
Anti-Debug trick


Hey,

This is a really advanced method, and yet the best one.

There isn't any actual bypass, except a binary patch of course.

defs.h

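/*
 * NtCreateEventPair - native ntdll routine, declared here because
 * <windows.h> does not provide it.  The original listing had the
 * parameter types and the parameter names split into two separate
 * columns (three types, then three names), which is not a valid
 * prototype; this is the reassembled declaration.  Nothing in detect.c
 * as shown calls it.
 *
 * EventPairHandle  [out]          receives the handle of the new event pair
 * DesiredAccess    [in]           requested access mask
 * ObjectAttributes [in, optional] object name/attributes, may be NULL
 * Returns an NTSTATUS (negative values are failures).
 */
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEventPair(
    OUT PHANDLE EventPairHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL );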

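/*
 * Kernel-side debug-port message and event structures, as reproduced in
 * the post.  Every member type used here (LIST_ENTRY, KEVENT, CLIENT_ID,
 * PEPROCESS, PETHREAD, PORT_MESSAGE, DBGKM_APINUMBER, the DBGKM_* payload
 * structs) must already be declared by an earlier header; nothing on this
 * page provides them.
 *
 * DBGKM_MSG is defined first because DEBUG_EVENT embeds it by value
 * (ApiMsg) and C requires the complete type at that point.  The original
 * order (DEBUG_EVENT before DBGKM_MSG) does not compile.
 *
 * NOTE(review): <windows.h> already defines a user-mode struct with the
 * same tag and typedef name, _DEBUG_EVENT / DEBUG_EVENT (the one used by
 * WaitForDebugEvent).  detect.c includes <windows.h> before "defs.h", so
 * this definition is expected to collide with it — confirm the intended
 * include order, or rename this struct, before building.  Neither type
 * is referenced by detect.c as shown.
 */
typedef struct _DBGKM_MSG
{
    PORT_MESSAGE h;                 /* LPC message header */
    DBGKM_APINUMBER ApiNumber;      /* presumably selects the valid union member */
    ULONG ReturnedStatus;
    union                           /* anonymous union: C11 / MSVC extension */
    {
        DBGKM_EXCEPTION Exception;
        DBGKM_CREATE_THREAD CreateThread;
        DBGKM_CREATE_PROCESS CreateProcess;
        DBGKM_EXIT_THREAD ExitThread;
        DBGKM_EXIT_PROCESS ExitProcess;
        DBGKM_LOAD_DLL LoadDll;
        DBGKM_UNLOAD_DLL UnloadDll;
    };
} DBGKM_MSG, *PDBGKM_MSG;

typedef struct _DEBUG_EVENT
{
    LIST_ENTRY EventList;
    KEVENT ContinueEvent;
    CLIENT_ID ClientId;
    PEPROCESS Process;
    PETHREAD Thread;
    NTSTATUS Status;
    ULONG Flags;
    PETHREAD BackoutThread;
    DBGKM_MSG ApiMsg;               /* needs the complete DBGKM_MSG above */
} DEBUG_EVENT, *PDEBUG_EVENT;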

detect.c

#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "defs.h"
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"psapi.lib")
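/*
 * QueryProcessHeapMethod - the anti-debug check described in the post.
 *
 * Asks ntdll for a debug buffer describing the current process's heaps,
 * then compares two fields of that buffer (RemoteSectionBase and
 * EventPairHandle) against hard-coded values.  Each comparison reports
 * "Debugged" / "Not Debugged" via MessageBoxA; EventPairHandle is also
 * printed to stdout.
 *
 * The two constants are values the author observed on one machine under
 * a debugger; they are not documented semantics of the buffer, so the
 * check should be expected to misreport on other processes or sessions.
 * The comparisons are kept exactly as posted; this version only fixes the
 * robustness defects around them:
 *   - RtlCreateQueryDebugBuffer() can return NULL, which was dereferenced;
 *   - the NTSTATUS from RtlQueryProcessHeapInformation() was ignored;
 *   - the buffer was never released with RtlDestroyQueryDebugBuffer();
 *   - a pointer/handle was printed with %x through an int cast, which
 *     truncates on 64-bit builds.
 *
 * NOTE(review): PDEBUG_BUFFER and the Rtl* routines are not declared by
 * <windows.h> nor by the defs.h excerpt shown on this page — presumably
 * the full header provides them; confirm before building.
 */
void QueryProcessHeapMethod(void)
{
    PDEBUG_BUFFER buffer = RtlCreateQueryDebugBuffer(0, FALSE);
    if (buffer == NULL) {
        MessageBoxA(NULL, "RtlCreateQueryDebugBuffer failed", "Warning", MB_OK);
        return;
    }

    /* NTSTATUS failure codes are negative (NT_SUCCESS is status >= 0). */
    if (RtlQueryProcessHeapInformation(buffer) < 0) {
        MessageBoxA(NULL, "RtlQueryProcessHeapInformation failed", "Warning", MB_OK);
        RtlDestroyQueryDebugBuffer(buffer);
        return;
    }

    /* Author-observed values; see the header comment for why these are fragile. */
    if (buffer->RemoteSectionBase == (PVOID) 0x50000062)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

    if (buffer->EventPairHandle == (PVOID) 0x00002b98)
        MessageBoxA(NULL, "Debugged", "Warning", MB_OK);
    else
        MessageBoxA(NULL, "Not Debugged", "Warning", MB_OK);

    /* %p prints the full pointer width; the old "%x" + (int) cast lost the high bits on x64. */
    printf("EventPairHandle= %p", (void *) buffer->EventPairHandle);

    RtlDestroyQueryDebugBuffer(buffer);
}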

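/*
 * Entry point: runs the single heap-buffer check and exits.
 * Declared with (void) and an explicit return value; the original used
 * an old-style empty parameter list and fell off the end of main.
 */
int main(void)
{
    QueryProcessHeapMethod();
    return EXIT_SUCCESS;
}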
