├── .gitignore ├── README.md ├── Utils.h ├── bypasses ├── bypassCheckRemoteDebuggerPresent.h ├── bypassCreateToolhelp32Snapshot.h ├── bypassNtGlobalFlag.h ├── bypassUnhandledExceptionMethod.h ├── bypass_peb_64bit.asm ├── setPEB64HeavensGateDebuggerBypass.h └── setPEBDebuggerBypass.h ├── bypassing-anti-debugging.sln ├── bypassing-anti-debugging.vcxproj ├── bypassing-anti-debugging.vcxproj.filters ├── dllmain.cpp ├── framework.h ├── ntdll.h ├── pch.cpp └── pch.h /.gitignore: -------------------------------------------------------------------------------- 1 | console 2 | ## Ignore Visual Studio temporary files, build results, and 3 | ## files generated by popular Visual Studio add-ons. 4 | ## 5 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 6 | 7 | # User-specific files 8 | *.rsuser 9 | *.suo 10 | *.user 11 | *.userosscache 12 | *.sln.docstates 13 | 14 | # User-specific files (MonoDevelop/Xamarin Studio) 15 | *.userprefs 16 | 17 | # Mono auto generated files 18 | mono_crash.* 19 | 20 | # Build results 21 | [Dd]ebug/ 22 | [Dd]ebugPublic/ 23 | [Rr]elease/ 24 | [Rr]eleases/ 25 | x64/ 26 | x86/ 27 | [Ww][Ii][Nn]32/ 28 | [Aa][Rr][Mm]/ 29 | [Aa][Rr][Mm]64/ 30 | bld/ 31 | [Bb]in/ 32 | [Oo]bj/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*[.json, .xml, .info] 147 | 148 | # Visual Studio code coverage results 149 | *.coverage 150 | *.coveragexml 151 | 152 | # NCrunch 153 | _NCrunch_* 154 | .*crunch*.local.xml 155 | nCrunchTemp_* 156 | 157 | # MightyMoose 158 | *.mm.* 159 | AutoTest.Net/ 160 | 161 | # Web workbench (sass) 162 | .sass-cache/ 163 | 164 | # Installshield output folder 165 | [Ee]xpress/ 166 | 167 | # DocProject is a documentation generator add-in 168 | DocProject/buildhelp/ 169 | DocProject/Help/*.HxT 170 | DocProject/Help/*.HxC 171 | DocProject/Help/*.hhc 172 | DocProject/Help/*.hhk 173 | DocProject/Help/*.hhp 174 | DocProject/Help/Html2 175 | DocProject/Help/html 176 | 177 | # Click-Once directory 178 | publish/ 179 | 180 | # Publish Web Output 181 | *.[Pp]ublish.xml 182 | *.azurePubxml 183 | # Note: Comment the next line if you want to checkin your web deploy settings, 184 | # but database connection strings (with potential passwords) will be unencrypted 185 | *.pubxml 186 | *.publishproj 187 | 188 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 189 | # checkin your Azure Web App publish settings, but sensitive information contained 190 | # in these scripts will be unencrypted 191 | PublishScripts/ 192 | 193 | # NuGet Packages 194 | *.nupkg 195 | # NuGet Symbol Packages 196 | *.snupkg 197 | # The packages folder can be ignored because of Package Restore 198 | **/[Pp]ackages/* 199 | # except build/, which is used as an MSBuild target. 200 | !**/[Pp]ackages/build/ 201 | # Uncomment if necessary however generally it will be regenerated when needed 202 | #!**/[Pp]ackages/repositories.config 203 | # NuGet v3's project.json files produces more ignorable files 204 | *.nuget.props 205 | *.nuget.targets 206 | 207 | # Microsoft Azure Build Output 208 | csx/ 209 | *.build.csdef 210 | 211 | # Microsoft Azure Emulator 212 | ecf/ 213 | rcf/ 214 | 215 | # Windows Store app package directories and files 216 | AppPackages/ 217 | BundleArtifacts/ 218 | Package.StoreAssociation.xml 219 | _pkginfo.txt 220 | *.appx 221 | *.appxbundle 222 | *.appxupload 223 | 224 | # Visual Studio cache files 225 | # files ending in .cache can be ignored 226 | *.[Cc]ache 227 | # but keep track of directories ending in .cache 228 | !?*.