Merge pull request #5 from elikaski/master

Fix assembly code of NtQueryInformationProcess debug-flags technique
CheckPointSW · Nov 8, 2023 · 289d3cd · 289d3cd
2 parents f837fb6 + bd2d395
commit 289d3cd
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/_techniques/debug-flags.md b/_techniques/debug-flags.md
@@ -98,7 +98,7 @@ if (TRUE == CheckRemoteDebuggerPresent(GetCurrentProcess(), &bDebuggerPresent) &
 <p></p>
 
 {% highlight nasm %}
-    lea eax, bDebuggerPresent]
+    lea eax, [bDebuggerPresent]
     push eax
     push -1  ; GetCurrentProcess()
     call CheckRemoteDebuggerPresent
@@ -271,12 +271,12 @@ if (hNtdll)
     lea eax, [dwReturned]
     push eax ; ReturnLength
     push 4   ; ProcessInformationLength
-    lea ecx, [dwProcessDebugPort]
+    lea ecx, [dwProcessDebugFlags]
     push ecx ; ProcessInformation
     push 1Fh ; ProcessInformationClass
     push -1  ; ProcessHandle
     call NtQueryInformationProcess
-    cmp dword ptr [dwProcessDebugPort], 0
+    cmp dword ptr [dwProcessDebugFlags], 0
     jz being_debugged
     ...
 being_debugged:
@@ -293,12 +293,12 @@ being_debugged:
     lea rcx, [dwReturned]
     push rcx     ; ReturnLength
     mov r9d, 4   ; ProcessInformationLength
-    lea r8, [dwProcessDebugPort] 
+    lea r8, [dwProcessDebugFlags] 
                  ; ProcessInformation
     mov edx, 1Fh ; ProcessInformationClass
     mov rcx, -1  ; ProcessHandle
     call NtQueryInformationProcess
-    cmp dword ptr [dwProcessDebugPort], 0
+    cmp dword ptr [dwProcessDebugFlags], 0
     jz being_debugged
     ...
 being_debugged:
@@ -384,7 +384,7 @@ being_debugged:
     mov r9d, 4   ; ProcessInformationLength
     lea r8, [hProcessDebugObject] 
                  ; ProcessInformation
-    mov edx, 1Fh ; ProcessInformationClass
+    mov edx, 1Eh ; ProcessInformationClass
     mov rcx, -1  ; ProcessHandle
     call NtQueryInformationProcess
     cmp dword ptr [hProcessDebugObject], 0