├── Anti-Attaching
    ├── DbgUiRemoteBreakin
    │   ├── DbgUiRemoteBreakin.cpp
    │   ├── DbgUiRemoteBreakin.dsp
    │   ├── DbgUiRemoteBreakin.dsw
    │   ├── DbgUiRemoteBreakin.ncb
    │   ├── DbgUiRemoteBreakin.opt
    │   ├── DbgUiRemoteBreakin.plg
    │   ├── Debug
    │   │   ├── DbgUiRemoteBreakin.exe
    │   │   ├── DbgUiRemoteBreakin.ilk
    │   │   ├── DbgUiRemoteBreakin.obj
    │   │   ├── DbgUiRemoteBreakin.pch
    │   │   ├── DbgUiRemoteBreakin.pdb
    │   │   ├── StdAfx.obj
    │   │   ├── vc60.idb
    │   │   └── vc60.pdb
    │   ├── ReadMe.txt
    │   ├── StdAfx.cpp
    │   └── StdAfx.h
    ├── DebugActiveProcess
    │   ├── Debug
    │   │   ├── DebugActiveProcess.exe
    │   │   ├── DebugActiveProcess.ilk
    │   │   ├── DebugActiveProcess.obj
    │   │   ├── DebugActiveProcess.pch
    │   │   ├── DebugActiveProcess.pdb
    │   │   ├── StdAfx.obj
    │   │   ├── vc60.idb
    │   │   └── vc60.pdb
    │   ├── DebugActiveProcess.cpp
    │   ├── DebugActiveProcess.dsp
    │   ├── DebugActiveProcess.dsw
    │   ├── DebugActiveProcess.ncb
    │   ├── DebugActiveProcess.opt
    │   ├── DebugActiveProcess.plg
    │   ├── ReadMe.txt
    │   ├── StdAfx.cpp
    │   └── StdAfx.h
    ├── PEBLoop
    │   ├── Debug
    │   │   ├── PEBLoop.exe
    │   │   ├── PEBLoop.obj
    │   │   ├── PEBLoop.pch
    │   │   ├── PEBLoop.pdb
    │   │   ├── StdAfx.obj
    │   │   ├── vc60.idb
    │   │   └── vc60.pdb
    │   ├── PEBLoop.cpp
    │   ├── PEBLoop.dsp
    │   ├── PEBLoop.dsw
    │   ├── PEBLoop.ncb
    │   ├── PEBLoop.opt
    │   ├── PEBLoop.plg
    │   ├── ReadMe.txt
    │   ├── StdAfx.cpp
    │   └── StdAfx.h
    ├── TLSCallback
    │   ├── Debug
    │   │   ├── StdAfx.obj
    │   │   ├── TLSCallback.exe
    │   │   ├── TLSCallback.obj
    │   │   ├── TLSCallback.pch
    │   │   ├── TLSCallback.pdb
    │   │   ├── vc60.idb
    │   │   └── vc60.pdb
    │   ├── ReadMe.txt
    │   ├── StdAfx.cpp
    │   ├── StdAfx.h
    │   ├── TLSCallback.cpp
    │   ├── TLSCallback.dsp
    │   ├── TLSCallback.dsw
    │   ├── TLSCallback.ncb
    │   ├── TLSCallback.opt
    │   ├── TLSCallback.plg
    │   └── structs.h
    └── ZwContinue
    │   ├── Debug
    │       ├── StdAfx.obj
    │       ├── ZwContinue.exe
    │       ├── ZwContinue.ilk
    │       ├── ZwContinue.obj
    │       ├── ZwContinue.pch
    │       ├── ZwContinue.pdb
    │       ├── vc60.idb
    │       └── vc60.pdb
    │   ├── ReadMe.txt
    │   ├── StdAfx.cpp
    │   ├── StdAfx.h
    │   ├── ZwContinue.cpp
    │   ├── ZwContinue.dsp
    │   ├── ZwContinue.dsw
    │   ├── ZwContinue.ncb
    │   ├── ZwContinue.opt
    │   ├── ZwContinue.plg
    │   ├── test.cpp
    │   ├── test.dsp
    │   ├── test.dsw
    │   ├── test.ncb
    │   ├── test.opt
    │   └── test.plg
├── Anti-Debugging
    └── TLSCallback
    │   ├── ReadMe.txt
    │   ├── StdAfx.cpp
    │   ├── StdAfx.h
    │   ├── pxm.cpp
    │   ├── pxm.dsp
    │   ├── pxm.dsw
    │   ├── pxm.ncb
    │   ├── pxm.opt
    │   └── pxm.plg
└── README.md


/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.cpp:
--------------------------------------------------------------------------------
 1 | // blog.cpp : Defines the entry point for the console application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | #include "windows.h"
 6 | #include "iostream.h"
 7 | 
 8 | 
 9 | int main(int argc, char* argv[])
10 | {
11 |   unsigned char* p=(unsigned char*)GetProcAddress(GetModuleHandle("ntdll.dll"),"DbgUiRemoteBreakin");
12 |  
13 |   unsigned long xxx=0;
14 |   VirtualProtect(p,6,PAGE_EXECUTE_READWRITE,&xxx);
15 | 
16 |  *p=0x68;  //opcodes for push
17 |  *(unsigned long*)(p+1)=(unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"),"ExitProcess");
18 |  *(p+5)=0xC3;  //opcode for retn
19 |   VirtualProtect(p,6,xxx,&xxx);
20 |  
21 |   int x=0;
22 |   while(1)
23 |   {
24 |   	Sleep(1000);
25 |   	cout<<"walied "<<x++<<endl;
26 |   }
27 |   return 0;
28 | }
29 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="DbgUiRemoteBreakin" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=DbgUiRemoteBreakin - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "DbgUiRemoteBreakin.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "DbgUiRemoteBreakin.mak" CFG="DbgUiRemoteBreakin - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "DbgUiRemoteBreakin - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "DbgUiRemoteBreakin - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "DbgUiRemoteBreakin - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG"
 46 | # ADD RSC /l 0x409 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "DbgUiRemoteBreakin - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Target_Dir ""
 66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 68 | # ADD BASE RSC /l 0x409 /d "_DEBUG"
 69 | # ADD RSC /l 0x409 /d "_DEBUG"
 70 | BSC32=bscmake.exe
 71 | # ADD BASE BSC32 /nologo
 72 | # ADD BSC32 /nologo
 73 | LINK32=link.exe
 74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | 
 77 | !ENDIF 
 78 | 
 79 | # Begin Target
 80 | 
 81 | # Name "DbgUiRemoteBreakin - Win32 Release"
 82 | # Name "DbgUiRemoteBreakin - Win32 Debug"
 83 | # Begin Group "Source Files"
 84 | 
 85 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 86 | # Begin Source File
 87 | 
 88 | SOURCE=.\DbgUiRemoteBreakin.cpp
 89 | # End Source File
 90 | # Begin Source File
 91 | 
 92 | SOURCE=.\StdAfx.cpp
 93 | # ADD CPP /Yc"stdafx.h"
 94 | # End Source File
 95 | # End Group
 96 | # Begin Group "Header Files"
 97 | 
 98 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
 99 | # Begin Source File
100 | 
101 | SOURCE=.\StdAfx.h
102 | # End Source File
103 | # End Group
104 | # Begin Group "Resource Files"
105 | 
106 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
107 | # End Group
108 | # Begin Source File
109 | 
110 | SOURCE=.\ReadMe.txt
111 | # End Source File
112 | # End Target
113 | # End Project
114 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "DbgUiRemoteBreakin"=".\DbgUiRemoteBreakin.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.ncb


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.opt


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/DbgUiRemoteBreakin.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: DbgUiRemoteBreakin - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSPEBFF.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/DbgUiRemoteBreakin.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ  /c 
12 | "H:\microsoft visual studio\VC6\MyProjects\DbgUiRemoteBreakin\DbgUiRemoteBreakin.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSPEBFF.tmp" 
15 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSPEC00.tmp" with contents
16 | [
17 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/DbgUiRemoteBreakin.pch" /Yc"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ  /c 
18 | "H:\microsoft visual studio\VC6\MyProjects\DbgUiRemoteBreakin\StdAfx.cpp"
19 | ]
20 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSPEC00.tmp" 
21 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSPEC01.tmp" with contents
22 | [
23 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/DbgUiRemoteBreakin.pdb" /debug /machine:I386 /out:"Debug/DbgUiRemoteBreakin.exe" /pdbtype:sept 
24 | ".\Debug\StdAfx.obj"
25 | ".\Debug\DbgUiRemoteBreakin.obj"
26 | ]
27 | Creating command line "link.exe @C:\Users\walied\AppData\Local\Temp\RSPEC01.tmp"
28 | <h3>Output Window</h3>
29 | Compiling...
30 | StdAfx.cpp
31 | Compiling...
32 | DbgUiRemoteBreakin.cpp
33 | Linking...
34 | 
35 | 
36 | 
37 | <h3>Results</h3>
38 | DbgUiRemoteBreakin.exe - 0 error(s), 0 warning(s)
39 | </pre>
40 | </body>
41 | </html>
42 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.exe


