
Handle leak allows debugger detection #7

Open
mrexodia opened this issue Oct 5, 2023 · 1 comment

Comments

@mrexodia
Sponsor Contributor

mrexodia commented Oct 5, 2023

Fix in x64dbg: x64dbg/x64dbg#3234

Reproduction code (you need to run it on an x64dbg with the fix above, otherwise it triggers anyway):

```cpp
#include <Windows.h>
#include <cstdio>
#include <cinttypes>

int main()
{
    puts("");

    wchar_t executablePath[MAX_PATH] = L"";
    GetModuleFileNameW(0, executablePath, _countof(executablePath));

    // dwShareMode == 0 requests exclusive access: the open fails with
    // ERROR_SHARING_VIOLATION (32) if any other open handle to the file exists,
    // so a debugger that leaks a handle to ntdll.dll or to the debuggee is visible here.
    auto hNtdll = CreateFileW(L"C:\\Windows\\system32\\ntdll.dll", GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
    printf("[AntiDebugHandle] ntdll: 0x%zX (LastError: %u)\n", (uintptr_t)hNtdll, GetLastError());

    auto hExe = CreateFileW(executablePath, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
    printf("[AntiDebugHandle] exe: 0x%zX (LastError: %u)\n", (uintptr_t)hExe, GetLastError());

    // Release whatever we managed to open.
    if (hNtdll != INVALID_HANDLE_VALUE) CloseHandle(hNtdll);
    if (hExe != INVALID_HANDLE_VALUE) CloseHandle(hExe);

    puts("");
}
```

You would probably need to create a fake QIODevice (or whatever is the abstract of QFile) and use a file mapping backend. Once you have the section mapping open you can close the file handle and things will work fine.
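To see the mechanism behind both points in one place, here is an added PowerShell demonstration (not code from the issue, from x64dbg or from this project): it runs the same exclusive-open probe as the reproduction against a constructed temp file, first while a plain read handle is held, then after that handle has been replaced by a section mapping and closed, which is the pattern described above. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added demonstration, not code from the issue or from x64dbg/DIE. Windows only
# (Windows PowerShell 5.1 or PowerShell 7). A constructed temp file stands in for the debuggee.
$Target = [System.IO.Path]::GetTempFileName()
[System.IO.File]::WriteAllText($Target, "MZ constructed stand-in for the debuggee")

function Test-ExclusiveOpen {
    # Same probe as the reproduction: read access with dwShareMode 0 (FileShare.None).
    # Any other open handle to the file conflicts and the open fails (ERROR_SHARING_VIOLATION).
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
        $fs.Dispose()
        return $true
    } catch [System.IO.IOException] {
        return $false
    }
}

$Read    = [System.IO.FileAccess]::Read
$MapRead = [System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::Read

# 1. Baseline: nothing else has the file open.
"nothing open     : exclusive open succeeds = $(Test-ExclusiveOpen $Target)"

# 2. Leaky pattern: the tool keeps a plain read handle while it works on the file.
$leaky = [System.IO.File]::Open($Target, [System.IO.FileMode]::Open, $Read, [System.IO.FileShare]::Read)
"read handle held : exclusive open succeeds = $(Test-ExclusiveOpen $Target)"
$leaky.Dispose()

# 3. Leak-free pattern from the comment above: create a section over the file, then close the
#    file handle. The section keeps the file referenced, but the sharing state is released when
#    the handle is cleaned up, so the probe no longer sees anything.
$fs  = [System.IO.File]::Open($Target, [System.IO.FileMode]::Open, $Read, [System.IO.FileShare]::Read)
$mmf = [System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateFromFile(
           $fs, $null, 0, $MapRead, [System.IO.HandleInheritability]::None, $true)  # leaveOpen
$fs.Dispose()                                   # file handle gone; the section stays alive
$view  = $mmf.CreateViewAccessor(0, 2, $MapRead)
$magic = [System.Text.Encoding]::ASCII.GetString([byte[]]@($view.ReadByte(0), $view.ReadByte(1)))
"only section held: exclusive open succeeds = $(Test-ExclusiveOpen $Target) (mapping reads '$magic')"
$view.Dispose(); $mmf.Dispose()
Remove-Item $Target
```

The second line of output is the leak the reproduction detects; the third shows the mapping still serving reads while the exclusive probe succeeds again.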

@horsicq
Owner

horsicq commented Oct 5, 2023

Thanks! I will take a look.
