Hello fellow engineers.
I am writing an anti-debugger that attempts to protect a process that was created through process hollowing. My process is created with CreateProcess and the process creation flag I pass is 0x00000004 (CREATE_SUSPENDED). I manually map the PE's sections and headers in memory and allocate the necessary memory, before I run ResumeThread() however, I start a new thread that runs an anti-debugger on the process using WinAPI's debugging methods.
The code that does the anti-debugging is the following:
public void StartProtection(Win32Api.ProcessInformation processInfo, int sizeOfHeaders, int imageBase)
{
Win32Api.DEBUG_EVENT debugEvent = default(Win32Api.DEBUG_EVENT);
int processId = Win32Api.GetProcessId(processInfo.ProcessHandle);
if (processId == 0) return;
if (!Win32Api.DebugActiveProcess(processId))
return;
Win32Api.DebugSetProcessKillOnExit(true);
int oldProtection = 0;
bool flag = true;
while (flag)
{
if (Win32Api.WaitForDebugEvent(ref debugEvent, -1))
{
switch (debugEvent.dwDebugEventCode - (Win32Api.DebugEventType)1)
{
case 0:
if (debugEvent.Exception.ExceptionRecord.ExceptionCode == 0x80000001)
{
Win32Api.ContinueDebugEvent(processId, (int)processInfo.ThreadId, 65538);
if (!VirtualProtectEx(processInfo.ProcessHandle, imageBase, sizeOfHeaders, 320,
ref oldProtection))
return;
}
break;
case 2:
if (VirtualProtectEx(processInfo.ProcessHandle, imageBase, sizeOfHeaders, 320,
ref oldProtection))
{
Api.ResumeThread(processInfo.ThreadHandle);
CloseHandle(debugEvent.LoadDll.hFile);
}
break;
case 4:
flag = false;
Win32Api.DebugActiveProcessStop(processId);
break;
}
Win32Api.ContinueDebugEvent(processId, (int)processInfo.ThreadId, 65538);
}
}
}
While step-by-step debugging, when I enter the following line, it will proceed a few times before unexpectedly stopping right there:
if (Win32Api.WaitForDebugEvent(ref debugEvent, -1))
I call the anti-debugger thread like this:
ThreadStart threadStart = ctx.RunAntiDebugger;
Thread thread = new Thread(threadStart) { IsBackground = true };
thread.Start();
thread.Join();
(RunAntiDebugger is just a wrapper function calls the StartProtection function above with the right parameters)
The line following the above thread initiating code is this:
if (Api.ResumeThread(ctx.ProcessInformation.ThreadHandle) == -1)
return false;
If I remove the thread.Join(); call, the hollowed process runs properly but the anti-debugger doesn't seem to prevent any debugger. However, if I join the thread, the anti-debugging works and the debug messages are handled properly but the process never runs in the end (stays suspended for ever).
Any ideas what might be causing this? I've been trying to figure this out for a couple of days but my efforts were fruitless so far. Any input will be very much appreciated.
Thank you in advance.
User contributions licensed under CC BY-SA 3.0