Disable EXCEPTION_DEBUG_EVENT from being passed to the attached debugger

Question

Disable EXCEPTION_DEBUG_EVENT from being passed to the attached debugger

I am dealing with an anti-debug application that disables EXCEPTION_DEBUG_EVENT from being passed to my debugger, it executes its SEH and UnhandledExceptionFilters instead.

I tried this with 3 different debuggers (even homemade ones)
My debugger receives other debug events like LOAD_DLL, CREATE_THREAD, etc.
Exceptions are not thrown at the earliest debug opportunity, and also the last chance.
The interrupt events of my own created threads are passed to the debugger, so the anti-debug method must be thread specific and can be a modification of the ThreadInformationBlock
No access to kernel mode

So, how can EXCEPTION_DEBUG_EVENT be passed in usermode (only for one thread, not affecting the whole process)?

+2

assembly debugging windows exception exception-handling

5andr0 09 Sep '09 at 16:02

source to share

1 answer

5andr0 · Accepted Answer · 2009-09-09T17:52:55+0000

Well, the solution is pretty simple:

Call

NtSetInformationThread(
  IN HANDLE               ThreadHandle,
  IN THREAD_INFORMATION_CLASS ThreadInformationClass,
  IN PVOID                ThreadInformation,
  IN ULONG                ThreadInformationLength );

with ThreadHideFromDebugger ( 0x11 )

how ThreadInformationClass

.

Disable EXCEPTION_DEBUG_EVENT from being passed to the attached debugger

More articles: