09-26-2005, 12:35
Peter[Pan]
 
Unseen Debugger Detection (Ollydbg)

Maybe somebody came across this before, but I just came across it in a program. It kept catching me, and I couldn't for the life of me find where. Finally, after a while, I came across the following and emulated it here. Any discussion, if you saw it, would be nice.

The program calls ZwQueryObject with a null handle and fills the OBJECT_ALL_TYPES_INFORMATION structure. It checks if the current object type is "DebugObject"; if it is, it then checks if pObject->TotalNumberOfHandles and pObject->TotalNumberOfObjects are greater than 0. If they are, then the program is being debugged. I didn't try it with SoftICE, as I didn't get it installed yet, but it detects OllyDbg just fine.

Here's the emulated code I wrote, and the compiled exe:
Attached Files
File Type: zip Detect.zip (14.4 KB, 88 views)
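Added example, not part of the original post or its attachment: a static triage helper for locating the check described above in a binary, by searching its bytes for the API name and for the "DebugObject" type-name literal. The function names and the sample bytes are constructed for illustration; `NtQueryObject` is included because ntdll exports the same routine under both names in user mode.

```python
"""Static triage for the ZwQueryObject / "DebugObject" debugger check."""

# ntdll exports the same routine under both names in user mode.
API_NAMES = (b"ZwQueryObject", b"NtQueryObject")
TYPE_NAME = "DebugObject"


def find_all(data, needle):
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def triage(data):
    """Locate the API name and the type-name literal the check compares against."""
    api = {n.decode(): find_all(data, n) for n in API_NAMES}
    # Object type names are UNICODE_STRINGs, so the literal is normally
    # UTF-16LE; ASCII is also searched in case the code converts first.
    name = {
        "utf-16le": find_all(data, TYPE_NAME.encode("utf-16-le")),
        "ascii": find_all(data, TYPE_NAME.encode("ascii")),
    }
    likely = any(api.values()) and any(name.values())
    return {"api": api, "type_name": name, "likely_check": likely}


# Constructed sample bytes (not a real executable): an API name string
# followed by the UTF-16LE type-name literal.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"ZwQueryObject\x00"
    + b"\x90" * 8
    + "DebugObject".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for kind in ("api", "type_name"):
        for label, offsets in report[kind].items():
            print(f"{kind:9} {label:14} {[hex(o) for o in offsets]}")
    print("likely DebugObject handle-count check:", report["likely_check"])
```

The offsets it reports are starting points for cross-references in a disassembler. A binary that builds or decrypts these strings at run time will not match.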