I added 3 commits with some new Antidebug detections. Let me know what you think and/or if any rework is needed. Thanks!

EnumWindows() and SuspendThread()
https://anti-debug.checkpoint.com/techniques/interactive.html#suspendthread
I placed this under DEEP level. Instead of hooking SuspendThread (as suggested in the CP article), I preferred to hook GetWindowTextA and GetWindowTextW for the following reasons:
- SuspendThread is often used for other purposes
- the GetWindowText functions are also used for other Antidebug checks, so even these will be covered here
Obviously there are legit uses of these functions, so that's why I placed it under DEEP level.

SwitchDesktop()
https://anti-debug.checkpoint.com/techniques/interactive.html#switchdesktop
Just checking for the function call. Nothing special to note here.

OutputDebugString
https://anti-debug.checkpoint.com/techniques/interactive.html#outputdebugstring
As the article says, this is an old technique, but used a lot in the past, so maybe it's worth adding. Considering the possible legit usage, I put it under DEEP level.
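The reporting-level idea from this PR (noisy hooks such as GetWindowText* reported only at DEEP level, promoted when the full EnumWindows/SuspendThread pattern is visible) as an added example that is not the project's own code or the author's: the hook table, the level names, the `WINDOW` size and the sample call trace are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    seq: int       # position in the trace
    api: str       # hooked Win32 API name
    arg: str = ""  # first argument of interest, if any


# Hooks named in the PR and the level at which each is worth reporting.
# "DEEP" marks checks whose APIs also have common legitimate uses (assumed names).
HOOKS = {
    "GetWindowTextA": ("EnumWindows/SuspendThread", "DEEP"),
    "GetWindowTextW": ("EnumWindows/SuspendThread", "DEEP"),
    "SwitchDesktop": ("SwitchDesktop", "NORMAL"),
    "OutputDebugStringA": ("OutputDebugString", "DEEP"),
    "OutputDebugStringW": ("OutputDebugString", "DEEP"),
}
LEVEL_RANK = {"NORMAL": 0, "DEEP": 1}
WINDOW = 8  # how many later calls a SuspendThread may trail a GetWindowText* and still correlate


def classify(trace, level="NORMAL"):
    """Return (technique, level, seq) for every hooked call at or below `level`."""
    hits = []
    for i, call in enumerate(trace):
        if call.api not in HOOKS:
            continue
        technique, lvl = HOOKS[call.api]
        if call.api.startswith("GetWindowText"):
            # A window-title read followed shortly by SuspendThread is the full
            # pattern from the CP article, so promote it from DEEP to NORMAL.
            if any(c.api == "SuspendThread" for c in trace[i + 1:i + 1 + WINDOW]):
                lvl = "NORMAL"
        if LEVEL_RANK[lvl] <= LEVEL_RANK[level]:
            hits.append((technique, lvl, call.seq))
    return hits


# Constructed sample trace, not real tool output.
SAMPLE_TRACE = [
    Call(1, "EnumWindows"),
    Call(2, "GetWindowTextW", "sample window title"),
    Call(3, "SuspendThread"),
    Call(4, "CreateFileW", "C:\\temp\\log.txt"),
    Call(5, "OutputDebugStringA", "status message"),
    Call(6, "SwitchDesktop"),
    Call(7, "GetWindowTextA", "another title"),
]

if __name__ == "__main__":
    for hit in classify(SAMPLE_TRACE, "DEEP"):
        print(hit)
```

Running at the default NORMAL level reports only the correlated title scan and SwitchDesktop; DEEP adds the OutputDebugString call and the uncorrelated GetWindowTextA read.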