BarryG wrote:
What does this do? And do you just call that procedure alone to protect your exe?

Opcode wrote:
Here's another method to add to the collection. Easy to implement, easy to bypass. Still something though.

Code:
Procedure PatchDbgUiRemoteBreakin()
  Protected.l DbgAddr, oProtect
  ; Address of the function a debugger's remote thread starts in
  DbgAddr = GetProcAddress_(GetModuleHandle_("ntdll.dll"), "DbgUiRemoteBreakin")
  ; Make the first 6 bytes writable
  VirtualProtect_(DbgAddr, 6, #PAGE_EXECUTE_READWRITE, @oProtect)
  ; Write "push <ExitProcess>; ret" (32-bit x86: $68 imm32, $C3)
  PokeB(DbgAddr + 0, $68)
  PokeL(DbgAddr + 1, GetProcAddress_(GetModuleHandle_("kernel32.dll"), "ExitProcess"))
  PokeB(DbgAddr + 5, $C3)
  ; Restore the original page protection
  VirtualProtect_(DbgAddr, 6, oProtect, @oProtect)
EndProcedure

This just patches DbgUiRemoteBreakin so it redirects to ExitProcess. You would just call it once somewhere at the start of your program to apply the patch and that's it.

waliedassar wrote:
A debugger calls the "DebugActiveProcess" function which ends up calling the "RtlCreateUserThread" function to create a new remote thread into the target process, with the "DbgUiRemoteBreakin" function as the new thread entry point.
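
For anyone inspecting a process for this patch, the six bytes written above have a fixed layout that can be recognized and decoded. The following is an added example, not code from any poster in this thread; it assumes a 32-bit x86 process (the stub uses a 32-bit immediate), and the function names and sample values are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PATCH_LEN 6  /* 1-byte opcode + 4-byte address + 1-byte opcode */

/* Build the 6 bytes the procedure writes: 68 <addr32 little-endian> C3,
   i.e. "push addr; ret", which transfers control to addr. */
void encode_push_ret(uint8_t out[PATCH_LEN], uint32_t target)
{
    out[0] = 0x68;                       /* push imm32 */
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(target >> (8 * i));
    out[5] = 0xC3;                       /* ret */
}

/* Return 1 and store the redirect target if buf starts with the
   push/ret stub, 0 otherwise (including buffers that are too short). */
int decode_push_ret(const uint8_t *buf, size_t len, uint32_t *target)
{
    if (buf == NULL || len < PATCH_LEN) return 0;
    if (buf[0] != 0x68 || buf[5] != 0xC3) return 0;
    uint32_t t = 0;
    for (int i = 0; i < 4; i++)
        t |= (uint32_t)buf[1 + i] << (8 * i);
    if (target) *target = t;
    return 1;
}

int main(void)
{
    /* Constructed sample address, not a real module address. */
    uint32_t fake_exit_process = 0x7C81CAFAu;
    uint8_t patched[PATCH_LEN];
    /* Constructed bytes that do not form the stub. */
    const uint8_t unpatched[PATCH_LEN] = {0x6A, 0x08, 0x68, 0x00, 0x10, 0x40};
    uint32_t target = 0;

    encode_push_ret(patched, fake_exit_process);
    if (decode_push_ret(patched, sizeof patched, &target))
        printf("patched: redirects to 0x%08X\n", (unsigned)target);
    if (!decode_push_ret(unpatched, sizeof unpatched, &target))
        printf("unpatched: no push/ret stub\n");
    return 0;
}
```

In practice the bytes passed to decode_push_ret would be read from the start of DbgUiRemoteBreakin in the process under inspection, and the decoded target compared with the address of ExitProcess.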