Anti debugging (basic principles of debugger Design & NT NP and other anti debugging principles)
2022-07-05 03:33:00 【#A#】
Goal: add application-level anti-debugging to the game (no driver), so that it resists the usual debugging tools such as OllyDbg, CE, x96dbg and so on.
Anti-debugging works at two levels:
- Disabling or breaking the debugging mechanism itself
- Detecting that the process is being debugged
Basic principle of a software debugger:
BOOL DebugByCreate;     // TRUE: create a new process and debug it; FALSE: attach to an existing process
DWORD dwPID;            // ID of the process to attach to
DEBUG_EVENT dbgevent;
if (DebugByCreate)
{
    CreateProcess(..., DEBUG_PROCESS, ...);  // create the target with the debug flag set
}
else
{
    DebugActiveProcess(dwPID);               // attach to the already running process
}
while (WaitForDebugEvent(&dbgevent, INFINITE))
{
    switch (dbgevent.dwDebugEventCode)
    {
        // handle debug events (CREATE_PROCESS_DEBUG_EVENT, EXCEPTION_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, ...)
    }
    ContinueDebugEvent(dbgevent.dwProcessId, dbgevent.dwThreadId, DBG_CONTINUE);
}
CreateProcess: how creating a debugged process is implemented underneath
BOOL
WINAPI
CreateProcessA(
_In_opt_ LPCSTR lpApplicationName,
_Inout_opt_ LPSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags, // process creation flags (see below)
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCSTR lpCurrentDirectory,
_In_ LPSTARTUPINFOA lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
dwCreationFlags values relevant here:
DEBUG_PROCESS 0x1 [ debug the process and all of its child processes ]
DEBUG_ONLY_THIS_PROCESS 0x2 [ debug only this process, not its children ]
Underlying calls:
[1] DbgUiConnectToDbg(); // the debugger process connects to the debug subsystem
    creates a DEBUG_OBJECT kernel object (via NtCreateDebugObject)
    stores the handle of that DEBUG_OBJECT in the debugger thread's TEB, in DbgSsReserved[1]
[2] NtCreateProcess() / NtCreateProcessEx() (NtCreateUserProcess on Vista and later)
    the debug object handle from DbgSsReserved[1] is passed down to the kernel process manager
    PsCreateProcess stores it in the DebugPort field of the new EPROCESS structure
    PsCreateProcess calls MmCreatePeb to build the PEB of the new process
    MmCreatePeb sets PEB->BeingDebugged to 1 when DebugPort is not NULL
DebugActiveProcess: how attaching to a running process is implemented underneath
[1] DbgUiConnectToDbg(); // the debugger process connects to the debug subsystem, as above
[2] ProcessIdToHandle(); // obtains a process handle; internally OpenProcess -> NtOpenProcess
[3] DbgUiDebugActiveProcess(); // puts the target process into the debugged state
    >> NtDebugActiveProcess(): looks up the EPROCESS structure from the process handle
    >> DbgkpSetProcessDebugObject: attaches the debug object to EPROCESS->DebugPort
    >> DbgkpMarkProcessPeb: sets PEB->BeingDebugged in the target process
Conclusion: while a process is being debugged, EPROCESS->DebugPort in kernel mode is never 0,
and PEB->BeingDebugged in user mode is never 0 (unless the debuggee itself, or a debugger plugin, has cleared it: the PEB lives in user memory, DebugPort does not).
How anti-debugging drivers such as TP and NP work:
A debugger has exactly two ways of getting hold of its target: creating it with CreateProcess, or attaching to it with DebugActiveProcess. The driver sits on both paths.
CreateProcess:
Getting from the application layer into the kernel passes through several kernel functions. The classic way to take them over was hooking; with the changes in current Windows builds, hooking is no longer a good option, and protection drivers mostly rely on kernel callbacks instead (the process-creation notify routine registered with PsSetCreateProcessNotifyRoutineEx, for example). From a callback it is easy to see the situation in PsCreateProcess: the driver sees who the creator is and which image path is being created, and if it recognises a debugger it simply fails the call. The process cannot even run, let alone be created under a debugger.
Generally speaking, debuggers are rarely asked to create the process. The far more common case is attaching.
DebugActiveProcess:
Step 2 is OpenProcess -> NtOpenProcess. Whoever takes over NtOpenProcess (on current builds typically through object-manager callbacks such as ObRegisterCallbacks, which can also strip the requested access rights from the handle) can see exactly which process is being opened; if the target is the protected game, the open is failed and the attach cannot even begin. The later steps can be damaged as well, and the more of them are damaged, the more places an attacker has to repair, and the harder the attack becomes.
For both paths, the driver can also act where the debug object is attached to DebugPort, or simply clear DebugPort afterwards. Zeroing it is equivalent to killing the port: the information about the established debug channel is kept in that one field, and removing it destroys the channel.
Besides opening the process, a debugger must also read and write the target's memory (ReadProcessMemory / WriteProcessMemory). Once all of those places are dealt with as well, that is the whole picture.