Code Taken From:
Guide on How to play with processes memory, write loaders and Oraculums
http://www.exetools.com/forum/showthread.php?t=6556
Many Thanks to Shub-Nigurrath
Code:
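/*
 * Patch kernel32!IsDebuggerPresent in the current process so that it
 * always returns 0.
 *
 * The export is resolved, its first 13 bytes are compared with the classic
 * 32-bit implementation
 *     64 A1 18 00 00 00   mov   eax, fs:[18h]           ; TEB
 *     8B 40 30            mov   eax, [eax+30h]          ; TEB->PEB
 *     0F B6 40 02         movzx eax, byte ptr [eax+2]   ; PEB->BeingDebugged
 * and, only on an exact match, the movzx at offset 9 is overwritten with
 *     33 C0               xor   eax, eax
 *     C3                  ret
 *
 * Returns the number of bytes written (3 on success), or 0 when kernel32 or
 * the export cannot be found, the prologue does not match, the read or
 * write fails, or the page protection cannot be changed.
 *
 * Caveats for anyone relying on this as an anti-anti-debug measure:
 *  - The signature is x86-only. On x64, or on a kernel32 build whose
 *    prologue differs, nothing is patched and 0 is returned.
 *  - Only callers that go through the kernel32 export are affected. Code
 *    that reads PEB->BeingDebugged inline, or uses other checks
 *    (NtQueryInformationProcess, CheckRemoteDebuggerPresent, ...), is not.
 *  - The write lands in this process's private copy-on-write page of
 *    kernel32; other processes are unaffected.
 */
unsigned long KillisDebuggerPresent()
{
    /* Expected prologue of the 32-bit kernel32!IsDebuggerPresent. */
    static const BYTE expected[13] = {
        0x64, 0xA1, 0x18, 0x00, 0x00, 0x00, /* mov   eax, fs:[18h]          */
        0x8B, 0x40, 0x30,                   /* mov   eax, [eax+30h]         */
        0x0F, 0xB6, 0x40, 0x02              /* movzx eax, byte ptr [eax+2]  */
    };
    /* Replacement for the movzx: xor eax, eax ; ret */
    static const BYTE patch[3] = { 0x33, 0xC0, 0xC3 };
    /* Offset of the movzx inside the prologue; the patch is written there. */
    const SIZE_T patch_offset = 9;

    BYTE actual[sizeof expected];
    HANDLE hProcess = GetCurrentProcess();
    HMODULE hKernel32;
    FARPROC addrIDP;
    BYTE *target;
    SIZE_T bytes_read = 0;
    SIZE_T bytes_written = 0;
    DWORD old_protect = 0;
    DWORD unused = 0;
    SIZE_T i;

    hKernel32 = GetModuleHandle("KERNEL32");
    if (hKernel32 == NULL)
        return 0;
    addrIDP = GetProcAddress(hKernel32, "IsDebuggerPresent");
    if (addrIDP == NULL)
        return 0;

    /* sizeof, not a hard-coded count: the original zeroed 16 bytes of a
     * 13-byte buffer (stack overflow). */
    ZeroMemory(actual, sizeof actual);

    /* A code page is already readable (PAGE_EXECUTE_READ), so no protection
     * change is needed for the read; temporarily dropping execute permission
     * (as the original did with PAGE_READONLY) would fault any other thread
     * running code on that page. */
    if (!ReadProcessMemory(hProcess, (LPCVOID)addrIDP, actual, sizeof actual, &bytes_read)
        || bytes_read != sizeof actual)
        return 0;

    /* Refuse to patch unknown code: a different prologue means the offset-9
     * assumption is wrong and the write would corrupt kernel32. */
    for (i = 0; i < sizeof expected; i++) {
        if (actual[i] != expected[i])
            return 0;
    }

    /* Plain pointer arithmetic instead of MSVC x86 inline asm. */
    target = (BYTE *)addrIDP + patch_offset;

    /* Keep the page executable while it is writable: another thread may be
     * executing code on the same page during the write window. */
    if (!VirtualProtectEx(hProcess, target, sizeof patch, PAGE_EXECUTE_READWRITE, &old_protect))
        return 0;
    if (!WriteProcessMemory(hProcess, target, patch, sizeof patch, &bytes_written))
        bytes_written = 0;
    /* Restore the original protection; a separate out-param keeps
     * old_protect intact. */
    VirtualProtectEx(hProcess, target, sizeof patch, old_protect, &unused);

    /* Make sure no stale pre-patch instructions are executed. */
    if (bytes_written != 0)
        FlushInstructionCache(hProcess, target, sizeof patch);

    return (unsigned long)bytes_written;
}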
Regards...