views:

62

answers:

1

I'm dealing with an anti-debug application which prevents EXCEPTION_DEBUG_EVENT from being passed to my debugger; instead, it executes its SEH and UnhandledExceptionFilters.

  • I tried it with 3 different debuggers (even a self-made one)
  • My debugger receives other debug events like LOAD_DLL, CREATE_THREAD etc.
  • Exceptions are not passed on first-chance debugging as well as last-chance
  • Breakpoint events of my own created threads get passed to the debugger, so the anti-debug method must be thread-specific and may be a modification of the ThreadInformationBlock
  • There's no kernel-mode access

So how can it be possible in user mode to pass EXCEPTION_DEBUG_EVENT (for only one thread, not affecting the whole process)?

+1  A: 

Well... the solution is rather simple:

call

    NtSetInformationThread( IN HANDLE ThreadHandle, IN THREAD_INFORMATION_CLASS ThreadInformationClass, IN PVOID ThreadInformation, IN ULONG ThreadInformationLength );

with ThreadHideFromDebugger (0x11) as ThreadInformationClass.

5andr0
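As an added example, not part of the original answer: the flag the answer names can be read back for a given thread with NtQueryInformationThread using the same information class, which is how a debugger author or analyst can confirm that a target has hidden one of its threads. This script is my own and assumes Windows Vista or later, that NtQueryInformationThread returns a single BOOLEAN for information class 0x11 (as it does on Windows), and that the caller can open the target's threads with THREAD_QUERY_INFORMATION; the class name NativeThread and the function IsHiddenFromDebugger are hypothetical.

```powershell
# Added example (not from the original post): list the threads of a process
# and report which ones carry the ThreadHideFromDebugger flag.
# Assumes Windows Vista+ and THREAD_QUERY_INFORMATION access to the target.
param(
    [Parameter(Mandatory)] [int] $ProcessId
)

$signature = @"
using System;
using System.Runtime.InteropServices;

public static class NativeThread {
    // NTSTATUS NtQueryInformationThread(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG)
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationThread(
        IntPtr ThreadHandle, int ThreadInformationClass,
        out byte ThreadInformation, int ThreadInformationLength,
        out int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(int dwDesiredAccess, bool bInheritHandle, int dwThreadId);

    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr hObject);

    public const int ThreadHideFromDebugger = 0x11;   // same class the answer uses
    public const int THREAD_QUERY_INFORMATION = 0x0040;

    // Returns true when the kernel reports the thread as hidden from the debugger.
    // Querying this class expects a buffer of exactly sizeof(BOOLEAN) == 1.
    public static bool IsHiddenFromDebugger(int threadId) {
        IntPtr h = OpenThread(THREAD_QUERY_INFORMATION, false, threadId);
        if (h == IntPtr.Zero)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        try {
            byte hidden; int ret;
            int status = NtQueryInformationThread(h, ThreadHideFromDebugger, out hidden, 1, out ret);
            if (status != 0)
                throw new InvalidOperationException("NtQueryInformationThread failed: 0x" + status.ToString("X8"));
            return hidden != 0;
        } finally {
            CloseHandle(h);
        }
    }
}
"@
Add-Type -TypeDefinition $signature

# One row per thread; HiddenFromDebugger = True is the thread the debugger
# will never get EXCEPTION_DEBUG_EVENTs for.
$proc = Get-Process -Id $ProcessId
foreach ($t in $proc.Threads) {
    [pscustomobject]@{
        ThreadId           = $t.Id
        HiddenFromDebugger = [NativeThread]::IsHiddenFromDebugger($t.Id)
    }
}
```

Run it as `.\Find-HiddenThreads.ps1 -ProcessId <pid>` against the debuggee; a thread reported as hidden is the one whose exceptions bypass the debugger, which matches the symptom in the question (other threads' breakpoints still arrive). The query only reads the flag; once set, the flag cannot be cleared from user mode, so the practical defender response is to detect it and attach or instrument before the anti-debug routine runs.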