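/*==============================================================================
 Description: Example code for the IsDebuggerPresent anti-debugging technique.
              A deliberately unbounded strcpy() sits in the code path that is
              reached only when IsDebuggerPresent() reports no debugger, so the
              overflow can be studied with the anti-debugging check in front
              of it.
 Author: Saint Patrick

 Review notes:
   - The buffer overflow in main() is INTENTIONAL teaching material. The
     bounded replacement is shown in a comment next to it but not applied,
     because applying it would remove the thing the sample demonstrates.
   - Windows only: BOOL, HINSTANCE, LoadLibraryEx, GetProcAddress and
     FreeLibrary come from <windows.h>.
==============================================================================*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the stack buffer that the demo overflows. */
#define BUFFER_SIZE 250

BOOL isDebuggerPresent(void);

/*
 * Entry point.
 *
 * argv[1] is the "donation" string that gets copied into a fixed-size stack
 * buffer.  Behaviour:
 *   - a debugger is detected  -> exit(0) before the buffer is touched;
 *   - no argument supplied    -> usage message, return 1;
 *   - otherwise               -> echo argv[1] and copy it, unbounded, into
 *                                the buffer (the intentional overflow).
 */
int main(int argc, char *argv[])
{
    /* Automatic (stack) buffer - the original comment called it "static",
     * but it lives in main()'s frame, which is exactly what the unbounded
     * copy below overruns when argv[1] exceeds BUFFER_SIZE - 1 bytes. */
    char buffer[BUFFER_SIZE];

    if (isDebuggerPresent()) {
        /* Anti-debugging: bail out quietly so the vulnerable path is never
         * reached while a debugger is attached. */
        exit(0);
    }

    /* Without an argument argv[1] is NULL; passing it to printf("%s") and
     * strcpy() is undefined behaviour that has nothing to do with the
     * overflow being demonstrated, so reject that case explicitly. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <donation>\n", argv[0]);
        return 1;
    }

    /* Print something and then do the devil's dance.  The format string is
     * a literal and argv[1] is passed as an argument, so this printf() is
     * not a format-string bug. */
    printf("L1pht appreciates your donation of: %s", argv[1]);

    /* INTENTIONAL VULNERABILITY - do not copy into real code.
     * strcpy() performs no bounds check, so an argv[1] longer than
     * BUFFER_SIZE - 1 bytes writes past the end of 'buffer' and over the
     * rest of the stack frame.  The bounded equivalent would be:
     *     snprintf(buffer, sizeof buffer, "%s", argv[1]);
     */
    strcpy(buffer, argv[1]);

    return 0;
}

/*
 * Resolve kernel32!IsDebuggerPresent at run time and call it.
 *
 * The API is looked up with LoadLibraryEx/GetProcAddress rather than linked
 * as a normal import, so the name does not appear in the import table.
 * (Adapted from a forum post on IsDebuggerPresent by mudlord.)
 *
 * Returns TRUE when the API reports an attached debugger, FALSE otherwise.
 * A failed library load or a missing export also yields FALSE, i.e. lookup
 * failure is treated as "not debugged" and silently lets the vulnerable
 * path in main() run.
 *
 * NOTE(review): IsDebuggerPresent() is documented by Microsoft as reporting
 * the PEB BeingDebugged flag, which a debugger or plugin can clear; treat
 * this as a first-line check, not a strong one.  kernel32.dll is already
 * mapped into every process, so GetModuleHandle("kernel32.dll") would avoid
 * the load/free pair entirely; the LoadLibraryEx form is kept here to match
 * the original sample.
 */
BOOL isDebuggerPresent(void)
{
    /* Real signature of the export, so the call below is made through a
     * prototyped pointer instead of an argument-less FARPROC. */
    typedef BOOL (WINAPI *IsDebuggerPresentFn)(void);

    BOOL result = FALSE;

    /* Get a handle to kernel32.dll (this only bumps its reference count). */
    HINSTANCE kern_lib = LoadLibraryEx("kernel32.dll", NULL, 0);
    if (kern_lib == NULL) {
        return result;
    }

    /* Resolve the export and, if found, ask it whether we are being debugged. */
    IsDebuggerPresentFn lIsDebuggerPresent =
        (IsDebuggerPresentFn)GetProcAddress(kern_lib, "IsDebuggerPresent");
    if (lIsDebuggerPresent != NULL && lIsDebuggerPresent()) {
        result = TRUE;
    }

    FreeLibrary(kern_lib);

    /* Return the result of IsDebuggerPresent. */
    return result;
}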