Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-02-2004, 16:12
TQN TQN is offline
VIP
 
Join Date: Apr 2003
Location: Vietnam
Posts: 272
Rept. Given: 120
Rept. Rcvd 10 Times in 8 Posts
Thanks Given: 21
Thanks Rcvd at 7 Times in 5 Posts
TQN Reputation: 10
Another way to detect OllyDbg and another debugger

Hi all !
When I trying UnhandledExceptionFilter of xDREAM, I have detected a method which Windows uses to detect a app is being debugged (I dont know once else already have found it). The plugin of xDREAM patch the result of the call of NtQueryInformationProcess. Windows call NtQueryInformationProcess with ProcessInformationClass is 7 (DebugPort) to detect a app is being debugged. For example: open a exe with Visual studio or OllyDbg, open TaskManager, and kill the debugged exe, Windows will warning: "Program being debugged" or "Access denied". Search in my copy of Win2k source code, at the ntos folder, the function _EndTask of TaskManager uses this way.
I wrote a small C program, compiled with VS .NET 2003, and test the exe with OllyDbg, VS, VS .NET, IDAPro debugger, WinDbg and TD32. The app will detect it is debugged. But with SoftIce, the app could not detect.
But I can not use NtSetInformationProcess to clear the debug port value because it can only be set when debug port is zero.
Hope I will receive your idea !
Regards,
TQN
Attached Files
File Type: rar TestDbg.rar (15.8 KB, 32 views)
Reply With Quote
  #2  
Old 08-02-2004, 23:52
Jay Jay is offline
VIP
 
Join Date: Feb 2002
Posts: 249
Rept. Given: 31
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 15
Thanks Rcvd at 13 Times in 5 Posts
Jay Reputation: 3
here

I think this method was discussed a while back on woodman
http://www.woodmann.net/forum/showthread.php?t=5420&highlight=NtQueryInformationProcess
Reply With Quote
  #3  
Old 08-03-2004, 09:12
JMI JMI is offline
Leader
 
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 95 Times in 94 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199
Which references a thread here:

http://www.exetools.com/forum/showthread.php?s=&threadid=3164

and around and around we go.

Regards,
__________________
JMI
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Using RtlAdjustPrivilege to detect debugger. Insid3Code Source Code 2 03-05-2015 13:35
Unseen Debugger Detection (Ollydbg) Peter[Pan] General Discussion 27 10-17-2005 09:34


All times are GMT +8. The time now is 02:43.


��ICP��05004977��
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX