Tyranid mentioned our debug object trick in a blog post, and showed that it can be bypassed by the target process modifying the security descriptor of its own debug handle object to contain no ACEs.
We should fix this, checking only for STATUS_PORT_NOT_SET as an error code, rather than just looking to see if the API call fails.
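As an added illustration of the proposed fix (this is example code written for this note, not the project's own implementation), the decision logic below distinguishes three outcomes of the ProcessDebugObjectHandle query instead of two: STATUS_SUCCESS (a debug object handle came back, so a debugger is attached), STATUS_PORT_NOT_SET (the kernel says there is no debug port), and anything else, which the old "did the call fail?" test wrongly folded into "not debugged". The NTSTATUS values are the standard ones from ntstatus.h; the information-class value 30 for ProcessDebugObjectHandle and the dynamic lookup of NtQueryInformationProcess from ntdll are assumptions based on public documentation of that interface, since winternl.h does not declare that class. The Windows-specific part is guarded so the decision function itself can be compiled and checked anywhere.

```c
#include <stdint.h>
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* NTSTATUS codes as defined in ntstatus.h. */
#define NT_STATUS_SUCCESS        0x00000000u
#define NT_STATUS_ACCESS_DENIED  0xC0000022u
#define NT_STATUS_PORT_NOT_SET   0xC0000353u

enum debug_state {
    DEBUG_STATE_NOT_DEBUGGED, /* kernel reported no debug port on the process  */
    DEBUG_STATE_DEBUGGED,     /* a debug object handle was returned            */
    DEBUG_STATE_UNKNOWN       /* query failed for some other reason: not proof */
};

/* Corrected logic: only STATUS_PORT_NOT_SET means "no debugger". A target that
 * strips the ACEs from its debug object makes the handle open fail with a
 * different status (e.g. STATUS_ACCESS_DENIED), which lands in UNKNOWN rather
 * than being mistaken for "not debugged". */
enum debug_state classify_debug_query(uint32_t status)
{
    if (status == NT_STATUS_SUCCESS)      return DEBUG_STATE_DEBUGGED;
    if (status == NT_STATUS_PORT_NOT_SET) return DEBUG_STATE_NOT_DEBUGGED;
    return DEBUG_STATE_UNKNOWN;
}

/* The old, bypassable logic kept for comparison: any failure is "not debugged". */
bool old_check_says_not_debugged(uint32_t status)
{
    return status != NT_STATUS_SUCCESS;
}

#ifdef _WIN32
/* Assumed value of the ProcessDebugObjectHandle information class (not in winternl.h). */
#define PROCESS_DEBUG_OBJECT_HANDLE_CLASS ((PROCESSINFOCLASS)30)

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS,
                                                      PVOID, ULONG, PULONG);

/* Query a process handle opened with PROCESS_QUERY_INFORMATION and classify the result. */
enum debug_state query_debug_state(HANDLE process)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) return DEBUG_STATE_UNKNOWN;

    NtQueryInformationProcess_t query =
        (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess");
    if (query == NULL) return DEBUG_STATE_UNKNOWN;

    HANDLE debug_object = NULL;
    NTSTATUS status = query(process, PROCESS_DEBUG_OBJECT_HANDLE_CLASS,
                            &debug_object, sizeof(debug_object), NULL);

    enum debug_state state = classify_debug_query((uint32_t)status);
    if (state == DEBUG_STATE_DEBUGGED && debug_object != NULL)
        CloseHandle(debug_object); /* we only needed to know it exists */
    return state;
}
#endif
```

The caller should treat DEBUG_STATE_UNKNOWN as "could not verify" and log the raw status, since a status other than the two expected ones is itself a signal that the target has tampered with its debug object or that the query lacked access.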