Disable EXCEPTION_DEBUG_EVENT from being passed to an attached debugger
https://stackoverflow.com/questions/1400579
-
05-07-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm dealing with an anti-debug application which disables EXCEPTION_DEBUG_EVENT from being passed to my debugger, instead it executes its SEH and UnhandledExceptionFilters.
- I tried it with 3 different debuggers (even selfmade one)
- My debugger receives other debug events like LOAD_DLL, CREATE_THREAD etc
- Exceptions are not passed when first chance debugging aswell as last chance
- Breakpoint events of my own created threads get passed to the debugger, so the anti-debug method must be thread specific and may be a modification of the ThreadInformationBlock
- There's no kernel mode access
So how can it be possible in usermode to pass EXCEPTION_DEBUG_EVENT (for only one thread, not affecting the whole process) ?
Solution
Well.. the solution is rather simple:
call
NtSetInformationThread(
IN HANDLE ThreadHandle,
IN THREAD_INFORMATION_CLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength );
with ThreadHideFromDebugger ( 0x11 ) as ThreadInformationClass.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
