Friday, October 28, 2011

Using NtGlobalFlag

This is probably not the right way to go about implementing an NtGlobalFlag check in an exe; I looked around a bit but couldn't find anything else, so I decided to use OllyDbg to do some manual patching. Like I said, probably not the best way - I just did this for fun. If you know a better way to do this, it would be awesome if you could take a few minutes and let me know in the comments section below.

I did not want to write assembly from scratch, so I compiled the following code.

#include <stdio.h>

/* Dummy function: leaves some bytes to patch over in OllyDbg */
void blah() { int x, y, z; }

int main() {
    printf("no debugger present\n");
    return 0;
    /* Dead code, only reached after the binary patch below */
    printf("debugger present\n");
}
Did a binary patch and filled the rest with NOPs ...

and ran it ...

There are loads of posts out there describing ways to circumvent this - so yeah, that's about it for this post.

Using inline assembly is probably the right way to go about doing this.
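For reference, here is what the same check looks like written directly in C instead of patched in with OllyDbg. This is an added example, not the code from the post: it reads the PEB pointer from fs:[0x30] (x86) or gs:[0x60] (x64), reads the NtGlobalFlag field at the offset for that PEB layout, and tests the three heap-debug bits (0x70) that the loader sets when a process is created under a debugger. The decision logic is split into its own function so it can be exercised on any platform; the PEB read itself only compiles for Windows.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(_WIN32) && defined(_MSC_VER)
#include <intrin.h>
#endif

/* FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK (0x20) |
 * FLG_HEAP_VALIDATE_PARAMETERS (0x40): set in PEB->NtGlobalFlag when the
 * process is started under a debugger. */
#define NTGF_HEAP_DEBUG_MASK 0x70u

/* Decision logic on a raw NtGlobalFlag value; portable and testable. */
int ntglobalflag_indicates_debugger(uint32_t flags) {
    return (flags & NTGF_HEAP_DEBUG_MASK) != 0;
}

/* Reads NtGlobalFlag of the current process from its own PEB.
 * PEB pointer: fs:[0x30] on x86, gs:[0x60] on x64.
 * NtGlobalFlag: PEB+0x68 in the 32-bit PEB, PEB+0xBC in the 64-bit PEB.
 * Returns -1 when not built for Windows. */
long long read_ntglobalflag(void) {
#if defined(_WIN32)
    uintptr_t peb;
#  if defined(_WIN64)
#    if defined(_MSC_VER)
    peb = (uintptr_t)__readgsqword(0x60);
#    else
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#    endif
    return (long long)*(volatile uint32_t *)(peb + 0xBC);
#  else
#    if defined(_MSC_VER)
    peb = (uintptr_t)__readfsdword(0x30);
#    else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#    endif
    return (long long)*(volatile uint32_t *)(peb + 0x68);
#  endif
#else
    return -1;   /* not Windows: no PEB to read */
#endif
}

int main(void) {
    long long flags = read_ntglobalflag();
    if (flags < 0) { printf("not a Windows build\n"); return 0; }
    printf("NtGlobalFlag = 0x%llx: %s\n", flags,
           ntglobalflag_indicates_debugger((uint32_t)flags) ? "debugger present" : "no debugger present");
    return 0;
}
```

This reads only the PEB that matches the build's bitness; a WoW64 (32-bit on 64-bit Windows) process also has a 64-bit PEB whose NtGlobalFlag field sits at offset 0xBC, which is why the comment about nulling that field in the 64-bit PEB matters.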


  1. For Wow64 processes, don't forget to null the "NtGlobalFlag" field for the 64-bit PEB.

    1. cool stuff -- thanks for adding that point in!