Welcome to the new Woodmann RCE Messageboards Regroupment

This Forum is now strictly read-only. New Memberships and Postings have stopped.


Process Suspend vs AntiDebuggers

Interesting low-level stuff, operating system related issues, packer/vx acrobatics, drivers and non-newbie programming in general, including win32 assembly and whatever else.
tutenKam
Junior Member
Posts: 8
Joined: Thu Jan 09, 2014 8:58 pm

Process Suspend vs AntiDebuggers

Post by tutenKam »

So, what happens if you start an application normally, suspend it with process explorer and then attach a debugger?
Are you catching the antidebuggers with their pants down or is there more to it?

I noticed that a code dump suspended and then running an attached debugger shows differences in the code.
This tells me that I have bypassed at least some antidebugging features?

Ideas?
blabberer
Senior Member
Posts: 1537
Joined: Wed Dec 08, 2004 11:12 am

Post by blabberer »

attaching to a running process instead of starting it bypasses only the initial antidebugging measures

there is a close to infinite number of antidebugging measures that could be implemented at run time instead of in the initial stages

there are even anti attach mechanisms to thwart attaching to a running process
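The distinction blabberer draws, a check done once in the initial stage versus one repeated at run time, as an added example that is not code from this thread: the one-shot verdict is cached before any suspend/attach could happen, so a debugger attached later never changes it, while the repeated check sees the attach. It assumes Linux (the TracerPid field of /proc/self/status) or Windows (IsDebuggerPresent); the function names are my own.

```c
/* Added example, not code from the thread: a start-up (one-shot) debugger check
 * beside a run-time (repeated) one. Assumes Linux (/proc/self/status TracerPid)
 * or Windows (IsDebuggerPresent); any other platform simply reports 0. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Parse the "TracerPid:" field from /proc/<pid>/status text; 0 means untraced. */
int tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : 0;
}
/* 1 if a debugger or ptrace tracer is attached at this moment, else 0. */
int debugger_present(void)
{
#ifdef _WIN32
    return IsDebuggerPresent() ? 1 : 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n;
    if (!f)
        return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) != 0;
#endif
}

static int startup_verdict = -1;  /* cached result of the one-shot check */

/* The "initial stage" check: evaluated once at start-up and then trusted,
 * so a debugger attached after the process is already running never changes it. */
int startup_check(void)
{
    if (startup_verdict < 0)
        startup_verdict = debugger_present();
    return startup_verdict;
}

/* A run-time check: re-evaluated on every call, so it does notice a late attach. */
int runtime_check(void)
{
    return debugger_present();
}
```

Call startup_check() once at process entry and runtime_check() from later code paths; only the second kind is affected by attaching to an already suspended process.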
tutenKam
Junior Member
Posts: 8
Joined: Thu Jan 09, 2014 8:58 pm

Post by tutenKam »

So for a newbie this is in the right direction. I have read many documents on this issue and it is starting to make sense. But does the argument stand that if the program is paused at some dialogue box and I suspend the process, attach a debugger, the code up to that point should be valid? Of course code which would execute after could also be modified by some antidebugging features. I am just trying to make some progress here so at least I can see all the functions executed until the suspended state.