I'm dealing with an anti-debug application which disables EXCEPTION_DEBUG_EVENT from being passed to my debugger; instead, it executes its SEH and UnhandledExceptionFilters.
- I tried it with 3 different debuggers (even a self-made one)
- My debugger receives other debug events like LOAD_DLL, CREATE_THREAD, etc.
- Exceptions are not passed when first chance debugging as well as last chance
- Breakpoint events of my own created threads get passed to the debugger, so the anti-debug method must be thread specific and may be a modification of the ThreadInformationBlock
- There's no kernel mode access
So how can it be possible in usermode to pass EXCEPTION_DEBUG_EVENT (for only one thread, not affecting the whole process)?