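/*
 * Description
 *   This is a small vulnerable program that is making use of process walking
 *   techniques to prevent debugging. The program takes in an argument, prints
 *   out the process walk, compares strings and then either exits or does a
 *   vulnerable call to strcpy();
 *
 * Author
 *   Saint patrick [saintpatrick@l1pht.com]
 */
#define UNICODE
#define _UNICODE
/* NOTE(review): the header names were lost when this listing was extracted;
 * these are the headers the identifiers used below require. */
#include <windows.h>
#include <tlhelp32.h>   // Needed for Process32First and Process32Next
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Element count of a true array (not a pointer parameter). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Size of the fixed stack buffer that the deliberate overflow targets. */
enum { BUFFER_SIZE = 150 };

BOOL foundDebug(void);

/*
 * Entry point: refuse to run when a listed debugger is present, otherwise
 * copy argv[1] into a fixed-size stack buffer with an unbounded strcpy().
 *
 * The strcpy() is the deliberate defect this program exists to demonstrate
 * (see the file comment); everything else here is meant to be correct.
 * Returns 0 on normal completion, 1 when no argument was supplied.
 */
int main(int argc, char *argv[])
{
    // Static Buffer @ 150
    char buffer[BUFFER_SIZE];

    // Without this check the program dereferences a NULL argv[1] and crashes
    // before the anti-debug walk can even be observed.
    if (argc < 2 || argv[1] == NULL) {
        fprintf(stderr, "usage: %s <string>\n", argc > 0 ? argv[0] : "program");
        return 1;
    }

    if (foundDebug()) {
        printf("Found debugger");
        exit(0);
    }

    // Print something and then do the devil's dance
    printf("You're a sexy beast %s", argv[1]);

    // INTENTIONAL: unbounded copy of caller-controlled input into a 150-byte
    // stack buffer. This is the vulnerable sink the file comment describes and
    // is kept on purpose as the teaching example. The fix in real code is a
    // bounded copy, e.g. snprintf(buffer, sizeof buffer, "%s", argv[1]);
    strcpy(buffer, argv[1]);

    return 0;
}

// Quite a bit of this code was ripped from a post by anonytmouse. Big thanks to him.
// I've made changes necessary to illustrate it's use as a anti-debug trick

/*
 * Walk every process in the system and report whether any of them has an
 * image name matching one of the entries in `debuggers`.
 *
 * Returns TRUE if a match was found, FALSE if none was found or the snapshot
 * could not be taken. Prints each image name seen to stdout as a side effect
 * (the visualization the file comment mentions).
 */
BOOL foundDebug(void)
{
    // Stick whatever debuggers you want detected here.
    // These are not case sensitive (_tcsicmp ignores case), so feel free to do a quick add.
    static const TCHAR *const debuggers[] = {
        TEXT("ImmunityDebugger.exe"),
        TEXT("OLLYDBG.EXE"),
    };
    BOOL result = FALSE;
    PROCESSENTRY32 pe32 = {0};

    // Take a snapshot of all processes in the system.
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    // Fill in the size of the structure before using it; Process32First
    // rejects the call otherwise.
    pe32.dwSize = sizeof pe32;

    // Walk the snapshot of the processes, and for each process,
    // display information.
    if (Process32First(hProcessSnap, &pe32)) {
        do {
            // Just quickly displaying the pe32.szExeFile property to help visualize.
            // %ls is the portable conversion for a wide string; a plain %s in
            // wprintf() only means "wide" on the MSVC CRT.
            wprintf(L"We found %ls\n", pe32.szExeFile);

            // Bound is derived from the table, so adding an entry needs no loop edit.
            for (size_t i = 0; i < ARRAY_SIZE(debuggers); i++) {
                // Do the comparison
                if (_tcsicmp(pe32.szExeFile, debuggers[i]) == 0) {
                    result = TRUE;
                }
            }
        } while (Process32Next(hProcessSnap, &pe32));
    }

    // Close the snapshot
    CloseHandle(hProcessSnap);
    return result;
}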