{"id":22004808,"url":"https://github.com/revsic/antidebugging","last_synced_at":"2025-04-09T20:10:12.932Z","repository":{"id":140177588,"uuid":"72120700","full_name":"revsic/AntiDebugging","owner":"revsic","description":"AntiDebugging sample sources written in C++","archived":false,"fork":false,"pushed_at":"2018-07-23T13:48:06.000Z","size":718,"stargazers_count":337,"open_issues_count":0,"forks_count":54,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-09T20:10:09.608Z","etag":null,"topics":["anti-attach","anti-debugging","cpp","hash","veh"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/revsic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-27T15:14:34.000Z","updated_at":"2025-02-25T14:46:00.000Z","dependencies_parsed_at":null,"dependency_job_id":"2c1af195-02e0-4301-9d7a-91a8cb8d8e7b","html_url":"https://github.com/revsic/AntiDebugging","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/revsic%2FAntiDebugging","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/revsic%2FAntiDebugging/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/revsic%2FAntiDebugging/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/revsic%2FAntiDebugging/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/revsic","download_url":"https://codeload.github.com/revsic/AntiDebugging/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103871,"owners_count":21048245,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-attach","anti-debugging","cpp","hash","veh"],"created_at":"2024-11-30T00:17:16.918Z","updated_at":"2025-04-09T20:10:12.900Z","avatar_url":"https://github.com/revsic.png","language":"C++","readme":"# Anti Debugging\n\nAnti-debugging techniques written in C++.\n\n- Anti Attach, Anti Anti Attach : [AntiAttach.cpp](Sources/AntiAttach.cpp), [AntiAntiAttaching.cpp](Sources/AntiAntiAttach.cpp)\n- Text Section Hashing : [TextSectionHasher.cpp](Sources/TextSectionHasher.cpp)\n- VEH Checker, DR Register Resetter : [VEH_Checker.cpp](Sources/VEH_Checker.cpp), [DR_Register_Resetter.cpp](Sources/DR_Register_Resetter.cpp)\n\n## Anti Attach, Anti Anti Attach\n\nA debugger attaches to a running process with the `DebugActiveProcess` API and then loops on `WaitForDebugEvent`.\n\n```cpp\nDebugActiveProcess(pid);\n\nDEBUG_EVENT dbgEvent;\nBOOL dbgContinue = TRUE;\n\nwhile (dbgContinue) {\n    if (FALSE == WaitForDebugEvent(\u0026dbgEvent, 100)) {\n        continue;\n    }\n\n    ...\n}\n```\n\nAttaching creates a thread in the debuggee, and that thread calls `DbgUiRemoteBreakin()` to hand control to the debugger.\n\n```cpp\n// AntiAttach: the 6-byte body that is copied over DbgUiRemoteBreakin\n__declspec(naked) void AntiAttach() {\n    __asm {\n        jmp ExitProcess\n    }\n}\n\n// main\nHANDLE hProcess = GetCurrentProcess();\n\nHMODULE hMod = GetModuleHandleW(L\"ntdll.dll\");\nFARPROC func_DbgUiRemoteBreakin = GetProcAddress(hMod, \"DbgUiRemoteBreakin\");\n\n// Overwrite the first 6 bytes of DbgUiRemoteBreakin with the jmp to ExitProcess\nWriteProcessMemory(hProcess, func_DbgUiRemoteBreakin, AntiAttach, 6, NULL);\n```\n\nThe Anti-Attacher hooks `DbgUiRemoteBreakin` and redirects it to `ExitProcess`, so the process terminates as soon as a debugger attaches. The Anti-Anti-Attacher removes that hook and restores the original function.\n\n## Text Section Hashing\n\nA debugger sets a software breakpoint by overwriting a code byte with an `int 3` instruction, which changes the contents of the text section.\n\nThe checker hashes the text section at start-up and then periodically re-hashes it; a changed hash means the code has been modified. Hardware breakpoints do not modify code, so this check does not detect them.\n\n```cpp\nwhile (1) {\n    Sleep(1000);\n\n    // Re-hash the text section and compare with the hash taken at start-up\n    DWORD64 dwCurrentHash = HashSection(lpVirtualAddress, dwSizeOfRawData);\n    if (dwRealHash != dwCurrentHash) {\n        MessageBoxW(NULL, L\"DebugAttached\", L\"WARN\", MB_OK);\n        exit(1);\n    }\n\n    if (bTerminateThread) {\n        return;\n    }\n}\n```\n\n## VEH Checker, DR Register Resetter\n\nA VEH debugger uses a Vectored Exception Handler.\n\nThe checker reads the PEB's `CrossProcessFlags` (offset `+0x50`) and tests the `ProcessUsingVEH` bit (mask `0x4`). If the bit is set, a vectored exception handler has been registered in the process.\n\n```cpp\n// Locate the PEB of the target process\nNtQueryInformationProcess(hProcess, ProcessBasicInformation, \u0026pbi, sizeof(pbi), \u0026ReturnLength);\nPPEB pPEB = (PPEB)pbi.PebBaseAddress;\n\nSIZE_T Written;\nDWORD64 CrossProcessFlags = -1;\n// Read CrossProcessFlags at PEB+0x50\nReadProcessMemory(hProcess, (PBYTE)pPEB + 0x50, (LPVOID)\u0026CrossProcessFlags, sizeof(DWORD64), \u0026Written);\n\nprintf(\"[*] CrossProcessFlags : %llx\\n\", CrossProcessFlags);\nif (CrossProcessFlags \u0026 0x4) {   // ProcessUsingVEH\n    printf(\"[*] veh set\\n\");\n}\nelse {\n    printf(\"[*] veh unset\\n\");\n}\n```\n\nA VEH debugger usually relies on hardware breakpoints. The DR Register Resetter clears the breakpoint address registers `Dr0`-`Dr3` and the enable bits for those four breakpoints in `Dr7` on the target thread.\n\n```cpp\nHANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, tid);\n\nCONTEXT ctx;\nmemset(\u0026ctx, 0, sizeof(CONTEXT));\nctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;\n\n// Clear the four hardware breakpoint addresses\nctx.Dr0 = 0;\nctx.Dr1 = 0;\nctx.Dr2 = 0;\nctx.Dr3 = 0;\n// Clear the enable bits for Dr0-Dr3 in Dr7\nctx.Dr7 \u0026= (0xffffffffffffffff ^ (0x1 | 0x4 | 0x10 | 0x40));\n\nSetThreadContext(hThread, \u0026ctx);\nCloseHandle(hThread);\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frevsic%2Fantidebugging","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frevsic%2Fantidebugging","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frevsic%2Fantidebugging/lists"}