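/*
 * Forum post by Cartman, posted June 27, 2014:
 *
 *   "Hey, this is really advanced, and yet best method. There isn't any
 *    actual bypass, except binary patch of course."
 *
 * The post gives two files, defs.h (an excerpt) and detect.c. Both are
 * reproduced below with their line structure restored.
 */

/* ========================= defs.h (excerpt) ========================= */

/*
 * Prototype for the native NtCreateEventPair call, as given in the post.
 * The parameter columns were scrambled by the page extraction; they are
 * restored here by pairing each type with its name in the order listed.
 */
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEventPair(
    OUT PHANDLE EventPairHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL
);

/*
 * Debug-API message layout as given in the post. It is defined before
 * DEBUG_EVENT because DEBUG_EVENT embeds it by value (the post listed the
 * two structs in the opposite order, which cannot compile as shown).
 * PORT_MESSAGE, DBGKM_APINUMBER and the DBGKM_* payload types are not part
 * of the excerpt; presumably they are declared earlier in the full defs.h.
 */
typedef struct _DBGKM_MSG
{
    PORT_MESSAGE h;
    DBGKM_APINUMBER ApiNumber;
    ULONG ReturnedStatus;
    union
    {
        DBGKM_EXCEPTION Exception;
        DBGKM_CREATE_THREAD CreateThread;
        DBGKM_CREATE_PROCESS CreateProcess;
        DBGKM_EXIT_THREAD ExitThread;
        DBGKM_EXIT_PROCESS ExitProcess;
        DBGKM_LOAD_DLL LoadDll;
        DBGKM_UNLOAD_DLL UnloadDll;
    };
} DBGKM_MSG, *PDBGKM_MSG;

/*
 * Debug event record as given in the post. detect.c below does not use it.
 * NOTE(review): <windows.h> already defines a user-mode DEBUG_EVENT /
 * struct _DEBUG_EVENT, and detect.c includes <windows.h> before defs.h, so
 * this definition will collide unless the full defs.h guards or renames it.
 * KEVENT, PEPROCESS and PETHREAD are likewise not declared in the excerpt.
 */
typedef struct _DEBUG_EVENT
{
    LIST_ENTRY EventList;
    KEVENT ContinueEvent;
    CLIENT_ID ClientId;
    PEPROCESS Process;
    PETHREAD Thread;
    NTSTATUS Status;
    ULONG Flags;
    PETHREAD BackoutThread;
    DBGKM_MSG ApiMsg;
} DEBUG_EVENT, *PDEBUG_EVENT;

/* ============================= detect.c ============================= */

#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "defs.h"

#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"psapi.lib")

/*
 * Releases a buffer obtained from RtlCreateQueryDebugBuffer. Redeclared here
 * because the defs.h excerpt in the post does not show it; a matching
 * declaration in the full header is harmless.
 * NOTE(review): confirm the parameter type matches the header's PDEBUG_BUFFER.
 */
NTSYSAPI NTSTATUS NTAPI RtlDestroyQueryDebugBuffer(PDEBUG_BUFFER Buffer);

/*
 * Debugger-presence heuristic from the post.
 *
 * Allocates a query debug buffer, fills it with
 * RtlQueryProcessHeapInformation, and compares two of its fields
 * (RemoteSectionBase and EventPairHandle) against fixed constants. Each
 * comparison reports its own verdict in a message box, so two boxes are
 * shown per call, and the raw EventPairHandle value is printed afterwards.
 *
 * NOTE(review): the post does not explain where 0x50000062 and 0x00002b98
 * come from. They look like values observed on one particular system or
 * session; handle and section values are not stable across runs or Windows
 * versions, so both verdicts should be treated as unverified. Confirm before
 * relying on this check.
 */
void QueryProcessHeapMethod(void)
{
    PDEBUG_BUFFER buffer;
    NTSTATUS status;

    buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (buffer == NULL) {
        /* Allocation failed: the original dereferenced NULL here. */
        fprintf(stderr, "RtlCreateQueryDebugBuffer failed\n");
        return;
    }

    status = RtlQueryProcessHeapInformation(buffer);
    if (status < 0) {
        /* Negative NTSTATUS means failure; the fields below are not valid. */
        fprintf(stderr, "RtlQueryProcessHeapInformation failed: 0x%08lx\n",
                (unsigned long)status);
        RtlDestroyQueryDebugBuffer(buffer);
        return;
    }

    /* First check: section base compared against the post's constant. */
    if (buffer->RemoteSectionBase == (PVOID) 0x50000062)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

    /* Second check: event pair handle compared against the post's constant. */
    if (buffer->EventPairHandle == (PVOID) 0x00002b98)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

    /*
     * Print the handle as a pointer. The original cast it to int and used
     * %x, which truncates the value on 64-bit builds.
     */
    printf("EventPairHandle= %p", (void *)buffer->EventPairHandle);

    /* The original never released the buffer. */
    RtlDestroyQueryDebugBuffer(buffer);
}

/* Program entry point: runs the check once and exits. */
int main(void)
{
    QueryProcessHeapMethod();
    return 0;
}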