NtQuerySystemInformation
Use SYSTEM_HANDLE_INFORMATION or SYSTEM_HANDLE_INFORMATION_EX to enumerate all handles
There is a thread creation debug event in DbgkpOpenHandles, which gets a handle to the thread created by the debugging process, and the debugger does not close the handle until the thread is finished.
Then, as soon as we create a new thread, we enumerate the handles to get its Object (PETHREAD).
After that we re-enumerate and determine, based on the Object, whether a handle belongs to our thread, and we can simply tell if it is being debugged.
    typedef struct _SYSTEM_HANDLE_INFORMATION {
        ULONG       ProcessId;          // owning process; in the documented layout this is UniqueProcessId (USHORT) followed by CreatorBackTraceIndex (USHORT)
        UCHAR       ObjectTypeNumber;   // object type index (varies between Windows versions)
        UCHAR       Flags;              // handle attributes
        USHORT      Handle;             // handle value in the owning process
        PVOID       Object;             // kernel object address, e.g. the PETHREAD
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
Demo.zip
https://hbxiaock.baklib-free.com/AntiDebug/681d
I'm not sure about the XP ObjectTypeNumber.
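As an added example (not the issue author's code and not the contents of Demo.zip), here is the matching logic of the check described above, written portably so it runs over a constructed handle-table snapshot instead of a live NtQuerySystemInformation buffer. The entry type is named SYSTEM_HANDLE_ENTRY here (an assumption; the issue calls it SYSTEM_HANDLE_INFORMATION), and the PIDs, handle values and object addresses are made up. Pass 1 resolves the kernel object behind our own thread handle; pass 2 looks for the same object in another process's handle list, which is where a debugger's copy of the handle from the thread-creation debug event would show up.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal portable stand-ins for the Windows types used by the issue's struct. */
typedef uint32_t ULONG;
typedef uint8_t  UCHAR;
typedef uint16_t USHORT;
typedef void    *PVOID;
typedef uint32_t ACCESS_MASK;

/* One entry of the handle table returned by NtQuerySystemInformation
 * (SystemHandleInformation); layout as posted in the issue. Name is ours. */
typedef struct _SYSTEM_HANDLE_ENTRY {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;        /* kernel object address, e.g. the PETHREAD */
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_ENTRY;

/* Pass 1: resolve the kernel object behind one of our own handles
 * (the thread we just created). NULL if the handle is not in the table. */
const void *object_for_own_handle(const SYSTEM_HANDLE_ENTRY *e, size_t n,
                                  ULONG self_pid, USHORT handle)
{
    for (size_t i = 0; i < n; i++)
        if (e[i].ProcessId == self_pid && e[i].Handle == handle)
            return e[i].Object;
    return NULL;
}

/* Pass 2: does any other process hold a handle to that same object?
 * Returns the first such PID (the suspected debugger), or 0 if none. */
ULONG foreign_holder(const SYSTEM_HANDLE_ENTRY *e, size_t n,
                     ULONG self_pid, const void *object)
{
    if (object == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (e[i].ProcessId != self_pid && e[i].Object == object)
            return e[i].ProcessId;
    return 0;
}

/* Constructed handle table standing in for a live snapshot. PIDs and
 * object addresses are made up; 1234 plays "us", 5678 a debugger. */
#define SELF_PID     1234u
#define DEBUGGER_PID 5678u
#define OUR_THREAD   ((PVOID)(uintptr_t)0xF0A0B0C0u)
#define OTHER_OBJ    ((PVOID)(uintptr_t)0xF0D0E0F0u)

ULONG run_check(int debugger_attached)
{
    SYSTEM_HANDLE_ENTRY table[4];
    size_t n = 0;
    /* our own handle to the thread we created (value 0x40; type number arbitrary) */
    table[n++] = (SYSTEM_HANDLE_ENTRY){ SELF_PID, 8, 0, 0x40, OUR_THREAD, 0x1FFFFF };
    /* an unrelated handle of ours */
    table[n++] = (SYSTEM_HANDLE_ENTRY){ SELF_PID, 7, 0, 0x44, OTHER_OBJ, 0x1F0FFF };
    /* some other process referencing an unrelated object */
    table[n++] = (SYSTEM_HANDLE_ENTRY){ 4, 7, 0, 0x08, OTHER_OBJ, 0x1F0FFF };
    if (debugger_attached) {
        /* the debugger's copy of the handle it received with the thread-creation debug event */
        table[n++] = (SYSTEM_HANDLE_ENTRY){ DEBUGGER_PID, 8, 0, 0x1C, OUR_THREAD, 0x1FFFFF };
    }

    const void *obj = object_for_own_handle(table, n, SELF_PID, 0x40);
    return foreign_holder(table, n, SELF_PID, obj);
}

int main(void)
{
    printf("attached: holder pid %u\n", (unsigned)run_check(1));   /* 5678 */
    printf("clean:    holder pid %u\n", (unsigned)run_check(0));   /* 0 */
    return 0;
}
```

Two things worth noting about the logic. It does not depend on ObjectTypeNumber at all, which sidesteps the XP uncertainty: the Object address alone identifies our thread. And the match is not debugger-specific: any process that has opened a handle to that thread (a process viewer, an EDR sensor, a profiler) will be reported as the "holder", so analysts reviewing a sample that contains this pattern should expect false positives from the sample's point of view, and a debugger that releases the thread handle after processing the creation event would not be found by it.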