[Cc]ache/ 229 | 230 | # Others 231 | ClientBin/ 232 | ~$* 233 | *~ 234 | *.dbmdl 235 | *.dbproj.schemaview 236 | *.jfm 237 | *.pfx 238 | *.publishsettings 239 | orleans.codegen.cs 240 | 241 | # Including strong name files can present a security risk 242 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 243 | #*.snk 244 | 245 | # Since there are multiple workflows, uncomment next line to ignore bower_components 246 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 247 | #bower_components/ 248 | 249 | # RIA/Silverlight projects 250 | Generated_Code/ 251 | 252 | # Backup & report files from converting an old project file 253 | # to a newer Visual Studio version. Backup files are not needed, 254 | # because we have git ;-) 255 | _UpgradeReport_Files/ 256 | Backup*/ 257 | UpgradeLog*.XML 258 | UpgradeLog*.htm 259 | ServiceFabricBackup/ 260 | *.rptproj.bak 261 | 262 | # SQL Server files 263 | *.mdf 264 | *.ldf 265 | *.ndf 266 | 267 | # Business Intelligence projects 268 | *.rdl.data 269 | *.bim.layout 270 | *.bim_*.settings 271 | *.rptproj.rsuser 272 | *- [Bb]ackup.rdl 273 | *- [Bb]ackup ([0-9]).rdl 274 | *- [Bb]ackup ([0-9][0-9]).rdl 275 | 276 | # Microsoft Fakes 277 | FakesAssemblies/ 278 | 279 | # GhostDoc plugin setting file 280 | *.GhostDoc.xml 281 | 282 | # Node.js Tools for Visual Studio 283 | .ntvs_analysis.dat 284 | node_modules/ 285 | 286 | # Visual Studio 6 build log 287 | *.plg 288 | 289 | # Visual Studio 6 workspace options file 290 | *.opt 291 | 292 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 293 | *.vbw 294 | 295 | # Visual Studio LightSwitch build output 296 | **/*.HTMLClient/GeneratedArtifacts 297 | **/*.DesktopClient/GeneratedArtifacts 298 | **/*.DesktopClient/ModelManifest.xml 299 | **/*.Server/GeneratedArtifacts 300 | **/*.Server/ModelManifest.xml 301 | _Pvt_Extensions 302 | 303 | # Paket dependency manager 304 | .paket/paket.exe 305 | paket-files/ 306 | 307 | # FAKE - F# Make 308 | .fake/ 309 | 310 | # CodeRush personal settings 311 | .cr/personal 312 | 313 | # Python Tools for Visual Studio (PTVS) 314 | __pycache__/ 315 | *.pyc 316 | 317 | # Cake - Uncomment if you are using it 318 | # tools/** 319 | # !tools/packages.config 320 | 321 | # Tabs Studio 322 | *.tss 323 | 324 | # Telerik's JustMock configuration file 325 | *.jmconfig 326 | 327 | # BizTalk build output 328 | *.btp.cs 329 | *.btm.cs 330 | *.odx.cs 331 | *.xsd.cs 332 | 333 | # OpenCover UI analysis results 334 | OpenCover/ 335 | 336 | # Azure Stream Analytics local run output 337 | ASALocalRun/ 338 | 339 | # MSBuild Binary and Structured Log 340 | *.binlog 341 | 342 | # NVidia Nsight GPU debugger configuration file 343 | *.nvuser 344 | 345 | # MFractors (Xamarin productivity tool) working folder 346 | .mfractor/ 347 | 348 | # Local History for Visual Studio 349 | .localhistory/ 350 | 351 | # BeatPulse healthcheck temp database 352 | healthchecksdb 353 | 354 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 355 | MigrationBackup/ 356 | 357 | # Ionide (cross platform F# VS Code tools) working folder 358 | .ionide/ 359 | 360 | # Fody - auto-generated XML schema 361 | FodyWeavers.xsd 362 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ricardonacif/gh-anti-debugging-bypass/14d5435bc45518892c62e18bf093e28344e048a2/README.md -------------------------------------------------------------------------------- /Utils.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "windows.h" 4 | #include "ntdll.h" 5 | 6 | 7 | 8 | namespace Utils 9 | { 10 | char* internalPatternScanner(const char* pattern, const char* mask, char* begin, intptr_t size) 11 | { 12 | intptr_t patternLen = strlen(mask); 13 | 14 | for (int i = 0; i < size; i++) 15 | { 16 | bool found = true; 17 | for (int j = 0; j < patternLen; j++) 18 | { 19 | if (mask[j] != '?' && pattern[j] != *(char*)((intptr_t)begin + i + j)) 20 | { 21 | found = false; 22 | break; 23 | } 24 | } 25 | if (found) 26 | { 27 | return (begin + i); 28 | } 29 | } 30 | return nullptr; 31 | } 32 | 33 | char* TO_CHAR(wchar_t* string) 34 | { 35 | size_t len = wcslen(string) + 1; 36 | char* c_string = new char[len]; 37 | size_t