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.ilk


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.obj


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.pch


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/DbgUiRemoteBreakin.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/StdAfx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/StdAfx.obj


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/vc60.idb


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DbgUiRemoteBreakin/Debug/vc60.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |        CONSOLE APPLICATION : DbgUiRemoteBreakin
 3 | ========================================================================
 4 | 
 5 | 
 6 | AppWizard has created this DbgUiRemoteBreakin application for you.  
 7 | 
 8 | This file contains a summary of what you will find in each of the files that
 9 | make up your DbgUiRemoteBreakin application.
10 | 
11 | DbgUiRemoteBreakin.dsp
12 |     This file (the project file) contains information at the project level and
13 |     is used to build a single project or subproject. Other users can share the
14 |     project (.dsp) file, but they should export the makefiles locally.
15 | 
16 | DbgUiRemoteBreakin.cpp
17 |     This is the main application source file.
18 | 
19 | 
20 | /////////////////////////////////////////////////////////////////////////////
21 | Other standard files:
22 | 
23 | StdAfx.h, StdAfx.cpp
24 |     These files are used to build a precompiled header (PCH) file
25 |     named DbgUiRemoteBreakin.pch and a precompiled types file named StdAfx.obj.
26 | 
27 | 
28 | /////////////////////////////////////////////////////////////////////////////
29 | Other notes:
30 | 
31 | AppWizard uses "TODO:" to indicate parts of the source code you
32 | should add to or customize.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/StdAfx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | //	DbgUiRemoteBreakin.pch will be the pre-compiled header
3 | //	stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DbgUiRemoteBreakin/StdAfx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | //  or project specific include files that are used frequently, but
 3 | //      are changed infrequently
 4 | //
 5 | 
 6 | #if !defined(AFX_STDAFX_H__026D215B_9E4E_432E_B5FA_E0BAA5F1F2EB__INCLUDED_)
 7 | #define AFX_STDAFX_H__026D215B_9E4E_432E_B5FA_E0BAA5F1F2EB__INCLUDED_
 8 | 
 9 | #if _MSC_VER > 1000
10 | #pragma once
11 | #endif // _MSC_VER > 1000
12 | 
13 | 
14 | // TODO: reference additional headers your program requires here
15 | 
16 | //{{AFX_INSERT_LOCATION}}
17 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line.
18 | 
19 | #endif // !defined(AFX_STDAFX_H__026D215B_9E4E_432E_B5FA_E0BAA5F1F2EB__INCLUDED_)
20 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.exe


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.ilk


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.obj


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.pch


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/DebugActiveProcess.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/StdAfx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/StdAfx.obj


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/vc60.idb


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/Debug/vc60.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.cpp:
--------------------------------------------------------------------------------
 1 | // block2.cpp : Defines the entry point for the console application.
 2 | //
 3 |  
 4 | #include "stdafx.h"
 5 | #include "windows.h"
 6 | #include "iostream.h"
 7 |  
 8 | 
 9 | char* GetDebugEventName(unsigned long DebugEventCode)
10 | {
11 | 	if(DebugEventCode == 1) return "EXCEPTION_DEBUG_EVENT";
12 | 	else if(DebugEventCode == 2) return "CREATE_THREAD_DEBUG_EVENT";
13 | 	else if(DebugEventCode == 3) return "CREATE_PROCESS_DEBUG_EVENT";
14 | 	else if(DebugEventCode == 4) return "EXIT_THREAD_DEBUG_EVENT";
15 | 	else if(DebugEventCode == 5) return "EXIT_PROCESS_DEBUG_EVENT";
16 | 	else if(DebugEventCode == 6) return "LOAD_DLL_DEBUG_EVENT";
17 | 	else if(DebugEventCode == 7) return "UNLOAD_DLL_DEBUG_EVENT";
18 | 	else if(DebugEventCode == 8) return "OUTPUT_DEBUG_STRING_EVENT";
19 | 	else if(DebugEventCode == 9) return "RIP_EVENT";
20 | 	
21 | 	return "UNKNOWN";
22 | }
23 | 
24 | 
25 | //This demo spawns calc.exe in debugged mode. Any attempt to debug calc.exe will fail.
26 | 
27 | int main(int argc, char* argv[])
28 | {
29 |     
30 |     //cout<<"Enter process id (PID) ";
31 |     //unsigned char x[6]={0};
32 |     //cin>>x;
33 |  
34 |     //long xx=atol((char*)x);
35 |  
36 |     STARTUPINFO SI={sizeof(STARTUPINFO)};
37 |     PROCESS_INFORMATION PI;
38 |     CreateProcess(0,"calc.exe",0,0,FALSE,0,0,0,&SI,&PI);
39 |  
40 |     if(DebugActiveProcess(PI.dwProcessId))
41 |     {
42 |    	 bool ss=true;
43 |    	 DEBUG_EVENT DE={0};
44 |    	 while(ss)
45 |    	 {
46 |    		 WaitForDebugEvent(&DE,INFINITE);
47 |    		 cout<<"Debug Event: "<<GetDebugEventName(DE.dwDebugEventCode)<<endl;
48 |    		 switch(DE.dwDebugEventCode)
49 |    		 {
50 |    		 case EXIT_PROCESS_DEBUG_EVENT:
51 |    			 ss=false;
52 |    			 break;
53 | 		 case EXCEPTION_DEBUG_EVENT:
54 | 			 ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_EXCEPTION_NOT_HANDLED);
55 |    		 }
56 |    		 ContinueDebugEvent(DE.dwProcessId,DE.dwThreadId,DBG_CONTINUE);
57 |    	 }
58 |     }
59 |  
60 |     MessageBox(0,"Process terminated!","walied Debugger",0);
61 |     return 0;
62 | }
63 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="DebugActiveProcess" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=DebugActiveProcess - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "DebugActiveProcess.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "DebugActiveProcess.mak" CFG="DebugActiveProcess - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "DebugActiveProcess - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "DebugActiveProcess - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "DebugActiveProcess - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG"
 46 | # ADD RSC /l 0x409 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "DebugActiveProcess - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Target_Dir ""
 66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 68 | # ADD BASE RSC /l 0x409 /d "_DEBUG"
 69 | # ADD RSC /l 0x409 /d "_DEBUG"
 70 | BSC32=bscmake.exe
 71 | # ADD BASE BSC32 /nologo
 72 | # ADD BSC32 /nologo
 73 | LINK32=link.exe
 74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | 
 77 | !ENDIF 
 78 | 
 79 | # Begin Target
 80 | 
 81 | # Name "DebugActiveProcess - Win32 Release"
 82 | # Name "DebugActiveProcess - Win32 Debug"
 83 | # Begin Group "Source Files"
 84 | 
 85 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 86 | # Begin Source File
 87 | 
 88 | SOURCE=.\DebugActiveProcess.cpp
 89 | # End Source File
 90 | # Begin Source File
 91 | 
 92 | SOURCE=.\StdAfx.cpp
 93 | # ADD CPP /Yc"stdafx.h"
 94 | # End Source File
 95 | # End Group
 96 | # Begin Group "Header Files"
 97 | 
 98 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
 99 | # Begin Source File
100 | 
101 | SOURCE=.\StdAfx.h
102 | # End Source File
103 | # End Group
104 | # Begin Group "Resource Files"
105 | 
106 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
107 | # End Group
108 | # Begin Source File
109 | 
110 | SOURCE=.\ReadMe.txt
111 | # End Source File
112 | # End Target
113 | # End Project
114 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "DebugActiveProcess"=".\DebugActiveProcess.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.ncb


