If you look up Anti-Debug on the Internet, you will find a lot of information. For example, IsDebuggerPresent and NtGlobalFlags were found in the search. However, my process can only protect itself from the debugger by terminating its own process when it detects it.
I would like to know how to prevent the debugger from attaching in the first place, or how to identify and detach the debugger process.

justANewb stands with Ukraine

4zu
- A determined attacker will detour `IsDebuggerPresent` for the process being debugged and always return false. In short, if the attacker has local admin rights (or can get them) there is no way to stop an attack. – Richard Critten Dec 26 '21 at 17:52
- So that means I can't resist the debugger. Thanks for the answer. – 4zu Dec 26 '21 at 18:12
- It is possible, if the debugger does not prevent you, to determine whether your process is being debugged, determine the process that is debugging your process, and detach the debugger (if we are talking about a local, user-mode debugger). But of course, the debugger can also prevent you from doing this. – RbMm Dec 26 '21 at 18:15
- *I can't resist the debugger.* - It is possible to create problems for the debugger (for the person who will debug your process). Then it all depends on him, on his qualifications and experience. – RbMm Dec 26 '21 at 18:18
- It's an XY problem. I think what you need is a kind of process encryption mechanism, if you want your process not to get hacked. – Louis Go Jan 04 '22 at 09:40
1 Answer
> I would like to know how to prevent the debugger from attaching in the first place, or how to identify and detach the debugger process.

- There isn't a way to do that.
- Even if there was, the debugger could have done a lot of things to your process between attaching and detaching -- change global data, change function pointers, create new threads, inject DLLs, etc.
So even if you could detach the debugger, you shouldn't trust your process' integrity after doing that.

Employed Russian
- Well, thank you, it turns out that Windows is very vulnerable to debuggers. – 4zu Dec 26 '21 at 18:09
- Additionally you can do all of said things without even attaching a debugger through several different ways. – floomby Dec 26 '21 at 18:16
- Not sure what you mean by "very vulnerable to debuggers". There is no vulnerability in being able to debug your own processes. A debugger has full control over the process being debugged -- for example, it could just remove the code that checks for a debugger! – Raymond Chen Dec 26 '21 at 22:39
- @azu Saying that *"Windows is very vulnerable to debuggers"* is like saying that padlocks are very vulnerable to keys. – IInspectable Dec 27 '21 at 08:38