Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Debugger detection based on the exclusive access to NtDll #2749

Closed
AndyWatterman opened this issue Oct 4, 2021 · 2 comments · Fixed by #3234
Closed

Debugger detection based on the exclusive access to NtDll #2749

AndyWatterman opened this issue Oct 4, 2021 · 2 comments · Fixed by #3234
Labels
bug The issue describes a bug. It does not mean the bug has been reproduced by a developer.

Comments

@AndyWatterman
Copy link

AndyWatterman commented Oct 4, 2021
edited
Loading

Operating System

Windows 10, x64, 19043.1055

x64dbg Version

Jun 14 2021 (NO plugins)

Describe the issue

This PoC will fail if you have running debugging:

#include <Windows.h>
#include <iostream>

const auto NTDLL = L"C:\\Windows\\system32\\ntdll.dll";

int main()
{
    auto isOK = CreateFileW(NTDLL, 0x80000000, NULL, NULL, 0x3, 0x80, NULL);
    std::cout << std::hex << isOK << std::endl;
    system("pause");
}

Steps to reproduce

  1. Start any 32-bit file debugging in x64dbg from Admin (I have not checked x64)
  2. Run PoC (just click in Explorer)
  3. Look at 0xFFFFFFFF

Attachments

No response
@AndyWatterman AndyWatterman added the bug The issue describes a bug. It does not mean the bug has been reproduced by a developer. label Oct 4, 2021
@dauthleikr
Copy link

I might be wrong but I think this is x64dbg/TitanEngine#5

@AndyWatterman
Copy link
Author

AndyWatterman commented Oct 15, 2021
edited
Loading

Hmm... Actually I guess you could be right. I'll test it again soon.
However, this is not about the process itself. It is about system library.

mrexodia added a commit to mrexodia/DebugLoopRace that referenced this issue Oct 5, 2023
@mrexodia
Add an AntiDebugHandle test (and make sure it doesn't trigger)
869617a 
References:
- x64dbg/x64dbg#2749
- x64dbg/x64dbg#1364
- x64dbg/TitanEngine#5
- x64dbg/x64dbg#2504
mrexodia added a commit that referenced this issue Oct 5, 2023
@mrexodia
Fix an anti-debug trick used by GuLoader
ffb6de5 
Closes #2749
Closes #2504
@mrexodia mrexodia mentioned this issue Oct 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug The issue describes a bug. It does not mean the bug has been reproduced by a developer.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix an anti-debug trick used by GuLoader x64dbg/x64dbg
2 participants
@dauthleikr @AndyWatterman