numCharsRead; 38 | wcstombs_s(&numCharsRead, c_string, len, string, _TRUNCATE); 39 | return c_string; 40 | } 41 | 42 | 43 | void Patch(char* dst, char* src, int size) 44 | { 45 | DWORD oldprotect; 46 | VirtualProtect(dst, size, PAGE_EXECUTE_READWRITE, &oldprotect); 47 | memcpy(dst, src, size); 48 | VirtualProtect(dst, size, oldprotect, &oldprotect); 49 | } 50 | 51 | 52 | void Hook(void* toBeHooked, void* whereToHookTo, uintptr_t length) { 53 | if (length < 5) 54 | { 55 | std::cout << "Unhookable! GTFOH." << "\n"; 56 | return; 57 | } 58 | 59 | DWORD oldprotect; 60 | VirtualProtect(toBeHooked, length, PAGE_EXECUTE_READWRITE, &oldprotect); 61 | 62 | memset(toBeHooked, 0x90, length); 63 | 64 | // Utils::Patch(toBeHooked,) 65 | // // calcular endereco: 66 | 67 | uintptr_t relativeAddress = ((uintptr_t)whereToHookTo - (uintptr_t)toBeHooked) - 5; 68 | 69 | *(BYTE*)toBeHooked = 0xE9; 70 | *(uintptr_t*)((uintptr_t)toBeHooked + 1) = relativeAddress; 71 | 72 | DWORD temp; 73 | 74 | VirtualProtect(toBeHooked, length, oldprotect, &temp); 75 | } 76 | 77 | 78 | 79 | RFW_LDR_DATA_TABLE_ENTRY* GetLDREntry(std::string moduleName) 80 | { 81 | // get the PEB pointer 82 | auto pebPtr = (PEB*) __readfsdword(0x30); 83 | // get the list head 84 | LIST_ENTRY head = pebPtr->Ldr->InMemoryOrderModuleList; 85 | LIST_ENTRY curr = head; 86 | 87 | RFW_LDR_DATA_TABLE_ENTRY* foundLdr = nullptr; 88 | 89 | // loops comparing the module name 90 | while (curr.Flink != head.Blink) { 91 | 92 | RFW_LDR_DATA_TABLE_ENTRY* ldrDataTablePtr = (RFW_LDR_DATA_TABLE_ENTRY*) CONTAINING_RECORD(curr.Flink, RFW_LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks ); 93 | 94 | if (ldrDataTablePtr->FullDllName.Buffer) 95 | { 96 | 97 | char* cName = TO_CHAR(ldrDataTablePtr->BaseDllName.Buffer); 98 | if (_stricmp(cName, moduleName.c_str()) == 0) 99 | { 100 | foundLdr = ldrDataTablePtr; 101 | break; 102 | } 103 | delete[] cName; 104 | } 105 | curr = *curr.Flink; 106 | } 107 | return foundLdr; 108 | } 109 | 110 | }; 111 | 112 | -------------------------------------------------------------------------------- /bypasses/bypassCheckRemoteDebuggerPresent.h: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | #include 4 | 5 | #include "ntdll.h" 6 | #include "Utils.h" 7 | 8 | 9 | const LPVOID __declspec(naked) GetGateAddress() { 10 | __asm { 11 | mov eax, dword ptr fs:[0xC0]; 12 | ret; 13 | } 14 | } 15 | 16 | LPVOID originalGateCodeBackup = nullptr; 17 | 18 | LPVOID BackupOriginalGateCode( LPVOID gateAddress ) { 19 | originalGateCodeBackup = VirtualAlloc(nullptr, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 20 | memcpy(originalGateCodeBackup, (void*)gateAddress, 9); 21 | 22 | return originalGateCodeBackup; 23 | } 24 | 25 | DWORD Backup_Eax, Handle, ProcessInformationClass, ProcessInformationLength, *PProcessInformation; 26 | 27 | void __declspec(naked) hk_zwQueryInformationProcess() { 28 | __asm { 29 | mov Backup_Eax, eax 30 | mov eax, [esp + 0x8] 31 | mov Handle, eax 32 | mov eax, [esp + 0xC] 33 | mov ProcessInformationClass, eax 34 | mov eax, [esp + 0x10] 35 | mov PProcessInformation, eax 36 | mov eax, [esp + 0x14] 37 | mov ProcessInformationLength, eax 38 | // mov eax, [esp + 0x18] 39 | // mov Old, eax 40 | mov eax, Backup_Eax 41 | pushad 42 | } 43 | 44 | printf("hk_zwQueryInformationProcess Handle: [%x] ProcessInformationClass: [0x%x] PProcessInformation: [%d] ProcessInformationLength: [0x%x]\n", Handle, ProcessInformationClass, *PProcessInformation, ProcessInformationLength); 45 | 46 | __asm { 47 | popad 48 | mov eax, 0xffffffff 49 | ret 50 | // int 3 51 | // jmp originalGateCodeBackup 52 | } 53 | 54 | } 55 | 56 | void __declspec(naked) hk_Wow64Trampoline() { 57 | 58 | __asm { 59 | cmp eax, 0x19 //id of zwQueryInformationProcess 60 | je hk_zwQueryInformationProcess; 61 | jmp