The protection mecanism consists on hooking DbgUiRemoteBreakin from ntdll.dll, which is an API called IN TARGET PROCESS by most known debuggers when it attaches itself to a running process, then the idea of hooking it is to execute our own code instead of the breakpoint.
Here is the original DbgUiRemoteBreakin:
After hooking:
And here is where it jumps:
And when we try to attach the target process that's what happens:
That's it, this is a simple implementation to protect any software from most debuggers, but of course it won't stop more skilled people, there are many ways to bypass it, this code was made just to demonstrate the technique and can be modified to make things a litlle harder for reversers.
And of course anti-attach all alone is nothing, anyone can start the process from debugger and debug it, so it's needed another kinds of protections working with the anti-attach, like anti-debugging, strong code obfuscation and VM based protections, I'm gonna talk about those someday.
Code available here
Any question please let me know..
Shinku
1 comment:
Nice, very good shinku!!!!!
Post a Comment