I added some additional API tracking for AntiDebug:

- kernel32!DebugActiveProcess(), ntdll!DbgUiDebugActiveProcess() and ntdll!NtDebugActiveProcess(): https://anti-debug.checkpoint.com/techniques/interactive.html#self-debugging
- GenerateConsoleCtrlEvent: https://anti-debug.checkpoint.com/techniques/interactive.html#generateconsolectrlevent
- BlockInput: https://anti-debug.checkpoint.com/techniques/interactive.html#blockinput

For the first two, given the fact that they should be pretty peculiar, I just added the tracking, without additional checks. Especially for the first point: since these are active debugging functions, they shouldn't be called outside antidebug tricks (unless we trace a debugger).

For the BlockInput I added a counter, to track if there is more than one call.

As usual, let me know if you think any re-work is needed. Thanks a lot!
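The tracking rule described above, sketched as an added example over a constructed API trace; this is not the code from this change. The `(pid, api)` event format, the per-process counter and the `scan_trace` name are assumptions made for the illustration.

```python
from collections import Counter

# Function names come from the description above; everything else is assumed.
SELF_DEBUG_APIS = {
    "DebugActiveProcess",
    "DbgUiDebugActiveProcess",
    "NtDebugActiveProcess",
}
CONSOLE_CTRL_API = "GenerateConsoleCtrlEvent"
BLOCK_INPUT_API = "BlockInput"


def scan_trace(events):
    """Return (pid, api, reason) findings for a list of (pid, "module!Api") calls."""
    findings = []
    block_input_calls = Counter()  # hypothetical: one counter per process
    for pid, api in events:
        name = api.split("!")[-1]  # drop the module prefix if present
        if name in SELF_DEBUG_APIS or name == CONSOLE_CTRL_API:
            # Peculiar enough to record on the first call, no extra checks.
            findings.append((pid, name, "tracked"))
        elif name == BLOCK_INPUT_API:
            block_input_calls[pid] += 1
            # Report once, at the moment the count goes above one call.
            if block_input_calls[pid] == 2:
                findings.append((pid, name, "called more than once"))
    return findings


# Constructed sample trace (not taken from a real run).
SAMPLE_TRACE = [
    (1204, "kernel32!CreateFileW"),
    (1204, "user32!BlockInput"),
    (1204, "ntdll!NtDebugActiveProcess"),
    (1204, "user32!BlockInput"),
    (1204, "user32!BlockInput"),
    (3380, "user32!BlockInput"),
    (3380, "kernel32!GenerateConsoleCtrlEvent"),
]

if __name__ == "__main__":
    for finding in scan_trace(SAMPLE_TRACE):
        print(finding)
```

When the traced sample is itself a debugger, the "tracked" findings for the debugging functions are expected behaviour rather than an anti-debug indicator.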