originalGateCodeBackup; 62 | } 63 | } 64 | 65 | void bypassCheckRemoteDebuggerPresent() { 66 | LPVOID gateAddress = GetGateAddress(); 67 | std::cout << "gate Address: " << std::hex << gateAddress; 68 | 69 | std:: cout << "Original copy address: " << BackupOriginalGateCode(gateAddress); 70 | Utils::Hook((void*)gateAddress, (void*)hk_Wow64Trampoline, 7); 71 | } 72 | -------------------------------------------------------------------------------- /bypasses/bypassCreateToolhelp32Snapshot.h: -------------------------------------------------------------------------------- 1 | #include "pch.h" 2 | #include 3 | 4 | #include "Utils.h" 5 | #include 6 | 7 | void bypassCreateToolhelp32Snapshot() { 8 | 9 | std::array debuggerNames = { "ollydbg.exe", "ida.exe", "ida64.exe", "idag.exe", "idag64.exe", "idaw.exe", "idaw64.exe", "idaq.exe", "idaq64.exe", "idau.exe", "idau64.exe", "scylla.exe", "scylla_x64.exe", "scylla_x86.exe", "protection_id.exe", "x64dbg.exe", "x32dbg.exe", "windbg.exe", "reshacker.exe", "ImportREC.exe", "IMMUNITYDEBUGGER.EXE", "devenv.exe"}; 10 | 11 | RFW_LDR_DATA_TABLE_ENTRY* mainModuleData = Utils::GetLDREntry("anti-debugging.exe"); 12 | 13 | for(const auto& name: debuggerNames) { 14 | 15 | std::cout << name << ' '; 16 | int stringSize = name.size(); 17 | char *mask = (char*)malloc(stringSize + 1); 18 | memset((void*)mask, 'x', stringSize); 19 | mask[stringSize] = '\0'; 20 | 21 | void* patternLocation = Utils::internalPatternScanner(name.c_str(),(const char*) mask, (char*)mainModuleData->DllBase, mainModuleData->SizeOfImage); 22 | 23 | if (patternLocation == 0x00000000) 24 | { 25 | std::cout << "address not found aki! " << std::hex << patternLocation << "\n"; 26 | return; 27 | } 28 | std::cout << "Found!! " << std::hex << patternLocation << "\n"; 29 | char replacement[12] = "UWONTFINDME"; 30 | 31 | Utils::Patch((char*)patternLocation, (char*)replacement ,stringSize); 32 | } 33 | 34 | } -------------------------------------------------------------------------------- /bypasses/bypassNtGlobalFlag.h: -------------------------------------------------------------------------------- 1 | void bypassNtGlobalFlag() { 2 | auto peb = (char*) __readfsdword(0x30); 3 | *(peb + 0x68) = (*(peb + 0x68) &= ~(1UL << 5)); 4 | } -------------------------------------------------------------------------------- /bypasses/bypassUnhandledExceptionMethod.h: -------------------------------------------------------------------------------- 1 | #include "Utils.h" 2 | 3 | void bypassUnhandledExceptionMethod() { 4 | RFW_LDR_DATA_TABLE_ENTRY* mainModuleData = Utils::GetLDREntry("anti-debugging.exe"); 5 | 6 | char* cName = Utils::TO_CHAR(mainModuleData->BaseDllName.Buffer); 7 | 8 | void* patternLocation = Utils::internalPatternScanner("\xC6\x05\x00\x00\x00\x00\x00\xFF\x15\x00\x00\x00\x00\xCC\xA0\x00\x00\x00\x00\xC3", "xx?????xx????xx????x", (char*)mainModuleData->DllBase, mainModuleData->SizeOfImage); 9 | 10 | if (patternLocation == 0x00000000) 11 | { 12 | std::cout << "address not found! " << std::hex << patternLocation << "\n"; 13 | return; 14 | } 15 | std::cout << "found address " << std::hex << patternLocation << "\n"; 16 | unsigned char newBytecode[8] = "\x90\xB0\x00\x90\x90\x90\xC3"; 17 | 18 | Utils::Patch((char*)patternLocation+13, (char*)&newBytecode ,7); 19 | } 20 | -------------------------------------------------------------------------------- /bypasses/bypass_peb_64bit.asm: -------------------------------------------------------------------------------- 1 | .model flat, c 2 | 3 | bypass segment execute 4 | 5 | hg_enter macro 6 | 7 | push 033h ; swap to long mode 8 | call $+5 9 | add dword ptr [esp], 5 10 | retf 11 | 12 | endm 13 | 14 | hg_end macro 15 | 16 | call $+5 17 | db 0C7h, 44h, 24h, 04h, 23h, 0, 0, 0 ; mov dword [rsp+4], 0x23 18 | db 83h, 04h, 24h, 