Process Suspend vs AntiDebuggers

tutenKam
Junior Member
Posts: 8
Joined: Thu Jan 09, 2014 8:58 pm

Process Suspend vs AntiDebuggers

Post by tutenKam »

So, what happens if you start an application normally, suspend it with Process Explorer and then attach a debugger?
Are you catching the antidebuggers with their pants down, or is there more to it?

I noticed that a code dump taken while suspended and then one taken with an attached debugger running show differences in the code.
This tells me that I have bypassed at least some antidebugging features?

Ideas?
blabberer
Senior Member
Posts: 1535
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

attaching to a running process instead of starting it bypasses only the initial antidebugging measures

there are a close to infinite number of antidebugging measures that could be implemented at run time instead of in the initial stages

there are even anti-attach mechanisms to thwart attaching to a running process
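The three stages blabberer lists (a one-time startup check, a check repeated at run time, and an anti-attach mechanism) as an added example that is not part of this thread. The thread has Windows and Process Explorer in mind; this uses the Linux ptrace equivalents because the mechanism is the same and the code can be run as-is. It assumes a Linux kernel with /proc mounted and a Yama ptrace_scope that still lets a parent trace its own child (scope 0 or 1, the usual defaults). The names parse_tracer_pid, current_tracer_pid, tracer_is_hostile and protected_work are this example's own.

```c
// Added example, not code from the thread. Linux analog of startup check,
// runtime check and anti-attach, using ptrace and /proc/self/status.
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pull the "TracerPid:" field out of /proc/<pid>/status text.
 * Returns the tracer pid, 0 if nobody is tracing, -1 if the field is absent.
 * Kept pure so it can be exercised on constructed status text. */
int parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return (int)strtol(p, NULL, 10);
}

/* Runtime check: read the live value. A debugger attached after the process
 * was suspended shows up here, unlike in a startup-only check. */
int current_tracer_pid(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Policy: the only acceptable tracer is our own guardian (0 = none).
 * A different pid means a debugger; 0 when a guardian is expected means the
 * guardian was killed to make room for one. -1 (unreadable) is left alone. */
int tracer_is_hostile(int observed_tracer, pid_t guardian_pid) {
    if (observed_tracer < 0) return 0;
    return observed_tracer != (int)guardian_pid;
}

/* Stand-in for the protected program; a dialog box would sit here in the
 * scenario from the thread. The check repeats instead of running once. */
static void protected_work(pid_t guardian) {
    for (int round = 0; round < 5; round++) {
        int t = current_tracer_pid();
        if (tracer_is_hostile(t, guardian)) {
            fprintf(stderr, "runtime check: tracer %d is not guardian %d\n",
                    t, (int)guardian);
            _exit(1);
        }
        printf("round %d ok (tracer=%d)\n", round, t);
        sleep(1);
    }
}

int main(void) {
    pid_t guardian = getpid();
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* Startup check: PTRACE_TRACEME fails with EPERM if a debugger
         * launched us. When it succeeds the guardian becomes our tracer, and
         * since a task can have only one tracer this is also the anti-attach:
         * a later PTRACE_ATTACH from gdb or strace fails with EPERM. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
            fprintf(stderr, "startup check: already traced (%s)\n",
                    strerror(errno));
            _exit(1);
        }
        protected_work(guardian);
        _exit(0);
    }
    /* Guardian: a traced child stops on every signal, so forward each one
     * back (swallowing the ptrace SIGTRAP) to keep it running. */
    int status;
    while (waitpid(child, &status, 0) == child) {
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (WIFSTOPPED(status)) {
            int sig = WSTOPSIG(status);
            ptrace(PTRACE_CONT, child, NULL,
                   (void *)(long)(sig == SIGTRAP ? 0 : sig));
        }
    }
    return 0;
}
```

Running it and trying `gdb -p <child pid>` during the five rounds fails because the guardian already holds the tracer slot; killing the guardian first frees the slot, but the next round then sees a TracerPid that is not the guardian and exits. A check that runs only once at startup would have missed both.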
tutenKam
Junior Member
Posts: 8
Joined: Thu Jan 09, 2014 8:58 pm

Post by tutenKam »

So for a newbie this is in the right direction. I have read many documents on this issue and it is starting to make sense. But does the argument stand that if the program is paused at some dialogue box and I suspend the process, attach a debugger, the code up to that point should be valid? Of course code which would execute after could also be modified by some antidebugging features. I am just trying to make some progress here so at least I can see all the functions executed until the suspended state.