@mcp:
Today I tested setting the DebugPort to 0 in the PEPROCESS structure; it works fine like this:
Code:
    /* Body of the kernel-mode NtClose hook: Handle is the hooked call's argument. */
    ULONG pid = (ULONG)PsGetCurrentProcessId();
    NTSTATUS ret;
    if (HiderIsHidden(pid, HideNtClose))
    {
        Log("[TITANHIDE] NtClose by %d\n", pid);
        /* Clear EPROCESS.DebugPort so NtClose does not raise STATUS_INVALID_HANDLE
           (0xC0000008) to the attached debugger, then put the old port back. */
        PVOID OldDebugPort = SetDebugPort(PsGetCurrentProcess(), 0);
        ret = NtClose(Handle);
        SetDebugPort(PsGetCurrentProcess(), OldDebugPort);
    }
    else
        ret = NtClose(Handle);
There is, however, a problem: the EPROCESS structure according to http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html doesn't seem to work on Windows XP (it's a Vista structure definition). I think I need to install every OS to check the structure definitions using WinDbg...
And about:
Quote:
Btw, I do agree that NtClose is not really critical, since any decent debugger should allow you to simply swallow the exception and continue execution. As a consequence, the debuggee won't even notice that NtClose raised an exception.
I don't agree at all: a decent debugger passes all unhandled exceptions back to the original program. It would be easy to detect if a debugger doesn't pass the 0xC0000008 exception, simply by throwing it yourself. It would require hooking NtClose in user mode for this trick to work, and hooking in user mode is something I want to avoid.
Greetings
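As an added illustration of the user-mode side of what this post is about (example code, not from the post or from TitanHide): probe 1 calls CloseHandle on a bogus handle, which only raises 0xC0000008 when the process has a debug port and the debugger passes the exception back; probe 2 raises 0xC0000008 itself, which is the check described above for a debugger that swallows instead of passing. The decision table at the end is what a TitanHide-style DebugPort clear defeats, because it makes probe 1 look exactly like "no debugger". Assumptions: MSVC structured exception handling (the `__try`/`__except` keywords), the bogus handle value `0xDEAD0000`, and the `probe_*`/`interpret_probes`/verdict names are all mine; on non-Windows builds the probes report "unsupported" so the decision logic still compiles.

```c
#include <stdio.h>

/* NTSTATUS that NtClose raises for a bad handle when the process has a debug port. */
#define NTSTATUS_INVALID_HANDLE 0xC0000008UL

enum probe_result {
    PROBE_NO_EXCEPTION,    /* call returned normally, our handler never ran */
    PROBE_EXCEPTION_SEEN,  /* our __except block caught the exception */
    PROBE_UNSUPPORTED      /* probe needs Windows + MSVC SEH; not available in this build */
};

enum verdict {
    VERDICT_DEBUGGER_VISIBLE,  /* CloseHandle raised: DebugPort is set and the debugger passed it back */
    VERDICT_DEBUGGER_SWALLOWS, /* our own 0xC0000008 never reached our handler: something ate it */
    VERDICT_CLEAN_OR_HIDDEN,   /* no debugger, or one whose DebugPort is hidden during NtClose */
    VERDICT_UNKNOWN            /* probes not available on this platform */
};

#if defined(_WIN32) && defined(_MSC_VER)
#include <windows.h>

/* Probe 1: close a handle value that is certainly not open (constructed, not a real
 * handle). Without a debug port NtClose just returns STATUS_INVALID_HANDLE; with one,
 * the kernel raises it and a debugger that passes it on lands us in __except. */
static enum probe_result probe_close_bogus_handle(void)
{
    __try {
        CloseHandle((HANDLE)(ULONG_PTR)0xDEAD0000);
    } __except (GetExceptionCode() == NTSTATUS_INVALID_HANDLE
                ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        return PROBE_EXCEPTION_SEEN;
    }
    return PROBE_NO_EXCEPTION;
}

/* Probe 2: raise 0xC0000008 ourselves. A debugger that passes unhandled exceptions
 * back delivers it to our __except block; one that silently "handles" it makes
 * RaiseException return as if nothing happened. */
static enum probe_result probe_raise_self(void)
{
    __try {
        RaiseException(NTSTATUS_INVALID_HANDLE, 0, 0, NULL);
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return PROBE_EXCEPTION_SEEN;
    }
    return PROBE_NO_EXCEPTION;
}
#else
/* Non-Windows build: the probes cannot run, only the decision table below can. */
static enum probe_result probe_close_bogus_handle(void) { return PROBE_UNSUPPORTED; }
static enum probe_result probe_raise_self(void)         { return PROBE_UNSUPPORTED; }
#endif

/* Combine both probes. Note that "no debugger" and "debugger with DebugPort hidden
 * during NtClose" are indistinguishable here, which is the point of the kernel hook. */
enum verdict interpret_probes(enum probe_result close_probe, enum probe_result raise_probe)
{
    if (close_probe == PROBE_UNSUPPORTED || raise_probe == PROBE_UNSUPPORTED)
        return VERDICT_UNKNOWN;
    if (close_probe == PROBE_EXCEPTION_SEEN)
        return VERDICT_DEBUGGER_VISIBLE;
    if (raise_probe == PROBE_NO_EXCEPTION)
        return VERDICT_DEBUGGER_SWALLOWS;
    return VERDICT_CLEAN_OR_HIDDEN;
}

int main(void)
{
    static const char *names[] = {
        "debugger visible (NtClose exception delivered)",
        "debugger swallows exceptions",
        "no debugger, or DebugPort hidden",
        "unknown (probes unsupported on this build)"
    };
    enum verdict v = interpret_probes(probe_close_bogus_handle(), probe_raise_self());
    printf("%s\n", names[v]);
    return 0;
}
```

Run it once without a debugger, once under a debugger with exceptions passed to the program, and once with the debugger set to eat the exception; only the third configuration trips the self-raise probe, which is why clearing the DebugPort in the kernel is the quieter fix.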