0Dh, 0CBh ; add dword [rsp], 0xD. RETF 19 | 20 | endm 21 | 22 | bypass_peb_64 proc 23 | 24 | hg_enter 25 | db 065h, 067h, 048h, 0A1h, 060h, 00, 00, 00 ; mov rax, gs:[0x60] 26 | mov byte ptr [eax+2], 00h ; (overwriting PEB64->IsBeingDebugged) 27 | hg_end 28 | ret 29 | 30 | bypass_peb_64 endp 31 | 32 | end 33 | -------------------------------------------------------------------------------- /bypasses/setPEB64HeavensGateDebuggerBypass.h: -------------------------------------------------------------------------------- 1 | extern "C" void bypass_peb_64( ); 2 | 3 | void setPEB64HeavensGateDebuggerBypass() { 4 | bypass_peb_64(); 5 | } -------------------------------------------------------------------------------- /bypasses/setPEBDebuggerBypass.h: -------------------------------------------------------------------------------- 1 | void setPEBDebuggerBypass() { 2 | auto peb = (char*) __readfsdword(0x30); 3 | *(peb+0x2) = 0x0; 4 | } -------------------------------------------------------------------------------- /bypassing-anti-debugging.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.29806.167 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypassing-anti-debugging", "bypassing-anti-debugging.vcxproj", "{5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Debug|x64.ActiveCfg = Debug|x64 17 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Debug|x64.Build.0 = Debug|x64 18 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Debug|x86.ActiveCfg = Debug|Win32 19 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Debug|x86.Build.0 = Debug|Win32 20 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Release|x64.ActiveCfg = Release|x64 21 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Release|x64.Build.0 = Release|x64 22 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Release|x86.ActiveCfg = Release|Win32 23 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {8CFB1F80-43DE-4197-BF59-F62B77248E95} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /bypassing-anti-debugging.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {5BC540AC-D55F-4FA3-A1DD-25B937D23B0B} 24 | Win32Proj 25 | bypassingantidebugging 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | 77 | 78 | true 79 | 80 | 81 | false 82 | 83 | 84 | false 85 | 86 | 87 | 88 | Use 89 | Level3 90 | true 91 | WIN32;_DEBUG;BYPASSINGANTIDEBUGGING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Windows 97 | true 98 | false 99 | 100 | 101 | 102 | 103 | Use 104 | Level3 105 | true 106 | _DEBUG;BYPASSINGANTIDEBUGGING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Windows 112 | true 113 | false 114 | 115 | 116 | 117 | 118 | Use 119 | Level3 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;BYPASSINGANTIDEBUGGING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Windows 129 | true 130 | true 131 | true 132 | false 133 | false 134 | 135 | 136 | 137 | 138 | Use 139 | Level3 140 | true 141 | true 142 | true 143 | NDEBUG;BYPASSINGANTIDEBUGGING_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 144 | true 145 | pch.h 146 | 147 | 148 | Windows 149 | true 150 | true 151 | true 152 | false 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Create 165 | Create 166 | Create 167 | Create 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | -------------------------------------------------------------------------------- /bypassing-anti-debugging.