
Anti-debugging (hiding the main thread from the debugger to break the debug channel, plus debugger detection)

2022-07-05 03:33:00 #A#

Debugging essentially rests on int3 (an exception). When an exception occurs, the debugger is handed it and given the chance to handle it: it is notified once before the program's own handler runs (first chance) and once after (second chance), so it is consulted twice. A driver-layer function lets a thread be marked as hidden from the debugger. The intended meaning is "this thread is not being debugged", but the consequence is that when the thread is actually attached to a debugger, what used to be an ordinary int3 breakpoint now raises an exception that the debugger never gets to handle.

Because it is an undocumented function, you first have to resolve it from ntdll's export table:

// ZwSetInformationThread is undocumented, so it is resolved by name at run time.
// 0x11 is ThreadHideFromDebugger.
typedef NTSTATUS(NTAPI* ZwSetInformationThreadPtr)(HANDLE, ULONG, PVOID, ULONG);

void GameProtect::AntiDebug()
{
    HMODULE hNtdll = LoadLibrary(L"ntdll.dll");
    if (hNtdll)
    {
        auto ZwSetInformationThread =
            (ZwSetInformationThreadPtr)GetProcAddress(hNtdll, "ZwSetInformationThread");
        if (ZwSetInformationThread)
            ZwSetInformationThread(GetCurrentThread(), 0x11 /* ThreadHideFromDebugger */, NULL, 0);
    }
}

Test: the next int3 breakpoint goes straight to GG (the process dies).

Because the int3 breakpoint is essentially an exception: the exception goes looking for a debugger and finds that the debugger does not respond, so it returns to the program for handling; the program cannot handle it, so it looks for the debugger again, the debugger ignores it again, and the process crashes.

Use these functions discreetly; otherwise, during reverse analysis, one look at the string table gives it away (GG). It is better to have the login deliver the address directly.
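As an added, analyst-side example (not code from the original post): the point above is that resolving these functions by name leaves the names sitting in the binary's string table. This scanner extracts ASCII strings from a file and reports which of the APIs named on this page appear; the sample buffer is constructed here, not taken from a real binary.

```python
import re
import sys

# API names discussed on this page; seeing them in a binary's string table
# is exactly what the author warns a reverse engineer will notice at once.
ANTI_DEBUG_APIS = {
    "IsDebuggerPresent": "PEB BeingDebugged check",
    "CheckRemoteDebuggerPresent": "PEB BeingDebugged check (remote form)",
    "NtQueryInformationProcess": "DebugPort / DebugObjectHandle / DebugFlags query",
    "ZwSetInformationThread": "ThreadHideFromDebugger (0x11)",
    "NtSetInformationThread": "ThreadHideFromDebugger (0x11)",
}

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def extract_ascii_strings(data: bytes) -> list:
    """Return printable ASCII runs of at least 6 characters, like strings(1)."""
    return [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]


def find_anti_debug_names(data: bytes) -> dict:
    """Map each anti-debug API name present in the raw bytes to what it is used for."""
    found = {}
    for s in extract_ascii_strings(data):
        # Match whole identifiers, not substrings: "IsDebuggerPresent" must not
        # fire on "CheckRemoteDebuggerPresent". Names show up as whole tokens in
        # an import table or as the literal handed to GetProcAddress.
        for token in re.findall(r"[A-Za-z_]\w*", s):
            if token in ANTI_DEBUG_APIS:
                found[token] = ANTI_DEBUG_APIS[token]
    return found


# Constructed sample: fragments resembling what a binary built from the
# AntiDebug() and CheckDebugByNT() routines above would leave in its strings.
SAMPLE = (
    b"\x00\x01MZ\x90\x00ntdll.dll\x00ZwSetInformationThread\x00"
    b"\x7f\x02KERNEL32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    b"\xff\xfeNtQueryInformationProcess\x00random padding\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, purpose in sorted(find_anti_debug_names(data).items()):
        print(f"{name}: {purpose}")
```

Run it with a file path to scan a real binary; with no argument it scans the constructed sample.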

Debugger detection :

Detection via BeingDebugged:

// Both calls read the BeingDebugged field of the PEB
BOOL debug = IsDebuggerPresent();
BOOL _debug = FALSE;
CheckRemoteDebuggerPresent(GetCurrentProcess(), &_debug);

if (debug)  AfxMessageBox(L"IsDebuggerPresent: debugger detected");
if (_debug) AfxMessageBox(L"CheckRemoteDebuggerPresent: debugger detected");

Compile, run, and attach with x32dbg:

Detected.

A typical debugger such as OD (OllyDbg) takes care of this spot; there are plugins that patch it, and in essence they just clear the BeingDebugged field.

In general, BeingDebugged detection is of little use: patching the assembly to return 0 directly, or hooking the function, also gets past it.

OD plugin:

Detecting the debugger through kernel properties:
In principle, user mode has no access to kernel mode, but Microsoft still left a hole.

Use NtQueryInformationProcess to obtain the information:

NTSTATUS(NTAPI* NtQueryInformationProcess)(
    HANDLE ProcessHandle,             // process handle
    DWORD  ProcessInformationClass,   // information class
    PVOID  ProcessInformation,        // output buffer
    ULONG  ProcessInformationLength,  // output buffer size
    PULONG ReturnLength               // bytes written (optional)
    );

PROCESSINFOCLASS 0x7   ProcessDebugPort
PROCESSINFOCLASS 0x1E  ProcessDebugObjectHandle
PROCESSINFOCLASS 0x1F  ProcessDebugFlags

The ProcessInformationClass parameter is an enumeration type, but passing a DWORD works too.

BOOL GameProtect::CheckDebugByNT()
{
    // Undocumented, so resolve it from ntdll's export table first
    HMODULE hNtdll = GetModuleHandle(L"ntdll.dll");
    if (!hNtdll) return FALSE;
    NtQueryInformationProcess = (NTSTATUS(NTAPI*)(HANDLE, DWORD, PVOID, ULONG, PULONG))
        GetProcAddress(hNtdll, "NtQueryInformationProcess");
    if (!NtQueryInformationProcess) return FALSE;

    HANDLE hProcess = GetCurrentProcess();

    // ProcessDebugPort (0x7): non-zero while a debugger port is attached
    DWORD_PTR debug_port = 0;
    NtQueryInformationProcess(hProcess, 0x07, &debug_port, sizeof(debug_port), NULL);
    if (debug_port) return TRUE;

    // ProcessDebugObjectHandle (0x1E): non-NULL when a debug object exists
    HANDLE debug_object = NULL;
    NtQueryInformationProcess(hProcess, 0x1E, &debug_object, sizeof(debug_object), NULL);
    if (debug_object) { CloseHandle(debug_object); return TRUE; }

    // ProcessDebugFlags (0x1F): reads 0 while the process is being debugged
    DWORD debug_flags = 1;
    NtQueryInformationProcess(hProcess, 0x1F, &debug_flags, sizeof(debug_flags), NULL);
    if (!debug_flags) return TRUE;

    return FALSE;
}

Copyright notice
This article was written by [#A#]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202140735089460.html