x64dbg / ScyllaHide

Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
GNU General Public License v3.0

Support for the anti-debug trick via OutputDebugStringW on Windows 10 #80

Open prolium opened 5 years ago

prolium commented 5 years ago

Windows 10 has a separate implementation for OutputDebugStringW rather than passing the string to OutputDebugStringA, quoting their note:

Important In the past, the operating system did not output Unicode strings via OutputDebugStringW and instead only output ASCII strings. To force OutputDebugStringW to correctly output Unicode strings, debuggers are required to call WaitForDebugEventEx to opt into the new behavior. On calling WaitForDebugEventEx, the operating system will know that the debugger supports Unicode and is specifically opting into receiving Unicode strings.

The plugin (if I'm not mistaken) currently supports OutputDebugStringA only. This article (by ntquery) talks about this: https://ntquery.wordpress.com/2015/09/07/windows-10-new-anti-debug-outputdebugstringw/

Mattiwatti commented 5 years ago

The plugin (if I'm not mistaken) currently supports OutputDebugStringA only.

Correct. Strangely we do have a test for OutputDebugStringW in ScyllaTest...

I tried it in x64dbg and WinDbg: x64dbg passes because it does not call WaitForDebugEventEx, WinDbg fails because it does call the new wait function on Windows 10 and uses the Unicode buffer. Even setting the DBG_PRINTEXCEPTION_WIDE_C exception to 'ignore, not handled' doesn't help.

This should definitely be added at some point but I'm not in a rush with it, since it's one more checkbox to add to the too many we've already got in the GUI, for a pretty obscure anti-debug technique. If you find something that actually uses this in the wild that changes things of course.