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | 40 | 41 | Source Files 42 | 43 | 44 | -------------------------------------------------------------------------------- /dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 2 | #include "pch.h" 3 | #include 4 | #include 5 | 6 | #include "ntdll.h" 7 | #include "bypasses/setPEBDebuggerBypass.h" 8 | #include "bypasses/bypassNtGlobalFlag.h"; 9 | #include "bypasses/bypassCreateToolhelp32Snapshot.h"; 10 | #include "bypasses/bypassCheckRemoteDebuggerPresent.h"; 11 | #include "bypasses/bypassUnhandledExceptionMethod.h"; 12 | #include "bypasses/setPEB64HeavensGateDebuggerBypass.h"; 13 | 14 | DWORD WINAPI AntiAntiDebugThread(HMODULE hModule) 15 | { 16 | //Create Console 17 | AllocConsole(); 18 | FILE* f; 19 | freopen_s(&f, "CONOUT$", "w", stdout); 20 | 21 | setPEBDebuggerBypass(); 22 | bypassNtGlobalFlag(); 23 | bypassCreateToolhelp32Snapshot(); 24 | bypassCheckRemoteDebuggerPresent(); 25 | bypassUnhandledExceptionMethod(); 26 | setPEB64HeavensGateDebuggerBypass(); 27 | 28 | return 0; 29 | } 30 | BOOL APIENTRY DllMain( HMODULE hModule, 31 | DWORD ul_reason_for_call, 32 | LPVOID lpReserved 33 | ) 34 | { 35 | switch (ul_reason_for_call) 36 | { 37 | case DLL_PROCESS_ATTACH: 38 | CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)AntiAntiDebugThread, hModule, 0, nullptr)); 39 | case DLL_THREAD_ATTACH: 40 | case DLL_THREAD_DETACH: 41 | case DLL_PROCESS_DETACH: 42 | break; 43 | } 44 | return TRUE; 45 | } 46 | 47 | -------------------------------------------------------------------------------- /framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /ntdll.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | typedef ULONG LOGICAL, * PLOGICAL; 5 | 6 | // just some types I grabbed from https://github.com/x64dbg/x64dbg/blob/development/src/dbg/ntdll/ntdll.h . I added a _RFW_ prefix to those 7 | 8 | // NtQueryInformationProcess same as ZwQueryInformationProcess in the userland context 9 | 10 | typedef enum _PROCESSINFOCLASS 11 | { 12 | ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION 13 | ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX 14 | ProcessIoCounters, // q: IO_COUNTERS 15 | ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX, VM_COUNTERS_EX2 16 | ProcessTimes, // q: KERNEL_USER_TIMES 17 | ProcessBasePriority, // s: KPRIORITY 18 | ProcessRaisePriority, // s: ULONG 19 | ProcessDebugPort, // q: HANDLE 20 | ProcessExceptionPort, // s: HANDLE 21 | ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN 22 | ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 23 | ProcessLdtSize, // s: PROCESS_LDT_SIZE 24 | ProcessDefaultHardErrorMode, // qs: ULONG 25 | ProcessIoPortHandlers, // (kernel-mode only) 26 | ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS 27 | ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void 28 | ProcessUserModeIOPL, 29 | ProcessEnableAlignmentFaultFixup, // s: BOOLEAN 30 | ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS 31 | ProcessWx86Information, 32 | ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 33 | ProcessAffinityMask, // s: KAFFINITY 34 | ProcessPriorityBoost, // qs: ULONG 35 | ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX 36 | ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 37 | ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND 38 | ProcessWow64Information, // q: ULONG_PTR 39 | ProcessImageFileName, // q: UNICODE_STRING 40 | ProcessLUIDDeviceMapsEnabled, // q: ULONG 41 | ProcessBreakOnTermination, // qs: ULONG 42 | ProcessDebugObjectHandle, // q: HANDLE // 30 43 | ProcessDebugFlags, // qs: ULONG 44 | ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables 45 | ProcessIoPriority, // qs: IO_PRIORITY_HINT 46 | ProcessExecuteFlags, // qs: ULONG 47 | ProcessResourceManagement, 48 | ProcessCookie, // q: ULONG 49 | ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION 50 | ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA 51 | ProcessPagePriority, // q: ULONG 52 | ProcessInstrumentationCallback, // 40 53 | ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX 54 | ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] 55 | ProcessImageFileNameWin32, // q: UNICODE_STRING 56 | ProcessImageFileMapping, // q: