hasherezade
commented
11 months ago looks good, thank you!
Closed cecio closed 11 months ago
hasherezade
commented
11 months ago looks good, thank you!
cecio
commented
11 months ago Thanks!
I added some additional API tracking for AntiDebug:
kernel32!DebugActiveProcess(),ntdll!DbgUiDebugActiveProcess()andntdll!NtDebugActiveProcess()) https://anti-debug.checkpoint.com/techniques/interactive.html#self-debuggingGenerateConsoleCtrlEventhttps://anti-debug.checkpoint.com/techniques/interactive.html#generateconsolectrleventBlockInputhttps://anti-debug.checkpoint.com/techniques/interactive.html#blockinputFor the first two, given the fact that they should be pretty peculiar, I just added the tracking, without additional checks. Especially for the first point: since these are active debugging functions, they shouldn't be called outside antidebug tricks (unless we trace a debugger).
For the
BlockInputI added a counter, to track if there is more than one call.As usual, let me know if you think any re-work is needed. Thanks a lot!