@ahmadmansoor: How would you fool NtQueryInformationProcess without being in kernel mode? I tried NtSetInformationProcess with the DebugFlag, but I don't think it worked very well...
Notice that not every process is hidden, just the PID you specify.
I agree with you on NtClose though, it could affect performance very badly, if it is done incorrectly. But because it is now an SSDT hook (and later I will also use direct pointers to the original API) it is just a call & check if the current PID is hidden (simple lookup), which doesn't slow down the program.
About the trap flag: I will check this, I think I forward all the non-debugger exceptions to the program (by calling ContinueDebugEvent with the DBG_CONTINUE flag), but I didn't check this for all exceptions yet (GUARD_PAGE for example is now automatically forwarded to the application when it is no memory breakpoint).
Do you have an example for NtClose on x64? I tried many things, but it doesn't seem to work as an anti-debug trick.
Greetings,
Mr. eXoDia
|