AntiDebugging
Anti Debugging C++ Class
Techniques Covered
searchSoftwareBreakpoints(PVOID mAddress):
Searches for software breakpoints in the memory at the specified address (mAddress).
It looks for the byte 0xCC (int 3), which is a common opcode used for software breakpoints.
searchHardwareBreakpoints(HANDLE tHandle):
Checks for the presence of hardware breakpoints in the specified thread (tHandle).
Reads the thread's context into a CONTEXT structure and inspects the debug registers.
debuggerPresent():
Uses the WinAPI function IsDebuggerPresent() to check if the process is being debugged.
antiDbgBreakPoint():
Attempts to disable the DbgBreakPoint function by overwriting its first byte with 0xC3 (ret), using VirtualProtect to make the page writable.
antiDbgUiRemoteBreakin():
Attempts to modify the DbgUiRemoteBreakin function to prevent remote debugging.
Creates a custom patch (DbgUiRemoteBreakinPatch) and applies it to the DbgUiRemoteBreakin function.
isDebuggerPresentInRemoteProcess(HANDLE hProcess):
Checks if a debugger is present in a remote process specified by the hProcess handle.
Uses the CheckRemoteDebuggerPresent function.
patchDebuggingFunctions():
Calls both antiDbgBreakPoint() and antiDbgUiRemoteBreakin() to apply the patches.
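What a debug-register check such as searchHardwareBreakpoints has to decode, as an added example that is not code from this repository: DR0-DR3 hold addresses, but a slot is armed only when its enable bits in DR7 are set. The DebugRegs struct is a hypothetical stand-in for the Dr0..Dr3 and Dr7 fields of CONTEXT (on Windows these are filled by GetThreadContext with CONTEXT_DEBUG_REGISTERS), and the sample register values are constructed.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the Dr0..Dr3 and Dr7 fields of the Windows CONTEXT structure
// (hypothetical type, so the example builds without <windows.h>).
struct DebugRegs {
    std::array<std::uint64_t, 4> dr;  // Dr0..Dr3: breakpoint addresses
    std::uint64_t dr7;                // Dr7: debug control register
};
enum class BpKind { Execute = 0, Write = 1, IoReadWrite = 2, ReadWrite = 3 };

struct HwBreakpoint {
    int slot;               // 0..3
    std::uint64_t address;  // value of DRn
    BpKind kind;            // R/Wn field of DR7
    int length;             // watched bytes, from the LENn field of DR7
};

// Return the breakpoints that are actually armed: slot n is active only if
// its local (bit 2n) or global (bit 2n+1) enable bit is set in DR7.
std::vector<HwBreakpoint> activeHardwareBreakpoints(const DebugRegs& r) {
    static const int kLen[4] = {1, 2, 8, 4};  // LEN encodings 00, 01, 10, 11
    std::vector<HwBreakpoint> out;
    for (int n = 0; n < 4; ++n) {
        const bool enabled = ((r.dr7 >> (2 * n)) & 0x3) != 0;
        if (!enabled) continue;  // leftover address in DRn, not an armed breakpoint
        const unsigned rw  = (r.dr7 >> (16 + 4 * n)) & 0x3;
        const unsigned len = (r.dr7 >> (18 + 4 * n)) & 0x3;
        out.push_back({n, r.dr[n], static_cast<BpKind>(rw), kLen[len]});
    }
    return out;
}

// Constructed sample: slot 0 armed as an execute breakpoint (L0 set),
// slot 2 armed as a 4-byte write watchpoint (L2 set, R/W2=01, LEN2=11),
// slot 1 holds a leftover address but is not enabled.
DebugRegs sampleRegs() {
    DebugRegs r{};
    r.dr = {0x401000, 0x402000, 0x7ffe0000, 0};
    r.dr7 = (1ull << 0) | (1ull << 4) | (0x1ull << 24) | (0x3ull << 26);
    return r;
}

int main() {
    for (const auto& bp : activeHardwareBreakpoints(sampleRegs()))
        std::printf("DR%d armed, %d byte(s)\n", bp.slot, bp.length);
}
```

A check that only tests DR0-DR3 for nonzero values would report slot 1 in this sample, although DR7 shows it is not enabled.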
