2021-03-07 20:57:35
When I wrote the LoadDll message today, I suddenly found a method to detect a debugger. This method has not been circulated. Actually, I am familiar with the Windows debugging framework.
Every point where the system hands an event to the debugger is a detection point, and every detection point is a place where anti-debugging can look. This method works from R3 (user mode). When a DLL is loaded, the system sends a message to the debugger and stores the DLL name here:
    /* Kernel side: fill in the LOAD_DLL debug event for the debugger */
    /* Get the TEB */
    Teb = Thread->Tcb.Teb;
    if (Teb)
    {
        /* Copy the system library name and link to it */
        wcsncpy(Teb->StaticUnicodeBuffer,
                L"ntdll.dll",
                sizeof(Teb->StaticUnicodeBuffer) / sizeof(WCHAR));
        Teb->NtTib.ArbitraryUserPointer = Teb->StaticUnicodeBuffer;

        /* Return it in the debug event as well */
        LoadDll->NamePointer = &Teb->NtTib.ArbitraryUserPointer;
    }
StaticUnicodeBuffer is the TEB's static Unicode area, which some API functions use as scratch space when they are called with string arguments. Normally it holds whatever the last such API left there, which is not the name of a DLL; if it does hold the DLL name, with ArbitraryUserPointer pointing at it, the debug path above wrote it, so this is a detection method.
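Added example, not the author's code: the ring-3 side of the check described above, written so an analyst who meets it in a sample can see exactly which two TEB fields it inspects. The decision logic takes the two fields as arguments so it can be exercised offline with constructed contents (the check_constructed helper is mine, as is the 0xC00 offset used by the Windows-only live reader).

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>
#define STATIC_UNICODE_BUFFER_CHARS 261   /* TEB.StaticUnicodeBuffer is WCHAR[261] */
/* buffer is TEB.StaticUnicodeBuffer, user_ptr the value of TEB.NtTib.ArbitraryUserPointer.
 * Returns 1 when the kernel path shown above has left its mark: user_ptr points at the
 * buffer and the buffer ends in dll_name (case-insensitive, whole or after a separator). */
int debug_event_artifact_present(const wchar_t *buffer, const void *user_ptr,
                                 const wchar_t *dll_name)
{
    if (user_ptr != (const void *)buffer)
        return 0;
    size_t blen = 0;                       /* bounded: the buffer need not be NUL-terminated */
    while (blen < STATIC_UNICODE_BUFFER_CHARS && buffer[blen] != L'\0') blen++;
    size_t nlen = wcslen(dll_name);
    if (nlen == 0 || nlen > blen)
        return 0;
    const wchar_t *tail = buffer + (blen - nlen);
    if (blen > nlen && tail[-1] != L'\\' && tail[-1] != L'/')
        return 0;                          /* "myntdll.dll" must not match "ntdll.dll" */
    for (size_t i = 0; i < nlen; i++)
        if (towlower((wint_t)tail[i]) != towlower((wint_t)dll_name[i]))
            return 0;
    return 1;
}
/* Runs the check on constructed TEB contents (not a real TEB), for testing offline. */
int check_constructed(const wchar_t *contents, int pointer_at_buffer, const wchar_t *dll_name)
{
    static wchar_t buf[STATIC_UNICODE_BUFFER_CHARS];
    static int elsewhere;                  /* stands in for "pointer not at the buffer" */
    size_t i = 0;
    for (; i + 1 < STATIC_UNICODE_BUFFER_CHARS && contents[i] != L'\0'; i++)
        buf[i] = contents[i];
    buf[i] = L'\0';
    return debug_event_artifact_present(buf, pointer_at_buffer ? (const void *)buf
                                                               : (const void *)&elsewhere, dll_name);
}
#ifdef _WIN32
#include <windows.h>
/* Live check for the calling thread. StaticUnicodeBuffer is at TEB offset 0xC00 on both
 * 32- and 64-bit Windows; confirm with "dt ntdll!_TEB StaticUnicodeBuffer" in WinDbg. */
int debug_event_artifact_present_live(const wchar_t *dll_name)
{
    PNT_TIB tib = (PNT_TIB)NtCurrentTeb();
    const wchar_t *buffer = (const wchar_t *)((const unsigned char *)tib + 0xC00);
    return debug_event_artifact_present(buffer, tib->ArbitraryUserPointer, dll_name);
}
#endif
```

From the analyst's side, the artifact is only these two fields, so a debugger script that clears ArbitraryUserPointer and the buffer once the event has been delivered removes it.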