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.opt


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/DebugActiveProcess.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: DebugActiveProcess - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP118A.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/DebugActiveProcess.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ  /c 
12 | "H:\microsoft visual studio\VC6\MyProjects\DebugActiveProcess\DebugActiveProcess.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSP118A.tmp" 
15 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP118B.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/DebugActiveProcess.pdb" /debug /machine:I386 /out:"Debug/DebugActiveProcess.exe" /pdbtype:sept 
18 | ".\Debug\StdAfx.obj"
19 | ".\Debug\DebugActiveProcess.obj"
20 | ]
21 | Creating command line "link.exe @C:\Users\walied\AppData\Local\Temp\RSP118B.tmp"
22 | <h3>Output Window</h3>
23 | Compiling...
24 | DebugActiveProcess.cpp
25 | Linking...
26 | 
27 | 
28 | 
29 | <h3>Results</h3>
30 | DebugActiveProcess.exe - 0 error(s), 0 warning(s)
31 | </pre>
32 | </body>
33 | </html>
34 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |        CONSOLE APPLICATION : DebugActiveProcess
 3 | ========================================================================
 4 | 
 5 | 
 6 | AppWizard has created this DebugActiveProcess application for you.  
 7 | 
 8 | This file contains a summary of what you will find in each of the files that
 9 | make up your DebugActiveProcess application.
10 | 
11 | DebugActiveProcess.dsp
12 |     This file (the project file) contains information at the project level and
13 |     is used to build a single project or subproject. Other users can share the
14 |     project (.dsp) file, but they should export the makefiles locally.
15 | 
16 | DebugActiveProcess.cpp
17 |     This is the main application source file.
18 | 
19 | 
20 | /////////////////////////////////////////////////////////////////////////////
21 | Other standard files:
22 | 
23 | StdAfx.h, StdAfx.cpp
24 |     These files are used to build a precompiled header (PCH) file
25 |     named DebugActiveProcess.pch and a precompiled types file named StdAfx.obj.
26 | 
27 | 
28 | /////////////////////////////////////////////////////////////////////////////
29 | Other notes:
30 | 
31 | AppWizard uses "TODO:" to indicate parts of the source code you
32 | should add to or customize.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/StdAfx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | //	DebugActiveProcess.pch will be the pre-compiled header
3 | //	stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Anti-Attaching/DebugActiveProcess/StdAfx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | //  or project specific include files that are used frequently, but
 3 | //      are changed infrequently
 4 | //
 5 | 
 6 | #if !defined(AFX_STDAFX_H__9A870820_AC09_4FD0_8A76_DA1237E95DE5__INCLUDED_)
 7 | #define AFX_STDAFX_H__9A870820_AC09_4FD0_8A76_DA1237E95DE5__INCLUDED_
 8 | 
 9 | #if _MSC_VER > 1000
10 | #pragma once
11 | #endif // _MSC_VER > 1000
12 | 
13 | 
14 | // TODO: reference additional headers your program requires here
15 | 
16 | //{{AFX_INSERT_LOCATION}}
17 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line.
18 | 
19 | #endif // !defined(AFX_STDAFX_H__9A870820_AC09_4FD0_8A76_DA1237E95DE5__INCLUDED_)
20 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/PEBLoop.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/PEBLoop.exe


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/PEBLoop.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/PEBLoop.obj


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/PEBLoop.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/PEBLoop.pch


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/PEBLoop.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/PEBLoop.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/StdAfx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/StdAfx.obj


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/vc60.idb


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/Debug/vc60.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/PEBLoop.cpp:
--------------------------------------------------------------------------------
 1 | // PEBLoop.cpp : Defines the entry point for the console application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | #include "windows.h"
 6 | 
 7 | 
 8 | int main(int argc, char* argv[])
 9 | {
10 | 	unsigned long start = 0;
11 | 	unsigned long imagebase = 0;
12 | 
13 | 	__asm
14 | 	{
15 | 		mov eax,dword ptr fs:[0x30]
16 | 		mov eax,dword ptr [eax+0xC]
17 | 		add eax,0x14
18 | 		mov dword ptr [ebp-0x4],eax
19 | 		mov eax,dword ptr[eax]
20 | here:
21 | 		mov ebx,dword ptr[eax+0x10]
22 | 		mov dword ptr[ebp-0x8],ebx
23 | 		mov ecx,eax
24 | 		mov eax,dword ptr[eax]
25 | 		cmp eax,dword ptr[ebp-0x4]
26 | 		jnz here
27 | 	}
28 | 	while(9)
29 | 	{
30 | 		Sleep(1000);
31 | 	}
32 | 	return 0;
33 | }
34 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/PEBLoop.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="PEBLoop" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=PEBLoop - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "PEBLoop.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "PEBLoop.mak" CFG="PEBLoop - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "PEBLoop - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "PEBLoop - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "PEBLoop - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG"
 46 | # ADD RSC /l 0x409 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "PEBLoop - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Ignore_Export_Lib 0
 66 | # PROP Target_Dir ""
 67 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 68 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 69 | # ADD BASE RSC /l 0x409 /d "_DEBUG"
 70 | # ADD RSC /l 0x409 /d "_DEBUG"
 71 | BSC32=bscmake.exe
 72 | # ADD BASE BSC32 /nologo
 73 | # ADD BSC32 /nologo
 74 | LINK32=link.exe
 75 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /entry:"main" /subsystem:console /incremental:no /machine:I386 /nodefaultlib /pdbtype:sept
 77 | # SUBTRACT LINK32 /pdb:none
 78 | 
 79 | !ENDIF 
 80 | 
 81 | # Begin Target
 82 | 
 83 | # Name "PEBLoop - Win32 Release"
 84 | # Name "PEBLoop - Win32 Debug"
 85 | # Begin Group "Source Files"
 86 | 
 87 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 88 | # Begin Source File
 89 | 
 90 | SOURCE=.\PEBLoop.cpp
 91 | # End Source File
 92 | # Begin Source File
 93 | 
 94 | SOURCE=.\StdAfx.cpp
 95 | # ADD CPP /Yc"stdafx.h"
 96 | # End Source File
 97 | # End Group
 98 | # Begin Group "Header Files"
 99 | 
100 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
101 | # Begin Source File
102 | 
103 | SOURCE=.\StdAfx.h
104 | # End Source File
105 | # End Group
106 | # Begin Group "Resource Files"
107 | 
108 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
109 | # End Group
110 | # Begin Source File
111 | 
112 | SOURCE=.\ReadMe.txt
113 | # End Source File
114 | # End Target
115 | # End Project
116 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/PEBLoop.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "PEBLoop"=".\PEBLoop.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/PEBLoop.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/PEBLoop.ncb


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/PEBLoop.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/PEBLoop/PEBLoop.opt


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/PEBLoop.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: PEBLoop - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3D10.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/PEBLoop.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /c 
12 | "H:\microsoft visual studio\VC6\MyProjects\PEBLoop\PEBLoop.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSP3D10.tmp" 
15 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3D11.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /entry:"main" /subsystem:console /incremental:no /pdb:"Debug/PEBLoop.pdb" /machine:I386 /nodefaultlib /out:"Debug/PEBLoop.exe" /pdbtype:sept 
18 | ".\Debug\StdAfx.obj"
19 | ".\Debug\PEBLoop.obj"
20 | ]
21 | Creating command line "link.exe @C:\Users\walied\AppData\Local\Temp\RSP3D11.tmp"
22 | <h3>Output Window</h3>
23 | Compiling...
24 | PEBLoop.cpp
25 | Linking...
26 | LINK : warning LNK4075: ignoring /EDITANDCONTINUE due to /INCREMENTAL:NO specification
27 | 
28 | 
29 | 
30 | <h3>Results</h3>
31 | PEBLoop.exe - 0 error(s), 1 warning(s)
32 | </pre>
33 | </body>
34 | </html>
35 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |        CONSOLE APPLICATION : PEBLoop
 3 | ========================================================================
 4 | 
 5 | 
 6 | AppWizard has created this PEBLoop application for you.  
 7 | 
 8 | This file contains a summary of what you will find in each of the files that
 9 | make up your PEBLoop application.
10 | 
11 | PEBLoop.dsp
12 |     This file (the project file) contains information at the project level and
13 |     is used to build a single project or subproject. Other users can share the
14 |     project (.dsp) file, but they should export the makefiles locally.
15 | 
16 | PEBLoop.cpp
17 |     This is the main application source file.
18 | 
19 | 
20 | /////////////////////////////////////////////////////////////////////////////
21 | Other standard files:
22 | 
23 | StdAfx.h, StdAfx.cpp
24 |     These files are used to build a precompiled header (PCH) file
25 |     named PEBLoop.pch and a precompiled types file named StdAfx.obj.
26 | 
27 | 
28 | /////////////////////////////////////////////////////////////////////////////
29 | Other notes:
30 | 
31 | AppWizard uses "TODO:" to indicate parts of the source code you
32 | should add to or customize.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/StdAfx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | //	PEBLoop.pch will be the pre-compiled header
3 | //	stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Anti-Attaching/PEBLoop/StdAfx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | //  or project specific include files that are used frequently, but
 3 | //      are changed infrequently
 4 | //
 5 | 
 6 | #if !defined(AFX_STDAFX_H__A44FB2ED_3380_455C_ABD7_BF09E472737C__INCLUDED_)
 7 | #define AFX_STDAFX_H__A44FB2ED_3380_455C_ABD7_BF09E472737C__INCLUDED_
 8 | 
 9 | #if _MSC_VER > 1000
10 | #pragma once
11 | #endif // _MSC_VER > 1000
12 | 
13 | 
14 | // TODO: reference additional headers your program requires here
15 | 
16 | //{{AFX_INSERT_LOCATION}}
17 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line.
18 | 
19 | #endif // !defined(AFX_STDAFX_H__A44FB2ED_3380_455C_ABD7_BF09E472737C__INCLUDED_)
20 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/StdAfx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/StdAfx.obj


