Thread: TitanHide
Old 02-06-2014, 06:20
mcp
@mr.exodia
You might want to look at the implementation of NtClose in ntoskrnl.exe. AFAIR, NtClose raises an exception by means of a user-mode callback through ntdll (KiRaiseUserExceptionDispatcher). If you need help with that, just ping me and I'll jump in if you like.

@Ahmadmansoor
Not sure if the code you suggested makes sense for the NtClose anti-debugging trick, since that technique works by closing an invalid handle, so there is no point in enumerating all system handles, no?

Btw, I do agree that NtClose is not really critical, since any decent debugger should allow you to simply swallow the exception and continue execution. As a consequence, the debuggee won't even notice that NtClose raised an exception.
However, VMProtect uses it, so one could argue that this "trick" is somewhat common.

Last edited by mcp; 02-06-2014 at 06:29.
The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (02-08-2014)