Process Suspend vs AntiDebuggers

Posted: Sun Jan 12, 2014 9:50 pm
by tutenKam
So, what happens if you start an application normally, suspend it with process explorer and then attach a debugger?
Are you catching the antidebuggers with their pants down or is there more to it?

I noticed that a code dump of the suspended process and then running an attached debugger shows differences in the code.
This tells me that I have bypassed at least some antidebugging features?

Posted: Wed Jan 15, 2014 1:40 am
by blabberer
attaching to a running process instead of starting it bypasses only the initial antidebugging measures

there is a close to infinite number of antidebugging measures that could be implemented at run time instead of in the initial stages

there are even anti-attach mechanisms to thwart attaching to a running process

Posted: Thu Jan 16, 2014 9:17 pm
by tutenKam
So for a newbie this is in the right direction. I have read many documents on this issue and it is starting to make sense. But does the argument stand that if the program is paused at some dialogue box and I suspend the process, attach a debugger, the code up to that point should be valid? Of course code which would execute after could also be modified by some antidebugging features. I am just trying to make some progress here so at least I can see all the functions executed until the suspended state.
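To make blabberer's distinction between initial and run-time checks concrete, and to show why attaching after the suspend (tutenKam's question) only gets past the first kind, here is an added example that is not from the thread. It uses the Linux `/proc/self/status` `TracerPid` field as a stand-in for the Windows checks the thread has in mind; the function and file names are this example's own.

```c
/* Added example (not from the thread): a process that checks for a tracer
 * once at startup and again repeatedly at run time. Attaching a debugger
 * after startup defeats only the startup check.
 * Linux stand-in for the Windows checks discussed: /proc/self/status
 * carries a "TracerPid:" line that is non-zero while a debugger is attached. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the TracerPid value out of /proc/<pid>/status text; -1 if absent. */
long tracer_pid_from_status(const char *text)
{
    const char *p = strstr(text, "TracerPid:");
    if (p == NULL)
        return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Read this process's own status file and return the tracer pid (0 = none,
 * -1 = could not read /proc). */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Initial-stage check: runs once, before any user-visible work. */
int startup_check_passed(void) { return current_tracer_pid() <= 0; }

int main(void)
{
    if (!startup_check_passed()) {
        puts("debugger seen at startup");
        return 1;
    }
    /* Run-time check: repeated while the program works, so a debugger attached
     * later (for example after suspending the process) is still noticed. */
    for (int i = 0; i < 5; i++) {
        sleep(1);
        if (current_tracer_pid() > 0)
            printf("debugger attached during run, tracer pid %ld\n", current_tracer_pid());
    }
    puts("done");
    return 0;
}
```

Start the binary, attach a debugger while it sleeps in the loop, and the startup check has already passed but the loop still reports the tracer; a protection that also patched its own code in that loop would explain the dump differences tutenKam saw.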