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/TLSCallback.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/TLSCallback.exe


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/TLSCallback.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/TLSCallback.obj


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/TLSCallback.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/TLSCallback.pch


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/TLSCallback.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/TLSCallback.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/vc60.idb


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/Debug/vc60.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/ReadMe.txt:
--------------------------------------------------------------------------------
1 | Tested on XP Only


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/StdAfx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | //	TLSCallback.pch will be the pre-compiled header
3 | //	stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/StdAfx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | //  or project specific include files that are used frequently, but
 3 | //      are changed infrequently
 4 | //
 5 | 
 6 | #if !defined(AFX_STDAFX_H__DC9D77B0_4EED_4753_B72F_88AE88C877A0__INCLUDED_)
 7 | #define AFX_STDAFX_H__DC9D77B0_4EED_4753_B72F_88AE88C877A0__INCLUDED_
 8 | 
 9 | #if _MSC_VER > 1000
10 | #pragma once
11 | #endif // _MSC_VER > 1000
12 | 
13 | 
14 | // TODO: reference additional headers your program requires here
15 | 
16 | //{{AFX_INSERT_LOCATION}}
17 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line.
18 | 
19 | #endif // !defined(AFX_STDAFX_H__DC9D77B0_4EED_4753_B72F_88AE88C877A0__INCLUDED_)
20 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/TLSCallback.cpp:
--------------------------------------------------------------------------------
  1 | #include "stdafx.h"
  2 | #include "stdio.h"
  3 | #include "windows.h"
  4 | #include "structs.h"
  5 | 
  6 | #pragma comment(lib,"ntdll.lib")
  7 | #pragma comment(lib,"msvcrt.lib")
  8 | #pragma comment(linker,"/entry:main")
  9 | 
 10 | 
 11 | #define SystemProcessesAndThreadsInformation 0x5
 12 | #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
 13 | 
 14 | 
 15 | extern "C"
 16 | {
 17 |    int __stdcall ZwQuerySystemInformation(int,void*,int,void*);
 18 | }
 19 | 
 20 | 
 21 | //---------prototypes-----------------
 22 | unsigned long addr;
 23 | void __stdcall clb(void*,int,void*);
 24 | //------------------------------------
 25 | //This is the TLS structure.
 26 | struct BLAH_BLAH
 27 | {
 28 | 	int A,B;
 29 | 	int* pIndex;
 30 | 	void(__stdcall **f)(void*,int,void*);
 31 | 	int C,D;
 32 | };
 33 | //-------------------------------------------
 34 | int x[2]={1,0};
 35 | void(__stdcall *ft[3])(void*,int,void*)={&clb,0,0};
 36 | //-------------------------------------------
 37 | 
 38 | unsigned long y=0;
 39 | void __stdcall clb(void*,int reason,void*)
 40 | {
 41 |   if(reason==DLL_THREAD_ATTACH)
 42 |   {
 43 | 	MessageBox(0,"walied","assar",0);
 44 | 	unsigned long cbBuffer=0x5000;
 45 | 	void* Buffer=(void*)LocalAlloc(0,cbBuffer);
 46 | 	if(!Buffer) return;
 47 | 	bool x=false;
 48 | 	while(x==false)
 49 | 	{
 50 | 	    int ret=ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,Buffer,cbBuffer,0);
 51 | 		if(ret<0)
 52 | 		{
 53 | 			if(ret==STATUS_INFO_LENGTH_MISMATCH)
 54 | 			{
 55 | 				cbBuffer=cbBuffer+cbBuffer;
 56 | 				LocalFree(Buffer);
 57 | 				Buffer=(void*)LocalAlloc(0,cbBuffer);
 58 | 				if(!Buffer) return;
 59 | 				x=false;
 60 | 			}
 61 | 			else return;
 62 | 		}
 63 | 		else x=true;
 64 | 	}
 65 | 	SYSTEM_PROCESS_INFORMATION* p=(SYSTEM_PROCESS_INFORMATION*)Buffer;	
 66 | 	while(1)
 67 | 	{
 68 | 			if(p->ProcessId==GetCurrentProcessId())
 69 | 			{
 70 | 				for(int i=0;i<p->ThreadCount;i++)
 71 | 				{
 72 | 					if(GetCurrentThreadId()==p->Threads[i].ClientId .UniqueThread)
 73 | 					{
 74 | 						if(addr==p->Threads[i].StartAddress)
 75 | 						{
 76 | 							MessageBox(0,"A7a, are you trying to attach to me","walied",0);
 77 | 						    ExitProcess(10);
 78 | 						}
 79 | 					}
 80 | 				}
 81 | 			}
 82 | 			if(p->NextEntryDelta==0) break;
 83 | 			p=(SYSTEM_PROCESS_INFORMATION*)((unsigned char*)p+(p->NextEntryDelta));
 84 | 		}
 85 |   }
 86 | }
 87 | //----------------------------------------------------------
 88 | extern "C"
 89 | {
 90 | 	/* object name must be _tls_used */
 91 | 	BLAH_BLAH _tls_used={0,0,x,ft,0,0};
 92 | }
 93 | 
 94 | int main(int argc, char* argv[])
 95 | {
 96 | 	addr=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"DbgUiRemoteBreakin");
 97 | 
 98 | 	int ssss=0;
 99 | 	while(1)
100 | 	{
101 | 		Sleep(1000);
102 | 		printf("walied %X\r\n",ssss++);
103 | 	}
104 | 	return 0;
105 | }
106 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/TLSCallback.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="TLSCallback" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=TLSCallback - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "TLSCallback.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "TLSCallback.mak" CFG="TLSCallback - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "TLSCallback - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "TLSCallback - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "TLSCallback - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG"
 46 | # ADD RSC /l 0x409 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "TLSCallback - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Ignore_Export_Lib 0
 66 | # PROP Target_Dir ""
 67 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ /c
 68 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 69 | # ADD BASE RSC /l 0x409 /d "_DEBUG"
 70 | # ADD RSC /l 0x409 /d "_DEBUG"
 71 | BSC32=bscmake.exe
 72 | # ADD BASE BSC32 /nologo
 73 | # ADD BSC32 /nologo
 74 | LINK32=link.exe
 75 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:no /machine:I386 /nodefaultlib /pdbtype:sept
 77 | # SUBTRACT LINK32 /debug
 78 | 
 79 | !ENDIF 
 80 | 
 81 | # Begin Target
 82 | 
 83 | # Name "TLSCallback - Win32 Release"
 84 | # Name "TLSCallback - Win32 Debug"
 85 | # Begin Group "Source Files"
 86 | 
 87 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 88 | # Begin Source File
 89 | 
 90 | SOURCE=.\StdAfx.cpp
 91 | # ADD CPP /Yc"stdafx.h"
 92 | # End Source File
 93 | # Begin Source File
 94 | 
 95 | SOURCE=.\TLSCallback.cpp
 96 | # End Source File
 97 | # End Group
 98 | # Begin Group "Header Files"
 99 | 
100 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
101 | # Begin Source File
102 | 
103 | SOURCE=.\StdAfx.h
104 | # End Source File
105 | # End Group
106 | # Begin Group "Resource Files"
107 | 
108 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
109 | # End Group
110 | # Begin Source File
111 | 
112 | SOURCE=.\ReadMe.txt
113 | # End Source File
114 | # End Target
115 | # End Project
116 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/TLSCallback.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "TLSCallback"=".\TLSCallback.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/TLSCallback.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/TLSCallback.ncb


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/TLSCallback.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/TLSCallback/TLSCallback.opt


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/TLSCallback.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: TLSCallback - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3DB9.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/TLSCallback.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /c 
12 | "H:\microsoft visual studio\VC6\MyProjects\TLSCallback\TLSCallback.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSP3DB9.tmp" 
15 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3DBA.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib ntdll.lib msvcrt.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:no /pdb:"Debug/TLSCallback.pdb" /machine:I386 /nodefaultlib /out:"Debug/TLSCallback.exe" /pdbtype:sept 
18 | ".\Debug\StdAfx.obj"
19 | ".\Debug\TLSCallback.obj"
20 | ]
21 | Creating command line "link.exe @C:\Users\walied\AppData\Local\Temp\RSP3DBA.tmp"
22 | <h3>Output Window</h3>
23 | Compiling...
24 | TLSCallback.cpp
25 | H:\microsoft visual studio\VC6\MyProjects\TLSCallback\TLSCallback.cpp(70) : warning C4018: '<' : signed/unsigned mismatch
26 | Linking...
27 | LINK : warning LNK4075: ignoring /EDITANDCONTINUE due to /INCREMENTAL:NO specification
28 | 
29 | 
30 | 
31 | <h3>Results</h3>
32 | TLSCallback.exe - 0 error(s), 2 warning(s)
33 | </pre>
34 | </body>
35 | </html>
36 | 


