debugme.asm

The example that shows how to use int2e trick to use ZwSetInformationThread to hide from ring3 debug

format PE GUI 4.0

include '%fasminc%\win32a.inc'

section '' readable writeable

entry $

; ###################################################

include 'systructs.inc'

macro assume reg,struct
{
  virtual at reg
    .#reg struct
  end virtual
}

antidebug:
     xor eax,eax
     assume edx,PEB
     mov edx,[fs:eax+48]
     mov ecx,[.edx.Ldr]
     jecxz .adbg_w9x
     mov dx,[.edx.OSBuildNumber]
.check_2k:
     cmp dx,2195 ; Windows 2000
     jne .check_xp
     mov al,199
     jmp .adbg_nt
.check_xp:
     cmp dx,2600 ; Windows XP
     jne .check_2k3
     mov al,229
     jmp .adbg_nt
.check_2k3:
     cmp dx,3790 ; Server 2003
     jne .adbg_quit
     mov al,238
     ;jmp .adbg_nt
.adbg_nt:
     xor ecx,ecx
     push ecx
     push ecx
     push 17
     push -2
     call @f
@@:  add dword [esp],@f-@r
     lea edx,[esp+4]
     int 46 ; call ZwSetInformationThread(-2,17,0,0)
@@:  add esp,20
     ;jmp .adbg_quit
.adbg_w9x:
.adbg_quit:

; ###################################################

invoke MessageBoxW,0,0,0,0
retn

data import

     library user32,'USER32.DLL'

     import user32,\
	    MessageBoxW,'MessageBoxW'

end data