
I'm currently trying to create anti-anti-debugging software to better analyze a security vulnerability that I found in a popular game. Naturally, like any other game, it has robust anti-anti-cheating measures.

As part of my research I looked at many anti-debugging techniques, which basically are small checks present in the process's memory (or the PEB, which is in the process's memory). These changes (for example the "isBeingDebugged" flag in the PEB or the heap flags) happen in the executable before a debugger is attached to it.

My question is: Who performs these changes? The debugger? The debuggee itself? The kernel? A third process?

If I can determine who performs these changes, I can maybe stop them from happening, and then I don't need to patch the process's memory so they aren't detected.

PS: Yes, I have permission from the owner. Yes, I'm doing this legally. Yes, I'm a security researcher. No, I don't need a lecture.

Thank you!

PS2: I've tried patching against different anti-debugging techniques but so far I trigger protections when I attach my debugger.

Alex

0 Answers