--------------------------------------------------------------------------------
/Anti-Attaching/TLSCallback/structs.h:
--------------------------------------------------------------------------------
 1 | struct CLIENT_ID
 2 | {
 3 |      unsigned long UniqueProcess;
 4 |      unsigned long UniqueThread;
 5 | };
 6 | 
 7 | struct UNICODE_STRING
 8 | {
 9 |  unsigned short Length;
10 |  unsigned short MaximumLength;
11 |  wchar_t*  Buffer;
12 | };
13 | 
14 | struct VM_COUNTERS
15 | {
16 |     unsigned long PeakVirtualSize;
17 |     unsigned long VirtualSize;
18 |     unsigned long PageFaultCount;
19 |     unsigned long PeakWorkingSetSize;
20 |     unsigned long WorkingSetSize;
21 |     unsigned long QuotaPeakPagedPoolUsage;
22 |     unsigned long QuotaPagedPoolUsage;
23 |     unsigned long QuotaPeakNonPagedPoolUsage;
24 |     unsigned long QuotaNonPagedPoolUsage;
25 |     unsigned long PagefileUsage;
26 |     unsigned long PeakPagefileUsage;
27 | };
28 | 
29 | struct IO_COUNTERS
30 | {
31 |   ULONGLONG ReadOperationCount;
32 |   ULONGLONG WriteOperationCount;
33 |   ULONGLONG OtherOperationCount;
34 |   ULONGLONG ReadTransferCount;
35 |   ULONGLONG WriteTransferCount;
36 |   ULONGLONG OtherTransferCount;
37 | };
38 | 
39 | struct SYSTEM_THREAD_INFORMATION
40 | {
41 |     LARGE_INTEGER KernelTime;
42 |     LARGE_INTEGER UserTime;
43 |     LARGE_INTEGER CreateTime;
44 |     unsigned long WaitTime;
45 |     unsigned long StartAddress;
46 |     CLIENT_ID ClientId;
47 |     long Priority;
48 |     long BasePriority;
49 |     unsigned long ContextSwitchCount;
50 |     long State;
51 |     long WaitReason;
52 | };
53 | 
54 | 
55 | struct SYSTEM_PROCESS_INFORMATION {
56 | unsigned long NextEntryDelta;
57 | unsigned long ThreadCount;
58 | unsigned long Reserved1[6];
59 | LARGE_INTEGER CreateTime;
60 | LARGE_INTEGER UserTime;
61 | LARGE_INTEGER KernelTime;
62 | UNICODE_STRING ProcessName;
63 | long BasePriority;
64 | unsigned long ProcessId;
65 | unsigned long InheritedFromProcessId;
66 | unsigned long HandleCount;
67 | unsigned long Reserved2[2];
68 | VM_COUNTERS VmCounters;
69 | IO_COUNTERS IoCounters;
70 | SYSTEM_THREAD_INFORMATION Threads[5]; //Here, 5 is a random number
71 | };


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/StdAfx.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/StdAfx.obj


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/ZwContinue.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/ZwContinue.exe


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/ZwContinue.ilk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/ZwContinue.ilk


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/ZwContinue.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/ZwContinue.obj


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/ZwContinue.pch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/ZwContinue.pch


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/ZwContinue.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/ZwContinue.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/vc60.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/vc60.idb


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/Debug/vc60.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/Debug/vc60.pdb


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |        CONSOLE APPLICATION : ZwContinue
 3 | ========================================================================
 4 | 
 5 | 
 6 | AppWizard has created this ZwContinue application for you.  
 7 | 
 8 | This file contains a summary of what you will find in each of the files that
 9 | make up your ZwContinue application.
10 | 
11 | ZwContinue.dsp
12 |     This file (the project file) contains information at the project level and
13 |     is used to build a single project or subproject. Other users can share the
14 |     project (.dsp) file, but they should export the makefiles locally.
15 | 
16 | ZwContinue.cpp
17 |     This is the main application source file.
18 | 
19 | 
20 | /////////////////////////////////////////////////////////////////////////////
21 | Other standard files:
22 | 
23 | StdAfx.h, StdAfx.cpp
24 |     These files are used to build a precompiled header (PCH) file
25 |     named ZwContinue.pch and a precompiled types file named StdAfx.obj.
26 | 
27 | 
28 | /////////////////////////////////////////////////////////////////////////////
29 | Other notes:
30 | 
31 | AppWizard uses "TODO:" to indicate parts of the source code you
32 | should add to or customize.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/StdAfx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | //	ZwContinue.pch will be the pre-compiled header
3 | //	stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/StdAfx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | //  or project specific include files that are used frequently, but
 3 | //      are changed infrequently
 4 | //
 5 | 
 6 | #if !defined(AFX_STDAFX_H__15ABBDA8_2083_4372_AFC9_354F403A3017__INCLUDED_)
 7 | #define AFX_STDAFX_H__15ABBDA8_2083_4372_AFC9_354F403A3017__INCLUDED_
 8 | 
 9 | #if _MSC_VER > 1000
10 | #pragma once
11 | #endif // _MSC_VER > 1000
12 | 
13 | 
14 | // TODO: reference additional headers your program requires here
15 | 
16 | //{{AFX_INSERT_LOCATION}}
17 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line.
18 | 
19 | #endif // !defined(AFX_STDAFX_H__15ABBDA8_2083_4372_AFC9_354F403A3017__INCLUDED_)
20 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ZwContinue.cpp:
--------------------------------------------------------------------------------
  1 | //http://waleedassar.blogspot.com - (@waleedassar)
  2 | //This code shows how to hook the "ZwContinue" function in order to detect debuggers trying to attach.
  3 | //Tested with Windows XP SP2/SP3 and Windows 7 SP1.
  4 | #include "stdafx.h"
  5 | #include "windows.h"
  6 | #include "stdio.h"
  7 |  
  8 | unsigned long relativeOffset(unsigned long from,unsigned long to)
  9 | {
 10 |         unsigned long diff=0;
 11 |         if(from>to)
 12 |         {
 13 | 			//5-byte jump instruction
 14 | 			diff=((unsigned long)from+5)-(unsigned long)to;
 15 | 			diff=-diff;
 16 |         }
 17 |         else
 18 |         {
 19 | 			diff=(unsigned long)to-((unsigned long)from+5);
 20 |         }
 21 |         return diff;
 22 | }
 23 |  
 24 | struct OSVERSIONINFOEx
 25 | {
 26 |   DWORD dwOSVersionInfoSize;
 27 |   DWORD dwMajorVersion;
 28 |   DWORD dwMinorVersion;
 29 |   DWORD dwBuildNumber;
 30 |   DWORD dwPlatformId;
 31 |   TCHAR szCSDVersion[128];
 32 |   WORD  wServicePackMajor;
 33 |   WORD  wServicePackMinor;
 34 |   WORD  wSuiteMask;
 35 |   BYTE  wProductType;
 36 |   BYTE  wReserved;
 37 | };
 38 |  
 39 | unsigned long ver;   //0 if XP, 1 if win7, -1 otherwise.
 40 | unsigned char* p;  //holds address of ZwContinue
 41 | unsigned long addr_Dbg;   //holds address of DbgUiRemoteBreakin
 42 | unsigned long addr_DbgPnt;   //holds address of DbgBreakPoint
 43 | unsigned long addr_RtlUserThreadStart; ////holds address of RtlUserThreadStart
 44 |  
 45 | char* backup;    //here we backup the first 5 bytes of ZwContinue.
 46 |  
 47 | void HookFunc(char* pCOntext)
 48 | {
 49 |            unsigned long eip_=*(unsigned long*)(pCOntext+0xB8);   //StartAddress
 50 |            unsigned long eax_=*(unsigned long*)(pCOntext+0xB0);   //Win32StartAddress
 51 |            if(ver==0)  //xp
 52 |            {
 53 |                    //Since the attaching thread is created via RtlCreateUserThread, then eip should be DbgUiRemoteBreakin and eax should be zero
 54 |                    if(eip_==addr_Dbg) ExitProcess(0);
 55 |                    //Heuristics (Smart guy may use DbgBreakPoint instead of DbgUiRemoteBreakin
 56 |                    if(eip_==addr_DbgPnt) ExitProcess(0);
 57 |                    //Smarter guy may manipulate DebugActiveProcess and replace RtlCreateUserThread with CreateRemoteThread
 58 |                    if(eax_==addr_Dbg || eax_==addr_DbgPnt) ExitProcess(0);
 59 |            }
 60 |            else if(ver==1)  //Win7
 61 |            {
 62 |                    //No matter whether RtlCreateUserThread or CreateRemoteThread is used, the eip is ntdll.RtlUserThreadStart and eax is thread entrypoint
 63 |                    if(eip_==addr_RtlUserThreadStart)
 64 |                    {
 65 |                            if(eax_==addr_Dbg || eax_==addr_DbgPnt) ExitProcess(0);
 66 |                    }
 67 |            }
 68 |  
 69 |            //For this to work, plz don't optimize
 70 |            __asm
 71 |            {
 72 |                    leave
 73 |                    jmp dword ptr[backup]
 74 |            }
 75 | }
 76 | int main(int argc, char* argv[])
 77 | {
 78 |         //---------------version info---------------------------------------
 79 |         OSVERSIONINFOEx OSI={sizeof(OSI)};
 80 |         GetVersionEx((OSVERSIONINFO*)&OSI);
 81 |         if(OSI.dwMajorVersion==5 && OSI.dwMinorVersion==1) ver=0;
 82 |         else if(OSI.dwMajorVersion==6 && OSI.dwMinorVersion==1) ver=1;
 83 |         else ver=-1;
 84 |         //------------------------------------------------------------------
 85 |         addr_RtlUserThreadStart=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlUserThreadStart");
 86 |         addr_Dbg=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"DbgUiRemoteBreakin");
 87 |         addr_DbgPnt=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"DbgBreakPoint");
 88 |         p=(unsigned char*)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwContinue");
 89 |         unsigned long old;
 90 |  
 91 |         backup=(char*)VirtualAlloc(0,0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 92 |         memcpy(backup,p,0x5);
 93 |         backup[0x5]=0x68;  //push
 94 |         *(unsigned long*)(&backup[0x6])=(unsigned long)(p+0x5);
 95 |         backup[0xA]=0xC3;  //retn
 96 |  
 97 |         VirtualProtect(p,5,PAGE_EXECUTE_READWRITE,&old);
 98 |         *p=0xE9;  //opcode for jmp
 99 |         *(unsigned long*)(p+1)=relativeOffset((unsigned long)p,(unsigned long)&HookFunc);
100 |  
101 |         VirtualProtect(p,5,old,&old);
102 |         //----------------------Shitty stuff------------------------------------
103 |         int x=0;
104 |         while(1)
105 |         {
106 | 			Sleep(1000);
107 | 			printf("%s %d\r\n","walied",x);
108 |             x++;
109 |         }
110 | 		return 0;
111 | }


