horsicq / pex64dbg

MIT License

Handle leak allows debugger detection #7

Open mrexodia opened 11 months ago

mrexodia commented 11 months ago

Fix in x64dbg: https://github.com/x64dbg/x64dbg/pull/3234

Reproduction code (you need to run it on an x64dbg with the fix above, otherwise it triggers anyway):

```cpp
#include <Windows.h>
#include <cstdio>
#include <cinttypes>

int main()
{
    puts("");

    // Path of the debuggee itself, so the second open targets the file the debugger has loaded.
    wchar_t executablePath[MAX_PATH] = L"";
    GetModuleFileNameW(0, executablePath, _countof(executablePath));

    // dwShareMode = 0 requests exclusive access: the open fails with ERROR_SHARING_VIOLATION (32)
    // while any other process, such as the debugger, still holds a handle to the file.
    auto hNtdll = CreateFileW(L"C:\\Windows\\system32\\ntdll.dll", GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
    printf("[AntiDebugHandle] ntdll: 0x%zX (LastError: %u)\n", (uintptr_t)hNtdll, GetLastError());

    auto hExe = CreateFileW(executablePath, GENERIC_READ, 0, nullptr, OPEN_EXISTING, 0, nullptr);
    printf("[AntiDebugHandle] exe: 0x%zX (LastError: %u)\n", (uintptr_t)hExe, GetLastError());

    // Release whatever did open, so this repro does not leave exclusive handles behind itself.
    if (hNtdll != INVALID_HANDLE_VALUE) CloseHandle(hNtdll);
    if (hExe != INVALID_HANDLE_VALUE) CloseHandle(hExe);

    puts("");
}
```

You would probably need to create a fake QIODevice (or whatever is the abstract of QFile) and use a file mapping backend. Once you have the section mapping open you can close the file handle and things will work fine.
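The mapping-backed approach suggested above, as an added example that is neither pex64dbg's nor x64dbg's code: open the file, create the section, close the file handle at once, and read only through the view (a POSIX mmap branch is included so it also builds off Windows; `readViaMapping`, `demoRoundTrip` and the sample file names are assumptions).

```cpp
// Added example (not pex64dbg or x64dbg code): read a file through a section mapping and close
// the file handle immediately, so nothing is left for a dwShareMode 0 open of the same file to hit.
#include <cstdio>
#include <fstream>
#include <string>
#ifdef _WIN32
#include <Windows.h>
#else
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#endif

// Returns the file contents read through a mapping, or "" on failure. The file handle is
// closed as soon as the section exists; only the section/view keep the file referenced.
std::string readViaMapping(const std::string& path) {
    std::string out;
#ifdef _WIN32
    // Share flags alone do not hide this open from a debuggee's dwShareMode 0 CreateFile; closing does.
    HANDLE hFile = CreateFileA(path.c_str(), GENERIC_READ,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, nullptr, OPEN_EXISTING, 0, nullptr);
    if (hFile == INVALID_HANDLE_VALUE) return out;
    DWORD size = GetFileSize(hFile, nullptr);  // low 32 bits suffice for this example
    HANDLE hSection = CreateFileMappingW(hFile, nullptr, PAGE_READONLY, 0, 0, nullptr);  // NULL for empty files
    CloseHandle(hFile);  // the file handle is gone; only the section keeps the file referenced
    if (!hSection) return out;
    const char* view = static_cast<const char*>(MapViewOfFile(hSection, FILE_MAP_READ, 0, 0, 0));
    CloseHandle(hSection);  // the view keeps the section alive until UnmapViewOfFile
    if (view) { out.assign(view, size); UnmapViewOfFile(view); }
#else
    int fd = open(path.c_str(), O_RDONLY);  // POSIX counterpart: mmap(), then close()
    if (fd < 0) return out;
    struct stat st{};
    void* p = fstat(fd, &st) ? MAP_FAILED : mmap(nullptr, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);  // the descriptor is gone; the mapping keeps the file referenced
    if (p != MAP_FAILED) { out.assign(static_cast<const char*>(p), (size_t)st.st_size); munmap(p, (size_t)st.st_size); }
#endif
    return out;
}

// Writes a constructed sample file, reads it back through the mapping, and deletes it.
bool demoRoundTrip(const std::string& path, const std::string& content) {
    { std::ofstream f(path, std::ios::binary); if (!f) return false; f << content; }
    bool same = readViaMapping(path) == content;
    std::remove(path.c_str());
    return same;
}
```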

horsicq commented 11 months ago

Thanks! I will take a look.