Well, you can of course throw the exception yourself to test if this exception is always swallowed. However, I don't know any malware/packer that does this, so right now one could argue that hooking NtClose is more of a "comfort feature" than a requirement for an anti-anti-debugging plugin/driver. Issue is that the offset is very much kernel dependent, and therefore dealing with NtClose is quite brittle.
Anyways, glad, the DebugPort patching works ;-)
|