGetParentProcess, "Check Parent Process (CreateToolhelp32Snapshot)" );
 	AddMethod( MethodUnhandledException, "UnhandledExceptionFilter" );
-	AddMethod( MethodHeavensGate, "Heaven's Gate" );
+	AddMethod( MethodWow64PEB, "WoW64 PEB->BeingDebugged" );
+	AddMethod( MethodThreadHideFromDebugger, "ThreadHideFromDebugger (will crash if debugged)" );
 
 	hLogo = CreateWindowA( "static", NULL, WS_VISIBLE | WS_CHILD | SS_BITMAP, -10, 0, 100, 100, hWnd, NULL, NULL, NULL );
 	SendMessageA( hLogo, STM_SETIMAGE, IMAGE_BITMAP, ( LPARAM )hLogoImage );

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`
`5`	`5`	`extern "C" bool check_x64_peb( );`
`6`	`6`
`7`		`-bool MethodHeavensGate( )`
	`7`	`+bool MethodWow64PEB( )`
`8`	`8`	`{`
`9`	`9`	`//auto peb32 = (char*)__readfsdword( 0x30 );`
`10`	`10`	`//*( peb32 + 2 ) = 0;`