Friday, October 28, 2011

Using NtGlobalFlag

This is probably not the right way to go about implementing an NtGlobalFlag check in an exe; I looked around a bit but couldn't find anything else, so I decided to use OllyDbg to do some manual patching. Like I said, probably not the best way - I just did this for fun. If you know a better way to do this, it would be awesome if you could take a few minutes and let me know in the comments section below.


I did not want to write assembly from scratch, so I compiled the following code.

#include <stdio.h>

/* Dummy function: its unused locals give the compiler a small stack frame
 * whose bytes can be overwritten with the NtGlobalFlag check in OllyDbg. */
void blah() {
    int x, y, z;
}

int main() {
    blah();
    printf("no debugger present\n");
    return 0;
    /* Unreachable as compiled; the binary patch redirects here when the
     * debugger flags are set in the PEB. */
    printf("debugger present\n");
    getchar();
}
Did a binary patch and filled the rest with NOPs ...

... and ran it ...

There are loads of posts out there describing ways to circumvent this - so yeah, that's about it for this post.


[UPDATE]
Using inline assembly is probably the right way to go about doing this.
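The same check in C, as an added example rather than code from the original post: the PEB is read through the MSVC/MinGW intrinsics __readfsdword/__readgsqword instead of raw inline assembly, and the decision logic is split into its own function so it can be exercised with constructed flag values on any platform. Assumed: the PEB offsets 0x68 (32-bit) and 0xBC (64-bit) for NtGlobalFlag, and that the exe was started under the debugger (the heap flags are set at process creation, not on a later attach, and a gflags/IFEO entry can set them with no debugger at all).

```c
#include <stdio.h>

/* Heap flags that ntdll sets in PEB->NtGlobalFlag for a process created
 * under a debugger. Together they form the 0x70 mask checked below. */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)

/* Pure decision logic: 1 when all three heap flags are set, 0 otherwise.
 * Kept free of any Windows dependency so it can be tested anywhere. */
int ntglobalflag_indicates_debugger(unsigned long ntglobalflag) {
    return (ntglobalflag & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

#if defined(_WIN32)
#include <intrin.h>
/* Read NtGlobalFlag from the current process's PEB. Offsets are assumed
 * from the public PEB layout; a Wow64 process also has a 64-bit PEB
 * carrying the same field, which this function does not consult. */
static unsigned long read_ntglobalflag(void) {
#if defined(_WIN64)
    unsigned char *peb = (unsigned char *)__readgsqword(0x60); /* TEB64->ProcessEnvironmentBlock */
    return *(unsigned long *)(peb + 0xBC);                      /* PEB64->NtGlobalFlag */
#else
    unsigned char *peb = (unsigned char *)__readfsdword(0x30); /* TEB32->ProcessEnvironmentBlock */
    return *(unsigned long *)(peb + 0x68);                      /* PEB32->NtGlobalFlag */
#endif
}
#endif

int main(void) {
#if defined(_WIN32)
    unsigned long flags = read_ntglobalflag();
    printf("NtGlobalFlag = 0x%lx\n", flags);
#else
    /* Constructed sample value (no PEB on this platform): 0x70 is what a
     * debugged process would show, 0x0 a normally started one. */
    unsigned long flags = 0x70;
#endif
    puts(ntglobalflag_indicates_debugger(flags) ? "debugger present"
                                                 : "no debugger present");
    return 0;
}
```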

2 comments:

  1. For Wow64 processes, don't forget to null the "NtGlobalFlag" field for the 64-bit PEB.

    Replies
    1. Cool stuff -- thanks for adding that point in!