HANDLE (input) 57 | ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE 58 | ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE 59 | ProcessGroupInformation, // q: USHORT[] 60 | ProcessTokenVirtualizationEnabled, // s: ULONG 61 | ProcessConsoleHostProcess, // q: ULONG_PTR 62 | ProcessWindowInformation, // q: PROCESS_WINDOW_INFORMATION // 50 63 | ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8 64 | ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION 65 | ProcessDynamicFunctionTableInformation, 66 | ProcessHandleCheckingMode, 67 | ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION 68 | ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION 69 | ProcessWorkingSetControl, // s: PROCESS_WORKING_SET_CONTROL 70 | ProcessHandleTable, // since WINBLUE 71 | ProcessCheckStackExtentsMode, 72 | ProcessCommandLineInformation, // q: UNICODE_STRING // 60 73 | ProcessProtectionInformation, // q: PS_PROTECTION 74 | ProcessMemoryExhaustion, // PROCESS_MEMORY_EXHAUSTION_INFO // since THRESHOLD 75 | ProcessFaultInformation, // PROCESS_FAULT_INFORMATION 76 | ProcessTelemetryIdInformation, // PROCESS_TELEMETRY_ID_INFORMATION 77 | ProcessCommitReleaseInformation, // PROCESS_COMMIT_RELEASE_INFORMATION 78 | ProcessDefaultCpuSetsInformation, 79 | ProcessAllowedCpuSetsInformation, 80 | ProcessSubsystemProcess, 81 | ProcessJobMemoryInformation, // PROCESS_JOB_MEMORY_INFO 82 | ProcessInPrivate, // since THRESHOLD2 // 70 83 | ProcessRaiseUMExceptionOnInvalidHandleClose, 84 | ProcessIumChallengeResponse, 85 | ProcessChildProcessInformation, // PROCESS_CHILD_PROCESS_INFORMATION 86 | ProcessHighGraphicsPriorityInformation, 87 | ProcessSubsystemInformation, // q: SUBSYSTEM_INFORMATION_TYPE // since REDSTONE2 88 | ProcessEnergyValues, // PROCESS_ENERGY_VALUES, PROCESS_EXTENDED_ENERGY_VALUES 89 | ProcessActivityThrottleState, // PROCESS_ACTIVITY_THROTTLE_STATE 90 | ProcessActivityThrottlePolicy, // PROCESS_ACTIVITY_THROTTLE_POLICY 91 | ProcessWin32kSyscallFilterInformation, 92 | ProcessDisableSystemAllowedCpuSets, 93 | ProcessWakeInformation, // PROCESS_WAKE_INFORMATION 94 | ProcessEnergyTrackingState, // PROCESS_ENERGY_TRACKING_STATE 95 | MaxProcessInfoClass 96 | } PROCESSINFOCLASS; 97 | 98 | typedef struct NtQueryInformationProcess{ 99 | HANDLE ProcessHandle; 100 | PROCESSINFOCLASS ProcessInformationClass; 101 | PVOID ProcessInformation; 102 | ULONG ProcessInformationLength; 103 | PULONG ReturnLength; 104 | }; 105 | 106 | 107 | typedef struct _RFW_UNICODE_STRING 108 | { 109 | USHORT Length; 110 | USHORT MaximumLength; 111 | PWSTR Buffer; 112 | } RFW_UNICODE_STRING, * PRFW_UNICODE_STRING; 113 | 114 | typedef const RFW_UNICODE_STRING* PCRFW_UNICODE_STRING; 115 | 116 | typedef enum _LDR_DLL_LOAD_REASON 117 | { 118 | LoadReasonStaticDependency, 119 | LoadReasonStaticForwarderDependency, 120 | LoadReasonDynamicForwarderDependency, 121 | LoadReasonDelayloadDependency, 122 | LoadReasonDynamicLoad, 123 | LoadReasonAsImageLoad, 124 | LoadReasonAsDataLoad, 125 | LoadReasonUnknown = -1 126 | } LDR_DLL_LOAD_REASON, * PLDR_DLL_LOAD_REASON; 127 | 128 | typedef struct _LDR_SERVICE_TAG_RECORD 129 | { 130 | struct _LDR_SERVICE_TAG_RECORD* Next; 131 | ULONG ServiceTag; 132 | } LDR_SERVICE_TAG_RECORD, * PLDR_SERVICE_TAG_RECORD; 133 | 134 | typedef struct _LDRP_CSLIST 135 | { 136 | PSINGLE_LIST_ENTRY Tail; 137 | } LDRP_CSLIST, * PLDRP_CSLIST; 138 | 139 | typedef enum _LDR_DDAG_STATE 140 | { 141 | LdrModulesMerged = -5, 142 | LdrModulesInitError = -4, 143 | LdrModulesSnapError = -3, 144 | LdrModulesUnloaded = -2, 145 | LdrModulesUnloading = -1, 146 | LdrModulesPlaceHolder = 0, 147 | LdrModulesMapping = 1, 148 | LdrModulesMapped = 2, 149 | LdrModulesWaitingForDependencies = 3, 150 | LdrModulesSnapping = 4, 151 | LdrModulesSnapped = 5, 152 | LdrModulesCondensed = 6, 