Thread: SizeOfStackReserve As Anti-Attaching Trick

  1. #1

    SizeOfStackReserve As Anti-Attaching Trick

    My latest blog post where I explain a new anti-attaching trick.

    Any comments or ideas are very welcome.

  2. #2
    Too many letters. I do not understand how it prevents debugging.

  3. #3
    In brief, on Windows versions that use the ZwCreateThreadEx function instead of ZwCreateThread to create threads, e.g. Windows 7, patching "SizeOfStackReserve" to a high value, e.g. 0xFFFFFED7, prevents debuggers from attaching to your process.

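    #include "stdafx.h"
    #include "windows.h"
    #include "stdio.h"

    // Exported by ntdll.dll; returns the IMAGE_NT_HEADERS of a loaded module.
    extern "C"
    IMAGE_NT_HEADERS* __stdcall RtlImageNtHeader(unsigned long ImageBase);

    int main(int argc, char* argv[])
    {
        // Base address of the main executable image (the cast assumes a 32-bit build).
        unsigned long IB=(unsigned long)GetModuleHandle(0);
        unsigned long old=0;
        // pNt->OptionalHeader.SizeOfStackReserve is the field the post refers to.
        IMAGE_NT_HEADERS* pNt=RtlImageNtHeader(IB);
        int i=0;
        printf("Now try to attach a debugger to me (Win7) %x\r\n",i++);
        return 0;
    }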
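
The analyst's side of the trick described in post #3, as an added example that is not part of the thread or the linked blog post: read `SizeOfStackReserve` from the on-disk PE header and from a copy of the header taken from process memory, then report a mismatch or an implausibly large value. The function names, the 256 MiB threshold and the minimal header bytes are assumptions constructed for illustration.

```python
import struct

# Assumption: a reserve of 256 MiB or more is treated as suspicious; tune as needed.
SUSPICIOUS_RESERVE = 0x10000000

def stack_reserve(image: bytes) -> int:
    """Return OptionalHeader.SizeOfStackReserve from a PE header buffer."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 4 + 20  # skip the "PE\0\0" signature and the COFF file header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < opt + 80:
        raise ValueError("bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:  # PE32: 4-byte field at offset 72 of the optional header
        return struct.unpack_from("<I", image, opt + 72)[0]
    if magic == 0x20B:  # PE32+: 8-byte field at the same offset
        return struct.unpack_from("<Q", image, opt + 72)[0]
    raise ValueError("unknown optional header magic")

def check_headers(on_disk: bytes, in_memory: bytes) -> list:
    """Compare the file's header with the loaded image's header."""
    findings = []
    disk, mem = stack_reserve(on_disk), stack_reserve(in_memory)
    if disk != mem:
        findings.append(f"SizeOfStackReserve changed after load: {disk:#x} -> {mem:#x}")
    if mem >= SUSPICIOUS_RESERVE:
        findings.append(f"in-memory SizeOfStackReserve {mem:#x} is implausibly large")
    return findings

def sample_pe32(reserve: int) -> bytes:
    """Constructed minimal PE32 header (sample data, not a real binary)."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)      # PE32 magic
    struct.pack_into("<I", buf, opt + 72, reserve)
    return bytes(buf)

if __name__ == "__main__":
    clean = sample_pe32(0x100000)       # 1 MiB, the usual linker default
    patched = sample_pe32(0xFFFFFED7)   # value quoted in post #3
    for line in check_headers(clean, patched):
        print(line)
```

How the in-memory header copy is obtained (a process dump or a memory read by a monitoring tool) is outside the example; only the first page of the main module is needed.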
