Anti-piracy tip: Prevent debugging (Windows)

Share your advanced PureBasic knowledge/code with the community.
Opcode
Enthusiast
Posts: 137
Joined: Thu Jul 18, 2013 4:58 am

Re: Anti-piracy tip: Prevent debugging (Windows)

Post by Opcode »

BarryG wrote:
Opcode wrote: Here's another method to add to the collection. Easy to implement, easy to bypass. Still something though.

Code:

Procedure PatchDbgUiRemoteBreakin()
  ; 32-bit x86 only: the 6-byte stub written below is "push imm32 / ret",
  ; which cannot carry a 64-bit address.
  Protected.l DbgAddr, oProtect
  
  ; Thread entry point that DebugActiveProcess() uses for the remote break-in thread
  DbgAddr = GetProcAddress_(GetModuleHandle_("ntdll.dll"), "DbgUiRemoteBreakin")
  
  ; Make the code page writable so the first 6 bytes can be overwritten
  VirtualProtect_(DbgAddr, 6, #PAGE_EXECUTE_READWRITE, @oProtect)
  
  PokeB(DbgAddr + 0, $68)   ; push imm32
  PokeL(DbgAddr + 1, GetProcAddress_(GetModuleHandle_("kernel32.dll"), "ExitProcess")) ; imm32 = address of ExitProcess
  PokeB(DbgAddr + 5, $C3)   ; ret, so execution continues in ExitProcess
  
  ; Restore the original page protection
  VirtualProtect_(DbgAddr, 6, oProtect, @oProtect)
  
EndProcedure
What does this do? And do you just call that procedure alone to protect your exe?
waliedassar wrote:A debugger calls the "DebugActiveProcess" function which ends up with calling the "RtlCreateUserThread" function to create a new remote thread into the target process, with the "DbgUiRemoteBreakin" function as the new thread entry point.
This just patches DbgUiRemoteBreakin so it redirects to ExitProcess. You would just call it once somewhere at the start of your program to apply the patch and that's it.
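An added example, not from Opcode's post or from any other forum member, showing the check an analyst (or the program itself, as a self-integrity test) can run to tell whether the stub described above is in place: it reads the first 6 bytes of DbgUiRemoteBreakin in the current process and compares the pushed address with ExitProcess. Like the original patch it assumes 32-bit x86; the procedure name and return codes are my own. Keep the limit of the technique in mind: DbgUiRemoteBreakin is only used when a debugger attaches to an already running process, so a debugger that launches the executable itself never goes through it.

```purebasic
; Added example (not code from the original post). 32-bit x86 only, like the patch itself.
; Returns -1 if the exports cannot be resolved, 0 if the original prologue is in place,
; 1 if a "push ExitProcess / ret" stub is present, 2 if a push/ret stub points elsewhere.
Procedure.i IsDbgUiRemoteBreakinPatched()
  Protected DbgAddr.i  = GetProcAddress_(GetModuleHandle_("ntdll.dll"), "DbgUiRemoteBreakin")
  Protected ExitAddr.i = GetProcAddress_(GetModuleHandle_("kernel32.dll"), "ExitProcess")
  
  If DbgAddr = 0 Or ExitAddr = 0
    ProcedureReturn -1          ; could not resolve the exports
  EndIf
  
  ; Encoding written by the patch: $68 <imm32> (push imm32) followed by $C3 (ret)
  If PeekA(DbgAddr) = $68 And PeekA(DbgAddr + 5) = $C3
    If PeekL(DbgAddr + 1) = ExitAddr
      ProcedureReturn 1         ; redirected to ExitProcess, the patch from the thread
    EndIf
    ProcedureReturn 2           ; push/ret stub, but to some other address
  EndIf
  
  ProcedureReturn 0             ; original prologue still in place
EndProcedure

; Usage: run once before and once after calling PatchDbgUiRemoteBreakin()
Select IsDbgUiRemoteBreakinPatched()
  Case -1 : Debug "Could not resolve DbgUiRemoteBreakin or ExitProcess"
  Case 0  : Debug "DbgUiRemoteBreakin: original code in place"
  Case 1  : Debug "DbgUiRemoteBreakin: redirected to ExitProcess"
  Case 2  : Debug "DbgUiRemoteBreakin: push/ret stub to another address"
EndSelect
```

The check reads only the 6 bytes the patch touches; a fuller integrity test would compare the whole function against the bytes of ntdll.dll on disk, which also catches other inline hooks at the same location.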
Kwai chang caine
Always Here
Posts: 5353
Joined: Sun Nov 05, 2006 11:42 pm
Location: Lyon - France

Re: Anti-piracy tip: Prevent debugging (Windows)

Post by Kwai chang caine »

Excuse me if I disturb this nice expert discussion :oops:
But I read three words together: "Debug", "attacking" and "piracy" :shock:

Before, in my enterprise, I had W7 and SYMANTEC.
For several weeks I have had a new laptop with W10 and still SYMANTEC, but apparently the network admin has chosen the strictest rules for W10 :|
And since I have had this new machine, SYMANTEC sees viruses everywhere, and the admin wants to disable all my USB ports, so I can't connect any external devices :evil:

So I have seen a strange behaviour: if I run PB code in debugger mode, SYMANTEC immediately reports a virus and deletes the temporary "PureBasic_Compilation0.exe"... and my admin is notified too :?
If I run the same code without debugger mode, nothing happens :shock: and I have no explanation for this behaviour.

Do you believe that my problem has something to do with your discussion?
Thanks in advance 8)
The happiness is a road...
Not a destination