REGISTER
desert eagle
main menu

home

forums
    Show me new threads!

bookmarks

view blogs

vault

you must be level 2 to upload files to your vault

downloads

you must be logged on, and level 1, to access downloads

Rootkit Collection

File Contributer Link
Hacker Def... hfn/a
HE4Hook adminn/a
BASIC CLAS... hoglundn/a
Vanquish xshadown/a
NT Rootkit hoglundn/a
FU fuzen_opn/a
WinlogonHi... JeFFOsZn/a
klister joannan/a
Patchfinde... joannan/a
MyNetwork hoglundn/a
MTDWin hoglundn/a
NTFSHider hoglundn/a
VideoCardK... hoglundn/a
VICE fuzen_opn/a
Klog Clandestin...n/a
NtIllusion Kdmn/a
AFX Rootki... TheRealAph...n/a
SInAR vulndevn/a
Shadow Wal... Clandestin...n/a
BootRootki... dereksoede...n/a
CHAZ - Nim... neocrackrn/a
Clandestin... merlvingia...n/a
FUTo petersilbe...n/a
Windows Me... alcapone66...n/a
RAIDE petersilbe...n/a
BOOT KIT vipinkumarn/a
BluePill Joanna and...n/a
DEFRAG blume1975n/a
Keyboard H... chpien/a
CheatEngin... DarkByten/a

search the site

Hide user mode debuggers from executables with debbuger detection : message board

post a message

Show all posts in this forum

view options: unpacked threads | collapsed threads | old style view

how many threads to display:

search board (text+titles):

Posted by 90210 (Rootkit Contributor) [ip info hidden] - Apr 24 2005, 15:25 (UTC+0)
ThreadHideFromDebugger
Btw, a good debugger should also hook NtSetInformationThread() and catch ThreadHideFromDebugger class. If Thread->HideFromDebugger is TRUE, debugger won't receive debug events about this thread any more - see DbgkForwardException(), DbgkCreateThread(), DbgkExitThread(), DbgkExitProcess(), DbgkMapViewOfSection(), DbgkUnMapViewOfSection().

Seems that it's a nice antidebugging technique - however, I haven't seen this in any antidebug code yet.

Example of usage is RtlQueryProcessDebugInformation() - it sets HideFromDebugger to the RtlpQueryProcessDebugInformationRemote thread to make it invisible to the attached debuggers to avoid deadlocks.
reply to this message  
   
Posted by j0epub (Rootkit Contributor) [ip info hidden] - Apr 25 2005, 07:13 (UTC+0)
Re: ThreadHideFromDebugger
But really the debugger would need to still receive events from the debugge, or it's job as a debugger would be pretty useless

But definetly something else that I could look at
reply to this message  


"Hey ! It compiles ! Ship it !"