[FEATURE} Added 3 new detections

cecio commented 9 months ago

I added 3 commits with some new Antidebug detections. Let me know what you think and/or if any rework is needed. Thanks!

EnumWindows() and SuspendThread()

https://anti-debug.checkpoint.com/techniques/interactive.html#suspendthread

I placed this under DEEP level. Instead of hooking SuspendThread (as suggested in the CP article), I preferred to hook GetWindowTextA and GetWindowsTextW for the following reasons:

SuspendThread is often used for other purposes
the GetWindowText function are also used for other Antidebug checks, so even these will be covered here

Obviously there are legit uses of these functions, so that's why I placed it under DEEP level

SwitchDesktop()

https://anti-debug.checkpoint.com/techniques/interactive.html#switchdesktop

Just checking for the function call. Nothing special to note here

OutputDebugString

https://anti-debug.checkpoint.com/techniques/interactive.html#outputdebugstring

As the article says, this is an old technique, but used a lot in the past, so may be it's worth to be added. Considering the possible legit usage, I put it under DEEP level.

hasherezade commented 9 months ago

Thank you!

cecio commented 9 months ago

Thanks!

hasherezade / tiny_tracer