Exetools (https://forum.exetools.com/index.php)
General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
Another way to detect OllyDbg and another debugger (https://forum.exetools.com/showthread.php?t=4769)

TQN 08-02-2004 16:12

Another way to detect OllyDbg and another debugger
 
Hi all!
When I was trying the UnhandledExceptionFilter of xDREAM, I detected a method which Windows uses to detect that an app is being debugged (I don't know if someone else has already found it). The plugin of xDREAM patches the result of the call to NtQueryInformationProcess. Windows calls NtQueryInformationProcess with ProcessInformationClass 7 (DebugPort) to detect that an app is being debugged. For example: open an exe with Visual Studio or OllyDbg, open Task Manager, and kill the debugged exe; Windows will warn: "Program being debugged" or "Access denied". Searching in my copy of the Win2k source code, in the ntos folder, the function _EndTask of Task Manager uses this way.
I wrote a small C program, compiled it with VS .NET 2003, and tested the exe with OllyDbg, VS, VS .NET, the IDA Pro debugger, WinDbg and TD32. The app detects that it is being debugged. But with SoftICE, the app could not detect it.
But I cannot use NtSetInformationProcess to clear the debug port value because it can only be set when the debug port is zero.
Hope I will receive your ideas!
Regards,
TQN
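
The ProcessDebugPort check the post describes, as an added example written for this page (not TQN's attached program): on Windows it resolves NtQueryInformationProcess from ntdll.dll at run time and queries class 7 on the current process, and, going slightly beyond the post, the non-Windows branch shows the Linux analogue, the TracerPid field of /proc/self/status, so the two OS-level records can be compared. The constant PROCESS_DEBUG_PORT_CLASS and the helper names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Pure helper: value of the TracerPid field in /proc/<pid>/status text (0 = untraced, -1 = absent). */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    return p ? strtol(p + strlen("TracerPid:"), NULL, 10) : -1;
}
#ifdef _WIN32
#include <windows.h>
typedef LONG NTSTATUS;
#define PROCESS_DEBUG_PORT_CLASS 7   /* this example's name for PROCESSINFOCLASS ProcessDebugPort */
/* NtQueryInformationProcess is exported by ntdll.dll, not by the default import libs: resolve it at run time. */
typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
/* 1 = debugger attached, 0 = none, -1 = could not determine. */
int is_being_debugged(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQueryInformationProcess_t query = ntdll
        ? (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    if (!query) return -1;
    /* Class 7 returns the debug port; the kernel leaves it 0 when no debugger owns the process. */
    ULONG_PTR debug_port = 0;
    NTSTATUS st = query(GetCurrentProcess(), PROCESS_DEBUG_PORT_CLASS,
                        &debug_port, sizeof(debug_port), NULL);
    if (st < 0) return -1;               /* NT_SUCCESS is a non-negative NTSTATUS */
    return debug_port != 0;
}
#else
/* Linux analogue: the kernel records the tracer's pid in /proc/self/status. */
int is_being_debugged(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tracer = tracer_pid_from_status(buf);
    return tracer < 0 ? -1 : (tracer != 0);
}
#endif
int main(void)
{
    int r = is_being_debugged();
    printf("debugger attached: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    return 0;
}
```

CheckRemoteDebuggerPresent in kernel32 is the documented wrapper around this same class-7 query, so an analyst who sees either call in a sample should read it as this check.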

Jay 08-02-2004 23:52

here
 
I think this method was discussed a while back on Woodmann
http://www.woodmann.net/forum/showthread.php?t=5420&highlight=NtQueryInformationProcess

JMI 08-03-2004 09:12

Which references a thread here:

http://www.exetools.com/forum/showthread.php?s=&threadid=3164

and around and around we go. ;)

Regards,

