#1
Using RtlAdjustPrivilege to detect a debugger
A basic way of using RtlAdjustPrivilege to detect the debugger (OllyDbg and IDA demo 6.6)
As usual, though not enabled by default in every debugger, the debugger must acquire the debug privilege to work at its full capacity. The snippet is simple and probably already in use, but I wrote it as simply as possible to get clear ASM code inside the debugger. RtlAdjustPrivilege: enables or disables a privilege for the calling thread or process.
Our job is to read the contents of this variable after calling RtlAdjustPrivilege with SE_DEBUG_PRIVILEGE as the parameter; of course, if the status is already enabled, then we have a likely debugging situation.
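An added example, not the code from the post (the post's own snippet is not reproduced here), showing the check in C: call RtlAdjustPrivilege from ntdll with SE_DEBUG_PRIVILEGE, read back the previous state, and treat "already enabled" as a likely debugger, since a debugger that enabled the privilege for itself passes its token on to the debuggee it creates. The privilege value (20), the status constant and the classification helper are defined here and are assumptions of this example; RtlAdjustPrivilege itself is the real ntdll export, resolved at run time because it is in no import library. The probe also restores the privilege to the state it found, and reports "inconclusive" when the privilege is not in the token at all (the non-elevated UAC case).

```c
/* Added example (not the thread author's code): probe whether SeDebugPrivilege
 * was already enabled in our token, which usually means a debugger that enabled
 * it for itself created us and we inherited its token. The constants and the
 * classification helper are ours; RtlAdjustPrivilege is the real ntdll export. */
#include <stdint.h>
#include <stdio.h>

/* LUID value of SeDebugPrivilege (SE_DEBUG_PRIVILEGE in the DDK headers). */
#define SE_DEBUG_PRIVILEGE_VALUE 20UL
/* NTSTATUS returned when the privilege is not present in the token at all
 * (typical for a non-elevated process under UAC). */
#define NT_STATUS_PRIVILEGE_NOT_HELD ((int32_t)0xC0000061)

typedef enum {
    PROBE_DEBUGGER_LIKELY,    /* privilege held and already enabled */
    PROBE_DEBUGGER_UNLIKELY,  /* privilege held but was disabled, as for a normal start */
    PROBE_INCONCLUSIVE        /* privilege not in token or call failed: cannot tell */
} probe_result;

/* Turn RtlAdjustPrivilege's (status, previous state) pair into a verdict.
 * Kept portable on purpose so the decision logic can be tested anywhere. */
probe_result classify_adjust_privilege(int32_t status, unsigned char was_enabled)
{
    if (status == NT_STATUS_PRIVILEGE_NOT_HELD)
        return PROBE_INCONCLUSIVE;       /* not elevated: the check proves nothing */
    if (status != 0)
        return PROBE_INCONCLUSIVE;       /* any other failure */
    return was_enabled ? PROBE_DEBUGGER_LIKELY : PROBE_DEBUGGER_UNLIKELY;
}

#ifdef _WIN32
#include <windows.h>

/* RtlAdjustPrivilege is undocumented and not in any import library, so resolve it at run time. */
typedef LONG (NTAPI *RtlAdjustPrivilege_t)(ULONG Privilege, BOOLEAN Enable,
                                            BOOLEAN CurrentThread, PBOOLEAN WasEnabled);

probe_result probe_debug_privilege(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    RtlAdjustPrivilege_t adjust = ntdll
        ? (RtlAdjustPrivilege_t)GetProcAddress(ntdll, "RtlAdjustPrivilege")
        : NULL;
    if (!adjust)
        return PROBE_INCONCLUSIVE;

    BOOLEAN was_enabled = FALSE;
    /* Enable=TRUE, CurrentThread=FALSE: act on the process token and get the old state back. */
    LONG status = adjust(SE_DEBUG_PRIVILEGE_VALUE, TRUE, FALSE, &was_enabled);
    probe_result verdict = classify_adjust_privilege((int32_t)status, was_enabled);

    /* Leave the token as we found it: a probe that silently grants itself
     * SeDebugPrivilege is itself a tell, and it changes later behaviour. */
    if (status == 0 && !was_enabled) {
        BOOLEAN ignored;
        adjust(SE_DEBUG_PRIVILEGE_VALUE, FALSE, FALSE, &ignored);
    }
    return verdict;
}

int main(void)
{
    static const char *names[] = { "debugger likely", "debugger unlikely", "inconclusive" };
    printf("SeDebugPrivilege probe: %s\n", names[probe_debug_privilege()]);
    return 0;
}
#endif
```

Run the binary once from an elevated command prompt and once under a debugger started as administrator: the first should print "debugger unlikely", the second "debugger likely". Without elevation both print "inconclusive", which is exactly the limitation discussed in post #3.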
#2
Detection by opening the csrss process is based on a similar principle. It can be fixed by running the debuggee with a privilege-stripped token.
#3
It seems (Tuts4You forum) that the desired result is uncontrollable, and some conditions must be fulfilled, such as Run as administrator (UAC) and the debug privilege already having been acquired by the debugger...
As mentioned by Archer, there is a similarity with detecting the debugger by trying to open the "csrss.exe" process with PROCESS_ALL_ACCESS as the parameter (debug privilege needed), which is also limited by the same conditions mentioned above.
Regards
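The csrss.exe variant mentioned in this post, as an added example rather than code from the thread. It locates csrss.exe with the documented Toolhelp API and attempts OpenProcess with PROCESS_ALL_ACCESS: a handle means SeDebugPrivilege is enabled in our token (so a debugger probably gave it to us), ERROR_ACCESS_DENIED means it is absent or disabled, and anything else is inconclusive. The helper names and the result enum are assumptions of this example. One caveat beyond what the post states: on Windows 8.1 and later csrss.exe runs as a protected process (PPL), so PROCESS_ALL_ACCESS is denied even to a token holding SeDebugPrivilege, and the probe then reports "unlikely" whether or not a debugger is attached.

```c
/* Added example (not the thread author's code): try to open csrss.exe with
 * PROCESS_ALL_ACCESS. Only a token with SeDebugPrivilege enabled can do that,
 * so success suggests we inherited a debugger's token. Names below are ours. */
#include <ctype.h>
#include <stdio.h>

#define WIN32_ERROR_ACCESS_DENIED 5UL  /* ERROR_ACCESS_DENIED */

typedef enum {
    CSRSS_DEBUGGER_LIKELY,    /* handle obtained: debug privilege is enabled in our token */
    CSRSS_DEBUGGER_UNLIKELY,  /* access denied: privilege absent or disabled */
    CSRSS_INCONCLUSIVE        /* csrss not found or some other error */
} csrss_probe_result;

/* Case-insensitive ASCII match, since szExeFile casing is not guaranteed. */
int exe_name_matches(const char *name, const char *wanted)
{
    for (;; ++name, ++wanted) {
        int a = tolower((unsigned char)*name);
        int b = tolower((unsigned char)*wanted);
        if (a != b)
            return 0;
        if (a == 0)
            return 1;
    }
}

/* opened != 0 means OpenProcess returned a handle; err is GetLastError() otherwise. */
csrss_probe_result classify_csrss_open(int opened, unsigned long err)
{
    if (opened)
        return CSRSS_DEBUGGER_LIKELY;
    if (err == WIN32_ERROR_ACCESS_DENIED)
        return CSRSS_DEBUGGER_UNLIKELY;
    return CSRSS_INCONCLUSIVE;   /* e.g. ERROR_INVALID_PARAMETER for a bad pid */
}

#ifdef _WIN32
#undef UNICODE   /* use the CHAR flavour of PROCESSENTRY32 so szExeFile matches our helper */
#include <windows.h>
#include <tlhelp32.h>

/* Walk the process list (documented Toolhelp API) and return the first pid
 * whose image name matches; there is one csrss.exe per session, any will do. */
DWORD find_pid_by_name(const char *exe)
{
    DWORD pid = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe)) {
        do {
            if (exe_name_matches(pe.szExeFile, exe)) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return pid;
}

csrss_probe_result probe_csrss(void)
{
    DWORD pid = find_pid_by_name("csrss.exe");
    if (pid == 0)
        return CSRSS_INCONCLUSIVE;
    HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    unsigned long err = h ? 0 : GetLastError();
    if (h)
        CloseHandle(h);   /* we only wanted to know whether the open succeeds */
    return classify_csrss_open(h != NULL, err);
}

int main(void)
{
    static const char *names[] = { "debugger likely", "debugger unlikely", "inconclusive" };
    printf("csrss.exe open probe: %s\n", names[probe_csrss()]);
    return 0;
}
#endif
```

As with the RtlAdjustPrivilege check, a non-elevated debuggee never holds SeDebugPrivilege, so the open is denied regardless of the debugger; the probe only says something when both the debugger and the debuggee run elevated.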