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ZwContinue.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="ZwContinue" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=ZwContinue - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "ZwContinue.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "ZwContinue.mak" CFG="ZwContinue - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "ZwContinue - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "ZwContinue - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "ZwContinue - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG"
 46 | # ADD RSC /l 0x409 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "ZwContinue - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Target_Dir ""
 66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 68 | # ADD BASE RSC /l 0x409 /d "_DEBUG"
 69 | # ADD RSC /l 0x409 /d "_DEBUG"
 70 | BSC32=bscmake.exe
 71 | # ADD BASE BSC32 /nologo
 72 | # ADD BSC32 /nologo
 73 | LINK32=link.exe
 74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | 
 77 | !ENDIF 
 78 | 
 79 | # Begin Target
 80 | 
 81 | # Name "ZwContinue - Win32 Release"
 82 | # Name "ZwContinue - Win32 Debug"
 83 | # Begin Group "Source Files"
 84 | 
 85 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 86 | # Begin Source File
 87 | 
 88 | SOURCE=.\StdAfx.cpp
 89 | # ADD CPP /Yc"stdafx.h"
 90 | # End Source File
 91 | # Begin Source File
 92 | 
 93 | SOURCE=.\ZwContinue.cpp
 94 | # End Source File
 95 | # End Group
 96 | # Begin Group "Header Files"
 97 | 
 98 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
 99 | # Begin Source File
100 | 
101 | SOURCE=.\StdAfx.h
102 | # End Source File
103 | # End Group
104 | # Begin Group "Resource Files"
105 | 
106 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
107 | # End Group
108 | # Begin Source File
109 | 
110 | SOURCE=.\ReadMe.txt
111 | # End Source File
112 | # End Target
113 | # End Project
114 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ZwContinue.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "ZwContinue"=".\ZwContinue.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ZwContinue.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/ZwContinue.ncb


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ZwContinue.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/ZwContinue.opt


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/ZwContinue.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: ZwContinue - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3D2C.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/ZwContinue.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ  /c 
12 | "H:\microsoft visual studio\VC6\MyProjects\ZwContinue\ZwContinue.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSP3D2C.tmp" 
15 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3D2D.tmp" with contents
16 | [
17 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/ZwContinue.pch" /Yc"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ  /c 
18 | "H:\microsoft visual studio\VC6\MyProjects\ZwContinue\StdAfx.cpp"
19 | ]
20 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSP3D2D.tmp" 
21 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSP3D2E.tmp" with contents
22 | [
23 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/ZwContinue.pdb" /debug /machine:I386 /out:"Debug/ZwContinue.exe" /pdbtype:sept 
24 | ".\Debug\StdAfx.obj"
25 | ".\Debug\ZwContinue.obj"
26 | ]
27 | Creating command line "link.exe @C:\Users\walied\AppData\Local\Temp\RSP3D2E.tmp"
28 | <h3>Output Window</h3>
29 | Compiling...
30 | StdAfx.cpp
31 | Compiling...
32 | ZwContinue.cpp
33 | H:\microsoft visual studio\VC6\MyProjects\ZwContinue\ZwContinue.cpp(15) : warning C4146: unary minus operator applied to unsigned type, result still unsigned
34 | H:\microsoft visual studio\VC6\MyProjects\ZwContinue\ZwContinue.cpp(95) : warning C4305: '=' : truncation from 'const int' to 'char'
35 | H:\microsoft visual studio\VC6\MyProjects\ZwContinue\ZwContinue.cpp(95) : warning C4309: '=' : truncation of constant value
36 | Linking...
37 | 
38 | 
39 | 
40 | <h3>Results</h3>
41 | ZwContinue.exe - 0 error(s), 3 warning(s)
42 | </pre>
43 | </body>
44 | </html>
45 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/test.cpp:
--------------------------------------------------------------------------------
  1 | //http://waleedassar.blogspot.com - (@waleedassar)
  2 | //This code shows how to hook the "ZwContinue" function in order to detect debuggers trying to attach.
  3 | //Tested with Windows XP SP2/SP3 and Windows 7 SP1.
  4 | #include "stdafx.h"
  5 | #include "windows.h"
  6 | #include "stdio.h"
  7 |  
  8 | unsigned long relativeOffset(unsigned long from,unsigned long to)
  9 | {
 10 |         unsigned long diff=0;
 11 |         if(from>to)
 12 |         {
 13 | 			//5-byte jump instruction
 14 | 			diff=((unsigned long)from+5)-(unsigned long)to;
 15 | 			diff=-diff;
 16 |         }
 17 |         else
 18 |         {
 19 | 			diff=(unsigned long)to-((unsigned long)from+5);
 20 |         }
 21 |         return diff;
 22 | }
 23 |  
 24 | struct OSVERSIONINFOEx
 25 | {
 26 |   DWORD dwOSVersionInfoSize;
 27 |   DWORD dwMajorVersion;
 28 |   DWORD dwMinorVersion;
 29 |   DWORD dwBuildNumber;
 30 |   DWORD dwPlatformId;
 31 |   TCHAR szCSDVersion[128];
 32 |   WORD  wServicePackMajor;
 33 |   WORD  wServicePackMinor;
 34 |   WORD  wSuiteMask;
 35 |   BYTE  wProductType;
 36 |   BYTE  wReserved;
 37 | };
 38 |  
 39 | unsigned long ver;   //0 if XP, 1 if win7, -1 otherwise.
 40 | unsigned char* p;  //holds address of ZwContinue
 41 | unsigned long addr_Dbg;   //holds address of DbgUiRemoteBreakin
 42 | unsigned long addr_DbgPnt;   //holds address of DbgBreakPoint
 43 | unsigned long addr_RtlUserThreadStart; ////holds address of RtlUserThreadStart
 44 |  
 45 | char* backup;    //here we backup the first 5 bytes of ZwContinue.
 46 |  
 47 | void HookFunc(char* pCOntext)
 48 | {
 49 |            unsigned long eip_=*(unsigned long*)(pCOntext+0xB8);   //StartAddress
 50 |            unsigned long eax_=*(unsigned long*)(pCOntext+0xB0);   //Win32StartAddress
 51 |            if(ver==0)  //xp
 52 |            {
 53 |                    //Since the attaching thread is created via RtlCreateUserThread, then eip should be DbgUiRemoteBreakin and eax should be zero
 54 |                    if(eip_==addr_Dbg) ExitProcess(0);
 55 |                    //Heuristics (Smart guy may use DbgBreakPoint instead of DbgUiRemoteBreakin
 56 |                    if(eip_==addr_DbgPnt) ExitProcess(0);
 57 |                    //Smarter guy may manipulate DebugActiveProcess and replace RtlCreateUserThread with CreateRemoteThread
 58 |                    if(eax_==addr_Dbg || eax_==addr_DbgPnt) ExitProcess(0);
 59 |            }
 60 |            else if(ver==1)  //Win7
 61 |            {
 62 |                    //No matter whether RtlCreateUserThread or CreateRemoteThread is used, the eip is ntdll.RtlUserThreadStart and eax is thread entrypoint
 63 |                    if(eip_==addr_RtlUserThreadStart)
 64 |                    {
 65 |                            if(eax_==addr_Dbg || eax_==addr_DbgPnt) ExitProcess(0);
 66 |                    }
 67 |            }
 68 |  
 69 |            //For this to work, plz don't optimize
 70 |            __asm
 71 |            {
 72 |                    leave
 73 |                    jmp dword ptr[backup]
 74 |            }
 75 | }
 76 | int main(int argc, char* argv[])
 77 | {
 78 |         //---------------version info---------------------------------------
 79 |         OSVERSIONINFOEx OSI={sizeof(OSI)};
 80 |         GetVersionEx((OSVERSIONINFO*)&OSI);
 81 |         if(OSI.dwMajorVersion==5 && OSI.dwMinorVersion==1) ver=0;
 82 |         else if(OSI.dwMajorVersion==6 && OSI.dwMinorVersion==1) ver=1;
 83 |         else ver=-1;
 84 |         //------------------------------------------------------------------
 85 |         addr_RtlUserThreadStart=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlUserThreadStart");
 86 |         addr_Dbg=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"DbgUiRemoteBreakin");
 87 |         addr_DbgPnt=(unsigned long)GetProcAddress(GetModuleHandle("ntdll.dll"),"DbgBreakPoint");
 88 |         p=(unsigned char*)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwContinue");
 89 |         unsigned long old;
 90 |  
 91 |         backup=(char*)VirtualAlloc(0,0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 92 |         memcpy(backup,p,0x5);
 93 |         backup[0x5]=0x68;  //push
 94 |         *(unsigned long*)(&backup[0x6])=(unsigned long)(p+0x5);
 95 |         backup[0xA]=0xC3;  //retn
 96 |  
 97 |         VirtualProtect(p,5,PAGE_EXECUTE_READWRITE,&old);
 98 |         *p=0xE9;  //opcode for jmp
 99 |         *(unsigned long*)(p+1)=relativeOffset((unsigned long)p,(unsigned long)&HookFunc);
100 |  
101 |         VirtualProtect(p,5,old,&old);
102 |         //----------------------Shitty stuff------------------------------------
103 |         int x=0;
104 |         while(1)
105 |         {
106 | 			Sleep(1000);
107 | 			printf("%s %d\r\n","walied",x);
108 |             x++;
109 |         }
110 | 		return 0;
111 | }


