Rahul Mishra

I am a computer science and engineering student specialising in cyber security. Here you will find all my learnings and projects which I am doing while exploring cyber security.

Anti-Debugging Series (IsDebuggerPresent)

Hey everyone, welcome to the anti-debugging series. Very recently I started learning about these concepts, and it's always better to document our learning, which can be beneficial for others too. So I will be sharing this via some blogs; let's get started :) What really is anti-debugging? Anti-debugging means putting code inside a program that tries to detect if someone is debugging it, and behaves differently (or stops) if it detects a debugger. ...

January 29, 2026 · 4 min · 732 words · Me

Anti-Debugging Series (NtGlobalFlag)

Hey, hope you're doing well :) We're back again with another anti-debugging technique commonly used by threat actors. This time, we'll be looking at how attackers detect debuggers by examining the value of NtGlobalFlag. The NtGlobalFlag field exists at offset 0x68 in the Process Environment Block on the 32-bit versions of Windows, and at offset 0xBC on the 64-bit versions of Windows. The value in that field is zero by default. ...

January 29, 2026 · 5 min · 1044 words · Me

Anti-Debugging Series (NtQueryInformationProcess)

This API call is among those that malware can use to spot the presence of a debugger. Tell the compiler exactly what the hidden function looks like: typedef NTSTATUS(WINAPI *PNtQueryInformationProcess)(HANDLE ProcessHandle, DWORD ProcessInformationClass, PVOID ProcessInformation, DWORD ProcessInformationLength, PDWORD ReturnLength); The function NtQueryInformationProcess is an internal Windows function. It is not listed in the standard instruction manuals (header files) that come with your compiler. If you tried to use it directly, the compiler would scream, "I don't know what this is!" ...

January 29, 2026 · 7 min · 1379 words · Me

User Mode Debugging Using WinDbg

There are two ways to start debugging in user mode: attach to an existing process and then start looking into it, or launch an executable, which creates a process from that executable and attaches to it immediately. Let's start with the first option, attaching to an existing process. Notepad can no longer run any code because all the threads in Notepad are suspended. ...

January 13, 2026 · 12 min · 2543 words · Me

Process Explorer

Process Explorer is a free, powerful system monitoring tool from Microsoft's Sysinternals suite that goes far beyond the built-in Task Manager. To ensure Process Explorer always runs with administrative privileges: right-click on procexp64.exe (or its shortcut) and select Properties. Switch to the Compatibility tab. Under Settings, check Run this program as an administrator. Click OK to save. There are more columns present here compared to Task Manager ...

July 16, 2025 · 11 min · 2202 words · Me