My friend and about kernel32!CloseHandle it is the same for CheckProcessDebugFlags by Keeping it in User Mode insted of Kernel mode
because some times we need to check this API for other prog so it is not good to make it in Kernel mode ( I think )
Quote:
http://www.symantec.com/connect/articles/windows-anti-debug-reference
(5) kernel32!CloseHandle and NtClose
APIs making user of the ZwClose syscall (such as CloseHandle, indirectly) can be used to detect a debugger. When a process is debugged, calling ZwClose with an invalid handle will generate a STATUS_INVALID_HANDLE (0xC0000008) exception.
As with all anti-debugs that rely on information made directly available from the kernel (therefore involving a syscall), the only proper way to bypass the "CloseHandle" anti-debug is to either modify the syscall data from ring3, before it is called, or set up a kernel hook.
This anti-debug, though extremely powerful, does not seem to be widely used by malicious programs.
|
example
Quote:
__try {
CloseHandle((HANDLE)0x1953);
} __except(1) {
return TRUE;
}
return FALSE;
|