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/test.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="test" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=test - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "test.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "test.mak" CFG="test - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "test - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "test - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "test - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG"
 46 | # ADD RSC /l 0x409 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "test - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Target_Dir ""
 66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 68 | # ADD BASE RSC /l 0x409 /d "_DEBUG"
 69 | # ADD RSC /l 0x409 /d "_DEBUG"
 70 | BSC32=bscmake.exe
 71 | # ADD BASE BSC32 /nologo
 72 | # ADD BSC32 /nologo
 73 | LINK32=link.exe
 74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | 
 77 | !ENDIF 
 78 | 
 79 | # Begin Target
 80 | 
 81 | # Name "test - Win32 Release"
 82 | # Name "test - Win32 Debug"
 83 | # Begin Group "Source Files"
 84 | 
 85 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 86 | # Begin Source File
 87 | 
 88 | SOURCE=.\StdAfx.cpp
 89 | # ADD CPP /Yc"stdafx.h"
 90 | # End Source File
 91 | # Begin Source File
 92 | 
 93 | SOURCE=.\test.cpp
 94 | # End Source File
 95 | # End Group
 96 | # Begin Group "Header Files"
 97 | 
 98 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
 99 | # Begin Source File
100 | 
101 | SOURCE=.\StdAfx.h
102 | # End Source File
103 | # End Group
104 | # Begin Group "Resource Files"
105 | 
106 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
107 | # End Group
108 | # Begin Source File
109 | 
110 | SOURCE=.\ReadMe.txt
111 | # End Source File
112 | # End Target
113 | # End Project
114 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/test.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "test"=".\test.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/test.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/test.ncb


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/test.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Attaching/ZwContinue/test.opt


