hasherezade / tiny_tracer

A Pin Tool for tracing API calls etc
1.29k stars, 141 forks

tiny_tracer is detected by WinLicense. What should I do? #60

Open x64bugreport opened 3 months ago

x64bugreport commented 3 months ago

@hasherezade Sorry, I'm disturbing you again. When I traced the WinLicense-protected program, it was detected and a prompt said that a debugger was found. According to my understanding, Pin does not trigger the debugging status, nor the exceptions that a debugger generates at runtime and that the related API detection returns. The only thing that comes to mind is the time difference, but you've already dealt with RDTSC, and in the actual test it is still detected. I have no idea how to deal with this detection. Do you have any good method to locate this detection and handle it? The following is the test program I provided. You can debug it with confidence; the main program has a trusted digital signature. After tracing winlicense.exe for a few seconds, "debugger found" is reported via MessageBoxExW.

https://mega.nz/file/xJY3WTaY#1kpLBZ1FxXQU2yGrRVvBMlUykHeROZBceHuWaj9f0b4

The decompression password of the test case compressed package is 123. I look forward to your reply. Thank you very much.

x64bugreport commented 3 months ago

Setting ANTIDEBUG=1 or 2 in TinyTracer.ini: neither can bypass the debugger detection.

hasherezade commented 3 months ago

Hi @x64bugreport! Thanks for reporting. I reproduced it, and will investigate it soon.

x64bugreport commented 3 months ago

@hasherezade I continued researching for two days, but still made no progress. Have you made any progress?

x64bugreport commented 3 months ago

Is there any progress on this case? @hasherezade

hasherezade commented 2 months ago

It is on my TODO, I will take care of this when I get some free time.

x64bugreport commented 2 months ago

@hasherezade Thank you very much for your reply. I have not found the key point of this detection so far. If you solve this case later, I hope you can reply to me. Thank you very much.

hasherezade commented 2 months ago

@x64bugreport - sure I will let you know!

x64bugreport commented 3 weeks ago

@hasherezade Is there any progress?

greenozon commented 1 week ago

How about running the ScyllaHide injector tool, which will fix the Themida/WinLicense anti-debug?

x64bugreport commented 5 days ago

@hasherezade I think it may be the Pin environment that causes certain debugging states to be detected. I don't understand why instrumentation triggers debugging-related flags to be set. Did you find the cause of this issue?

hasherezade commented 5 days ago

I didn't spot anything obvious, and I don't have time to dig deeper for now. It may be about some slowdown introduced by the tracing itself.

HongThatCong commented 1 day ago

I am also looking into this issue.

I see 2 suspicious points about WinLicense's antidebug technique:

  1. Using RaiseException: AddVectoredExceptionHandler -> RaiseException with exception = 0xC00000008E (FLOATING_POINT_EXCEPTION) -> call the vectored handler -> RemoveVectoredExceptionHandler

  2. Calling KiUserExceptionDispatcher directly to execute the pre-installed exception handler