153 | LdrModulesReadyToInit = 7, 154 | LdrModulesInitializing = 8, 155 | LdrModulesReadyToRun = 9 156 | } LDR_DDAG_STATE; 157 | 158 | 159 | typedef struct _RTL_BALANCED_NODE 160 | { 161 | union 162 | { 163 | struct _RTL_BALANCED_NODE* Children[2]; 164 | struct 165 | { 166 | struct _RTL_BALANCED_NODE* Left; 167 | struct _RTL_BALANCED_NODE* Right; 168 | } s; 169 | }; 170 | union 171 | { 172 | UCHAR Red : 1; 173 | UCHAR Balance : 2; 174 | ULONG_PTR ParentValue; 175 | } u; 176 | } RTL_BALANCED_NODE, * PRTL_BALANCED_NODE; 177 | 178 | 179 | typedef struct _LDR_DDAG_NODE 180 | { 181 | LIST_ENTRY Modules; 182 | PLDR_SERVICE_TAG_RECORD ServiceTagList; 183 | ULONG LoadCount; 184 | ULONG LoadWhileUnloadingCount; 185 | ULONG LowestLink; 186 | union 187 | { 188 | LDRP_CSLIST Dependencies; 189 | SINGLE_LIST_ENTRY RemovalLink; 190 | }; 191 | LDRP_CSLIST IncomingDependencies; 192 | LDR_DDAG_STATE State; 193 | SINGLE_LIST_ENTRY CondenseLink; 194 | ULONG PreorderNumber; 195 | } LDR_DDAG_NODE, * PLDR_DDAG_NODE; 196 | 197 | 198 | typedef struct _RFW_LDR_DATA_TABLE_ENTRY 199 | { 200 | LIST_ENTRY InLoadOrderLinks; 201 | LIST_ENTRY InMemoryOrderLinks; 202 | union 203 | { 204 | LIST_ENTRY InInitializationOrderLinks; 205 | LIST_ENTRY InProgressLinks; 206 | }; 207 | PVOID DllBase; 208 | PVOID EntryPoint; 209 | ULONG SizeOfImage; 210 | RFW_UNICODE_STRING FullDllName; 211 | RFW_UNICODE_STRING BaseDllName; 212 | union 213 | { 214 | UCHAR FlagGroup[4]; 215 | ULONG Flags; 216 | struct 217 | { 218 | ULONG PackagedBinary : 1; 219 | ULONG MarkedForRemoval : 1; 220 | ULONG ImageDll : 1; 221 | ULONG LoadNotificationsSent : 1; 222 | ULONG TelemetryEntryProcessed : 1; 223 | ULONG ProcessStaticImport : 1; 224 | ULONG InLegacyLists : 1; 225 | ULONG InIndexes : 1; 226 | ULONG ShimDll : 1; 227 | ULONG InExceptionTable : 1; 228 | ULONG ReservedFlags1 : 2; 229 | ULONG LoadInProgress : 1; 230 | ULONG LoadConfigProcessed : 1; 231 | ULONG EntryProcessed : 1; 232 | ULONG ProtectDelayLoad : 1; 233 | ULONG ReservedFlags3 : 2; 234 | ULONG DontCallForThreads : 1; 235 | ULONG ProcessAttachCalled : 1; 236 | ULONG ProcessAttachFailed : 1; 237 | ULONG CorDeferredValidate : 1; 238 | ULONG CorImage : 1; 239 | ULONG DontRelocate : 1; 240 | ULONG CorILOnly : 1; 241 | ULONG ReservedFlags5 : 3; 242 | ULONG Redirected : 1; 243 | ULONG ReservedFlags6 : 2; 244 | ULONG CompatDatabaseProcessed : 1; 245 | } s; 246 | } u; 247 | USHORT ObsoleteLoadCount; 248 | USHORT TlsIndex; 249 | LIST_ENTRY HashLinks; 250 | ULONG TimeDateStamp; 251 | struct _ACTIVATION_CONTEXT* EntryPointActivationContext; 252 | PVOID Lock; 253 | PLDR_DDAG_NODE DdagNode; 254 | LIST_ENTRY NodeModuleLink; 255 | struct _LDRP_LOAD_CONTEXT* LoadContext; 256 | PVOID ParentDllBase; 257 | PVOID SwitchBackContext; 258 | RTL_BALANCED_NODE BaseAddressIndexNode; 259 | RTL_BALANCED_NODE MappingInfoIndexNode; 260 | ULONG_PTR OriginalBase; 261 | LARGE_INTEGER LoadTime; 262 | ULONG BaseNameHashValue; 263 | LDR_DLL_LOAD_REASON LoadReason; 264 | ULONG ImplicitPathOptions; 265 | ULONG ReferenceCount; 266 | ULONG DependentLoadFlags; 267 | UCHAR SigningLevel; // Since Windows 10 RS2 268 | } RFW_LDR_DATA_TABLE_ENTRY, * RFW_PLDR_DATA_TABLE_ENTRY; 269 | 270 | 271 | 272 | typedef struct _PEB_LDR_DATA { 273 | BYTE Reserved1[8]; 274 | PVOID Reserved2[3]; 275 | LIST_ENTRY InMemoryOrderModuleList; 276 | } PEB_LDR_DATA, *PPEB_LDR_DATA; 277 | 278 | // incomplete. Got issues. 279 | typedef struct _PEB { 280 | BYTE Reserved1[2]; 281 | BYTE BeingDebugged; 282 | BYTE Reserved2[1]; 283 | PVOID Reserved3[2]; 284 | PPEB_LDR_DATA Ldr; 285 | } PEB, *PPEB; -------------------------------------------------------------------------------- /pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | --------------------------------------------------------------------------------