--------------------------------------------------------------------------------
/Anti-Attaching/ZwContinue/test.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: test - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSPC47B.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/test.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ /c 
12 | "H:\microsoft visual studio\VC6\MyProjects\test\test.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSPC47B.tmp" 
15 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSPC47C.tmp" with contents
16 | [
17 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/test.pch" /Yc"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /GZ /c 
18 | "H:\microsoft visual studio\VC6\MyProjects\test\StdAfx.cpp"
19 | ]
20 | Creating command line "cl.exe @C:\Users\walied\AppData\Local\Temp\RSPC47C.tmp" 
21 | Creating temporary file "C:\Users\walied\AppData\Local\Temp\RSPC47D.tmp" with contents
22 | [
23 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /incremental:yes /pdb:"Debug/test.pdb" /debug /machine:I386 /out:"Debug/test.exe" /pdbtype:sept 
24 | ".\Debug\StdAfx.obj"
25 | ".\Debug\test.obj"
26 | ]
27 | Creating command line "link.exe @C:\Users\walied\AppData\Local\Temp\RSPC47D.tmp"
28 | <h3>Output Window</h3>
29 | Compiling...
30 | StdAfx.cpp
31 | Compiling...
32 | test.cpp
33 | H:\microsoft visual studio\VC6\MyProjects\test\test.cpp(15) : warning C4146: unary minus operator applied to unsigned type, result still unsigned
34 | H:\microsoft visual studio\VC6\MyProjects\test\test.cpp(95) : warning C4305: '=' : truncation from 'const int' to 'char'
35 | H:\microsoft visual studio\VC6\MyProjects\test\test.cpp(95) : warning C4309: '=' : truncation of constant value
36 | Linking...
37 | 
38 | 
39 | 
40 | <h3>Results</h3>
41 | test.exe - 0 error(s), 3 warning(s)
42 | </pre>
43 | </body>
44 | </html>
45 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/ReadMe.txt:
--------------------------------------------------------------------------------
 1 | ========================================================================
 2 |        CONSOLE APPLICATION : pxm
 3 | ========================================================================
 4 | 
 5 | 
 6 | AppWizard has created this pxm application for you.  
 7 | 
 8 | This file contains a summary of what you will find in each of the files that
 9 | make up your pxm application.
10 | 
11 | pxm.dsp
12 |     This file (the project file) contains information at the project level and
13 |     is used to build a single project or subproject. Other users can share the
14 |     project (.dsp) file, but they should export the makefiles locally.
15 | 
16 | pxm.cpp
17 |     This is the main application source file.
18 | 
19 | 
20 | /////////////////////////////////////////////////////////////////////////////
21 | Other standard files:
22 | 
23 | StdAfx.h, StdAfx.cpp
24 |     These files are used to build a precompiled header (PCH) file
25 |     named pxm.pch and a precompiled types file named StdAfx.obj.
26 | 
27 | 
28 | /////////////////////////////////////////////////////////////////////////////
29 | Other notes:
30 | 
31 | AppWizard uses "TODO:" to indicate parts of the source code you
32 | should add to or customize.
33 | 
34 | /////////////////////////////////////////////////////////////////////////////
35 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/StdAfx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | //	pxm.pch will be the pre-compiled header
3 | //	stdafx.obj will contain the pre-compiled type information
4 | 
5 | #include "stdafx.h"
6 | 
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/StdAfx.h:
--------------------------------------------------------------------------------
 1 | // stdafx.h : include file for standard system include files,
 2 | //  or project specific include files that are used frequently, but
 3 | //      are changed infrequently
 4 | //
 5 | 
 6 | #if !defined(AFX_STDAFX_H__9F9B4A75_2BEB_41CD_A602_F607DFC431DB__INCLUDED_)
 7 | #define AFX_STDAFX_H__9F9B4A75_2BEB_41CD_A602_F607DFC431DB__INCLUDED_
 8 | 
 9 | #if _MSC_VER > 1000
10 | #pragma once
11 | #endif // _MSC_VER > 1000
12 | 
13 | 
14 | // TODO: reference additional headers your program requires here
15 | 
16 | //{{AFX_INSERT_LOCATION}}
17 | // Microsoft Visual C++ will insert additional declarations immediately before the previous line.
18 | 
19 | #endif // !defined(AFX_STDAFX_H__9F9B4A75_2BEB_41CD_A602_F607DFC431DB__INCLUDED_)
20 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/pxm.cpp:
--------------------------------------------------------------------------------
 1 | // pxm.cpp : Defines the entry point for the console application.
 2 | //
 3 | 
 4 | #include "stdafx.h"
 5 | 
 6 | extern "C"
 7 | {
 8 | 	int __stdcall MessageBoxA(int,char*,char*,int);
 9 | }
10 | 
11 | struct BLAH_BLAH
12 | {
13 | 	int A,B;
14 | 	int* pIndex;
15 | 	void(__stdcall **f)(void*,int,void*);
16 | 	int C,D;
17 | };
18 | 
19 | void __stdcall clb(void*,int reason,void*)
20 | {
21 | 	if(reason==1)  /*  DLL_PROCESS_ATTACH  */
22 | 		MessageBoxA(0,"walied","hi",0);
23 | }
24 | 
25 | 
26 | int x[2]={1,0};
27 | void(__stdcall *ft[2])(void*,int,void*)={&clb,0};
28 | 
29 | 
30 | extern "C"
31 | {
32 | 	/* object name must be _tls_used */
33 | 	BLAH_BLAH _tls_used={0,0,x,ft,0,0};
34 | }
35 | 
36 | int main(int argc, char* argv[])
37 | {
38 | 
39 | 	return 0;
40 | }
41 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/pxm.dsp:
--------------------------------------------------------------------------------
  1 | # Microsoft Developer Studio Project File - Name="pxm" - Package Owner=<4>
  2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00
  3 | # ** DO NOT EDIT **
  4 | 
  5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103
  6 | 
  7 | CFG=pxm - Win32 Debug
  8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE,
  9 | !MESSAGE use the Export Makefile command and run
 10 | !MESSAGE 
 11 | !MESSAGE NMAKE /f "pxm.mak".
 12 | !MESSAGE 
 13 | !MESSAGE You can specify a configuration when running NMAKE
 14 | !MESSAGE by defining the macro CFG on the command line. For example:
 15 | !MESSAGE 
 16 | !MESSAGE NMAKE /f "pxm.mak" CFG="pxm - Win32 Debug"
 17 | !MESSAGE 
 18 | !MESSAGE Possible choices for configuration are:
 19 | !MESSAGE 
 20 | !MESSAGE "pxm - Win32 Release" (based on "Win32 (x86) Console Application")
 21 | !MESSAGE "pxm - Win32 Debug" (based on "Win32 (x86) Console Application")
 22 | !MESSAGE 
 23 | 
 24 | # Begin Project
 25 | # PROP AllowPerConfigDependencies 0
 26 | # PROP Scc_ProjName ""
 27 | # PROP Scc_LocalPath ""
 28 | CPP=cl.exe
 29 | RSC=rc.exe
 30 | 
 31 | !IF  "$(CFG)" == "pxm - Win32 Release"
 32 | 
 33 | # PROP BASE Use_MFC 0
 34 | # PROP BASE Use_Debug_Libraries 0
 35 | # PROP BASE Output_Dir "Release"
 36 | # PROP BASE Intermediate_Dir "Release"
 37 | # PROP BASE Target_Dir ""
 38 | # PROP Use_MFC 0
 39 | # PROP Use_Debug_Libraries 0
 40 | # PROP Output_Dir "Release"
 41 | # PROP Intermediate_Dir "Release"
 42 | # PROP Target_Dir ""
 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 45 | # ADD BASE RSC /l 0xc01 /d "NDEBUG"
 46 | # ADD RSC /l 0xc01 /d "NDEBUG"
 47 | BSC32=bscmake.exe
 48 | # ADD BASE BSC32 /nologo
 49 | # ADD BSC32 /nologo
 50 | LINK32=link.exe
 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386
 53 | 
 54 | !ELSEIF  "$(CFG)" == "pxm - Win32 Debug"
 55 | 
 56 | # PROP BASE Use_MFC 0
 57 | # PROP BASE Use_Debug_Libraries 1
 58 | # PROP BASE Output_Dir "Debug"
 59 | # PROP BASE Intermediate_Dir "Debug"
 60 | # PROP BASE Target_Dir ""
 61 | # PROP Use_MFC 0
 62 | # PROP Use_Debug_Libraries 1
 63 | # PROP Output_Dir "Debug"
 64 | # PROP Intermediate_Dir "Debug"
 65 | # PROP Ignore_Export_Lib 0
 66 | # PROP Target_Dir ""
 67 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /GZ  /c
 68 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Yu"stdafx.h" /FD /c
 69 | # ADD BASE RSC /l 0xc01 /d "_DEBUG"
 70 | # ADD RSC /l 0xc01 /d "_DEBUG"
 71 | BSC32=bscmake.exe
 72 | # ADD BASE BSC32 /nologo
 73 | # ADD BSC32 /nologo
 74 | LINK32=link.exe
 75 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib  kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept
 76 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /entry:"main" /subsystem:console /incremental:no /machine:I386 /nodefaultlib /pdbtype:sept
 77 | # SUBTRACT LINK32 /pdb:none
 78 | 
 79 | !ENDIF 
 80 | 
 81 | # Begin Target
 82 | 
 83 | # Name "pxm - Win32 Release"
 84 | # Name "pxm - Win32 Debug"
 85 | # Begin Group "Source Files"
 86 | 
 87 | # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
 88 | # Begin Source File
 89 | 
 90 | SOURCE=.\pxm.cpp
 91 | # End Source File
 92 | # Begin Source File
 93 | 
 94 | SOURCE=.\StdAfx.cpp
 95 | # ADD CPP /Yc"stdafx.h"
 96 | # End Source File
 97 | # End Group
 98 | # Begin Group "Header Files"
 99 | 
100 | # PROP Default_Filter "h;hpp;hxx;hm;inl"
101 | # Begin Source File
102 | 
103 | SOURCE=.\StdAfx.h
104 | # End Source File
105 | # End Group
106 | # Begin Group "Resource Files"
107 | 
108 | # PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
109 | # End Group
110 | # Begin Source File
111 | 
112 | SOURCE=.\ReadMe.txt
113 | # End Source File
114 | # End Target
115 | # End Project
116 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/pxm.dsw:
--------------------------------------------------------------------------------
 1 | Microsoft Developer Studio Workspace File, Format Version 6.00
 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
 3 | 
 4 | ###############################################################################
 5 | 
 6 | Project: "pxm"=".\pxm.dsp" - Package Owner=<4>
 7 | 
 8 | Package=<5>
 9 | {{{
10 | }}}
11 | 
12 | Package=<4>
13 | {{{
14 | }}}
15 | 
16 | ###############################################################################
17 | 
18 | Global:
19 | 
20 | Package=<5>
21 | {{{
22 | }}}
23 | 
24 | Package=<3>
25 | {{{
26 | }}}
27 | 
28 | ###############################################################################
29 | 
30 | 


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/pxm.ncb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Debugging/TLSCallback/pxm.ncb


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/pxm.opt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/waleedassar/antidebug/e4c6543d0d029f5d8252e772743b30f8f1fc03e8/Anti-Debugging/TLSCallback/pxm.opt


--------------------------------------------------------------------------------
/Anti-Debugging/TLSCallback/pxm.plg:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <body>
 3 | <pre>
 4 | <h1>Build Log</h1>
 5 | <h3>
 6 | --------------------Configuration: pxm - Win32 Debug--------------------
 7 | </h3>
 8 | <h3>Command Lines</h3>
 9 | Creating temporary file "C:\Users\mahamed\AppData\Local\Temp\RSP416B.tmp" with contents
10 | [
11 | /nologo /MLd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /Fp"Debug/pxm.pch" /Yu"stdafx.h" /Fo"Debug/" /Fd"Debug/" /FD /c 
12 | "C:\microsoft visual studio\MyProjects\pxm\pxm.cpp"
13 | ]
14 | Creating command line "cl.exe @C:\Users\mahamed\AppData\Local\Temp\RSP416B.tmp" 
15 | Creating temporary file "C:\Users\mahamed\AppData\Local\Temp\RSP416C.tmp" with contents
16 | [
17 | kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /entry:"main" /subsystem:console /incremental:no /pdb:"Debug/pxm.pdb" /machine:I386 /nodefaultlib /out:"Debug/pxm.exe" /pdbtype:sept 
18 | ".\Debug\StdAfx.obj"
19 | ".\Debug\pxm.obj"
20 | ]
21 | Creating command line "link.exe @C:\Users\mahamed\AppData\Local\Temp\RSP416C.tmp"
22 | <h3>Output Window</h3>
23 | Compiling...
24 | pxm.cpp
25 | Linking...
26 | LINK : warning LNK4075: ignoring /EDITANDCONTINUE due to /INCREMENTAL:NO specification
27 | 
28 | 
29 | 
30 | <h3>Results</h3>
31 | pxm.exe - 0 error(s), 1 warning(s)
32 | </pre>
33 | </body>
34 | </html>
35 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # antidebug
2 | Collection Of Anti-Debugging Tricks
3 | 


--------------------------------------------------------------------------------