NtQuerySystemInformation
Query the SystemHandleInformation class (or SystemExtendedHandleInformation, whose SYSTEM_HANDLE_INFORMATION_EX entries carry full-width handle values and process IDs; the basic entry stores the handle value in a USHORT, so handle values above 0xFFFF in a 64-bit process are truncated) to enumerate every handle in the system together with the owning process ID and the kernel address of the object it refers to.
When a debugger is attached, the kernel raises a thread-creation debug event for every new thread in the debuggee. While building that event, DbgkpOpenHandles opens a handle to the newly created thread in the debugger process (it is the hThread the debugger sees in CREATE_THREAD_DEBUG_INFO), and that handle stays open in the debugger until the thread exits.
So we create a new thread, enumerate the handle table, find our own handle to that thread and read its Object field, which is the ETHREAD address.
Then we scan the table again (the same snapshot is enough) for any handle owned by another process whose Object is that same ETHREAD. If one exists, another process is holding our freshly created thread, which is exactly what a debugger does, so we can tell we are being debugged. Two caveats a practitioner should keep in mind: any other process that opens our threads (Process Explorer, an EDR agent) produces the same signal, so a hit means "someone holds a handle to our thread" rather than proof of a debugger, and if our own handle cannot be found in the table (truncated handle value, or an Object field that is not disclosed to us) the check is inconclusive rather than negative.
/* One entry of the array returned for the SystemHandleInformation class (the
 * official name is SYSTEM_HANDLE_TABLE_ENTRY_INFO; the returned buffer starts
 * with a ULONG NumberOfHandles, followed by this array). ProcessId spans the
 * official USHORT UniqueProcessId and USHORT CreatorBackTraceIndex fields, so
 * mask it with 0xFFFF to get the PID. Handle is only 16 bits wide: use
 * SYSTEM_HANDLE_INFORMATION_EX (SystemExtendedHandleInformation) when handle
 * values can exceed 0xFFFF. */
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;              /* kernel object address; PETHREAD for a thread handle */
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
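The check described above, written out as an added example (this is not the post's code and not the contents of Demo.zip). The portable part is the handle-table scan: look up our own handle to the probe thread, take its Object, and search for the same Object under a different PID. It runs over a constructed sample table with made-up PIDs, handle values and object addresses, so the logic can be exercised anywhere; the Windows-only part under _WIN32 creates the probe thread, snapshots the real table through NtQuerySystemInformation (class 16, resolved from ntdll at run time) and runs the same scan on it. The entry layout mirrors the struct quoted on the page; the names HANDLE_ENTRY, HANDLE_TABLE, suspected_debugger_pid and the helpers are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* One SystemHandleInformation (class 16) entry. The low 16 bits of ProcessId
 * are the owning PID; Handle is only 16 bits wide, which is why the _EX class
 * exists for 64-bit processes with large handle values. */
typedef struct _HANDLE_ENTRY {
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    void    *Object;         /* kernel address of the object (ETHREAD for a thread) */
    uint32_t GrantedAccess;
} HANDLE_ENTRY;

/* The buffer NtQuerySystemInformation fills: a count, then the entry array. */
typedef struct _HANDLE_TABLE {
    uint32_t     NumberOfHandles;
    HANDLE_ENTRY Handles[1];
} HANDLE_TABLE;

/* Step 1: the kernel object behind one of our own handles (NULL if the handle
 * is not in the table or its Object field was not disclosed to us). */
const void *object_of_handle(const HANDLE_ENTRY *t, size_t n, uint32_t pid, uint16_t h)
{
    for (size_t i = 0; i < n; i++)
        if ((t[i].ProcessId & 0xFFFF) == pid && t[i].Handle == h)
            return t[i].Object;
    return NULL;
}

/* Step 2: PID of the first *other* process holding a handle to that object,
 * 0 if there is none. */
uint32_t foreign_holder(const HANDLE_ENTRY *t, size_t n, uint32_t pid, const void *obj)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].Object == obj && (t[i].ProcessId & 0xFFFF) != pid)
            return t[i].ProcessId & 0xFFFF;
    return 0;
}

/* Combined check: PID of a process holding a handle to our probe thread (the
 * suspected debugger), 0 if nobody does, UINT32_MAX if inconclusive. */
uint32_t suspected_debugger_pid(const HANDLE_ENTRY *t, size_t n, uint32_t pid, uint16_t thread_handle)
{
    const void *obj = object_of_handle(t, n, pid, thread_handle);
    if (obj == NULL) return UINT32_MAX;
    return foreign_holder(t, n, pid, obj);
}

/* Constructed sample table (made-up PIDs, handles and object addresses, not
 * real kernel data): PID 1234 is "us", PID 4321 plays the debugger. */
#define OBJ(x) ((void *)(uintptr_t)(x))
const HANDLE_ENTRY SAMPLE[] = {
    { 1234, 8, 0, 0x0044, OBJ(0xA100), 0x1FFFFF }, /* our handle to our new thread */
    { 1234, 8, 0, 0x0048, OBJ(0xA200), 0x1FFFFF }, /* our handle to another thread */
    { 4321, 8, 0, 0x0120, OBJ(0xA100), 0x1FFFFF }, /* debugger's handle to that ETHREAD */
    {  777, 5, 0, 0x0010, OBJ(0xB000), 0x100000 }, /* unrelated process and object */
    { 1234, 8, 0, 0x004C, OBJ(0),      0x1FFFFF }, /* Object hidden: cannot be compared */
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Snapshot the whole handle table, growing the buffer until it fits. */
static HANDLE_TABLE *snapshot(void)
{
    NtQSI_t q = (NtQSI_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    ULONG size = 1 << 20, need = 0; LONG st; BYTE *buf = NULL;
    if (!q) return NULL;
    do {
        free(buf);
        if (!(buf = (BYTE *)malloc(size))) return NULL;
        st = q(16 /* SystemHandleInformation */, buf, size, &need);
        size *= 2;
    } while (st == (LONG)0xC0000004 /* STATUS_INFO_LENGTH_MISMATCH */);
    if (st != 0) { free(buf); return NULL; }
    return (HANDLE_TABLE *)buf;
}

static DWORD WINAPI park(LPVOID ev) { WaitForSingleObject((HANDLE)ev, INFINITE); return 0; }

int main(void)
{
    HANDLE ev = CreateEventW(NULL, TRUE, FALSE, NULL);
    HANDLE th = CreateThread(NULL, 0, park, ev, 0, NULL);   /* the probe thread */
    HANDLE_TABLE *tab = snapshot();
    if (!ev || !th || !tab) return 2;
    /* a handle value that does not fit in 16 bits cannot be matched in class 16 */
    uint16_t h16 = (uintptr_t)th <= 0xFFFF ? (uint16_t)(uintptr_t)th : 0;
    uint32_t who = suspected_debugger_pid(tab->Handles, tab->NumberOfHandles,
                                          GetCurrentProcessId(), h16);
    if (who == UINT32_MAX) puts("inconclusive (own thread handle not visible in the table)");
    else if (who) printf("debugger suspected: PID %lu holds a handle to our thread\n", (unsigned long)who);
    else puts("no foreign handle to our thread");
    SetEvent(ev); WaitForSingleObject(th, INFINITE); free(tab);
    return who != 0;
}
#endif
```

On Windows, build with the C compiler of your choice and run it once normally and once under a debugger; the probe thread is created after start-up so the debugger receives its thread-creation event and keeps the handle until the thread is released by SetEvent. The three-way result (found, not found, inconclusive) is deliberate: a missing Object or an oversized handle value must not be reported as "not debugged".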
Demo.zip
https://hbxiaock.baklib-free.com/AntiDebug/681d
I'm not sure about the ObjectTypeNumber on XP.