Comments on: Anti-Debugging Series – Part III

By: jn

jn — Tue, 23 Feb 2010 03:21:49 +0000

“If a debugger is attached and we pass in 0×11 to NtSetInformationProcess, our process will immediately detach any attached debugger and terminate the process.”
This statement is not correct:
1) you are actually referring to NtSetInformationThread
2) the process is not terminated but debug events for the specified thread are not received by the debugger anymore.

By: HuRrIcAnE

HuRrIcAnE — Sat, 31 Jan 2009 04:14:07 +0000

I’m one of the fan here, and I wanna said that these type of subjects are increduble .. And I agree the abover’s comment that these functions are not that much difficult to bypass its. But what I’m trying to said that the Art of REC is not just for having fun on CRACKING programs and protections, It’s like to learn, to improve something, even if it’s useless.

what I’m agree here is that many private and public schemes will at less use this art of protection in somehow, somewhere to but it at that greatfull steps .

I hope Mr. Shields to continue your path and I’m one of your followers.

Thanks

By: A John Doe

A John Doe — Thu, 08 Jan 2009 23:55:41 +0000

Meh, API anti-debugging techniques are fairly useless. Reverse engineers are very familiar with them and they are exceedingly easy to bypass. Might as well use them a bit anyway because they are so easy to implement, but they should be a part of a MUCH MUCH stronger defensive scheme. If they form a notable percentage of the defensive scheme, time is being wasted that could be spent making the defended asset better IMO.

By: Adam Leyshon

Adam Leyshon — Thu, 08 Jan 2009 14:07:16 +0000

Very informative, I wish MS would document these functions better as they can be quite handy sometimes.