
File handle remains open after call to MapFileEx() #5

Open
arxhendz opened this issue Jun 12, 2020 · 1 comment

arxhendz commented Jun 12, 2020

When loading a new executable file for debugging, MapFileEx() is used to map it to memory after opening a handle to the file. The resulting handle is not closed afterwards and left open during further execution.

if(MapFileEx(szFileName, DesiredAccess, FileHandle, LoadedSize, FileMap, FileMapVA, NULL))
{
    return true; // FileHandle is still open at this point
}

This enables an anti-debugging technique where the process can attempt to open its own executable file for exclusive access, but will fail, receiving INVALID_HANDLE_VALUE instead of a valid handle.

My suggestion would be to close the handle before returning. But since I am not familiar with the code base, I decided to open an issue first.

arxhendz changed the title from "File handle remains open due to missing UnMapFileEx() after MapFileEx()" to "File handle remains open after call to MapFileEx()" on Jun 12, 2020

mrexodia (Member) commented

It appears to be possible to close the file handle before unmapping (https://stackoverflow.com/a/36495309); however, this does not actually solve the real issue, which is that x64dbg needs file mappings to read the contents of the module (I think you will still be able to enumerate handles and you will see that something has a handle open to your file).

In the grand scheme of things, however, it is not really a good anti-debug trick to expect that you will be able to open an exclusive handle to your own executable, mostly because some random process (think AV, for instance) might have a handle open and you would get a false detection.
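The pattern mrexodia refers to, closing the file handle as soon as the mapping exists and reading only through the mapped view, shown as an added example that is not x64dbg's code (MapFileEx and UnMapFileEx are x64dbg helpers and are not used here). The file name and contents are constructed. The Windows branch uses CreateFileA, CreateFileMappingA and MapViewOfFile; a POSIX branch using open and mmap is included so the same pattern can be compiled and run on Linux. As the maintainer notes, the mapping object itself still references the file, so this shortens the handle's lifetime but does not remove every reference to the file.

```c
/*
 * Added example (not x64dbg code): map a file, close the file handle or
 * descriptor right away, and show that the mapped view stays readable until
 * it is unmapped. File name and contents below are constructed for the demo.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>
#endif

/* Write a small file with known content so the example is self-contained. */
static int write_sample_file(const char *path, const char *content) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t n = strlen(content);
    int ok = fwrite(content, 1, n, f) == n;
    fclose(f);
    return ok ? 0 : -1;
}

/*
 * Map `path` read-only, close the file handle immediately, then copy the
 * first `n` bytes out of the mapping into `out`. Returns 0 on success.
 * Only the mapping needs to stay alive while the view is in use; the
 * file handle (or descriptor) can be released as soon as the mapping exists.
 */
static int read_via_mapping_closing_handle_early(const char *path, char *out, size_t n) {
#ifdef _WIN32
    HANDLE hFile = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, NULL,
                               OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) return -1;
    HANDLE hMap = CreateFileMappingA(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    /* The section object holds its own reference to the file; release the handle now. */
    CloseHandle(hFile);
    if (!hMap) return -1;
    const char *view = (const char *)MapViewOfFile(hMap, FILE_MAP_READ, 0, 0, 0);
    /* Once the view exists the mapping handle can be released as well. */
    CloseHandle(hMap);
    if (!view) return -1;
    memcpy(out, view, n);
    UnmapViewOfFile(view);
    return 0;
#else
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || (size_t)st.st_size < n) { close(fd); return -1; }
    void *view = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    /* mmap(2) keeps its own reference to the file; the descriptor can be closed immediately. */
    close(fd);
    if (view == MAP_FAILED) return -1;
    memcpy(out, view, n);
    munmap(view, (size_t)st.st_size);
    return 0;
#endif
}

/* Run the whole sequence on a constructed file; returns 1 if the bytes read
 * through the mapping (after the handle was closed) match what was written. */
int demo_mapping_outlives_handle(void) {
    const char *path = "mapfile_demo.bin";                 /* constructed file name */
    const char *content = "MZ-constructed-sample-header";   /* constructed content */
    char buf[64] = {0};
    if (write_sample_file(path, content) != 0) return 0;
    int rc = read_via_mapping_closing_handle_early(path, buf, strlen(content));
    remove(path);
    return rc == 0 && memcmp(buf, content, strlen(content)) == 0;
}

int main(void) {
    printf("%s\n", demo_mapping_outlives_handle()
                       ? "mapping still readable after handle closed"
                       : "failed");
    return 0;
}
```

The order matters: the file handle is closed right after CreateFileMapping (or the descriptor right after mmap), and the view is read afterwards, which is exactly the reordering suggested in the linked answer. Whether that is enough for the debugger depends on what the mapping object still pins, which is the point mrexodia raises above.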
