Anti-Debug NtSetInformationThread

Most people who work with debuggers don’t really care about anti-debug tricks, because there are plenty of anti-anti-debug plugins e.g. StrongOD, Phantom, Stealth64, IdaStealth, HideDebugger, etc. and they do a great job against standard anti-debug tricks found in “anti-debug reference” articles (e.g. here). But most anti-debug articles simply copy & paste known source code without adjusting it. Most tricks work fine with Windows XP, but don’t work with Windows Vista/7/8, e.g. one of the worst anti-debug trick ever is kernel32!OutputDebugString. And some other known tricks can be updated and improved to work even better with Vista/7/8.

A side note: Microsoft will drop all updates for Windows XP on 8. April 2014. Most reverser use XP for reversing and most software is still working fine on XP. But this will change soon. Starting from this date, protector/software developers could drop XP support entirely, so anti-debug tricks for Vista+ will become more and more important.

So now I want to show you an updated known anti-debug trick: NtSetInformationThread. In my opinion this API offers one of the best anti-debug tricks you can find. All current existing anti-anti-debug plugins handle this API wrong, so it is very easy to detect debuggers.

	//invalid parameter
	ntStat = NtSetInformationThread(NtCurrentThread, ThreadHideFromDebugger, &check, sizeof(ULONG));
	if (ntStat >= 0) //it must fail
	{
		ShowMessageBox("Anti-Anti-Debug Tool detected 1!\n");
	}

	//invalid handle
	ntStat = NtSetInformationThread((HANDLE)0xFFFFF, ThreadHideFromDebugger, 0, 0);
	if (ntStat >= 0) //it must fail
	{
		ShowMessageBox("Anti-Anti-Debug Tool detected 2!\n");
	}

	ntStat = NtSetInformationThread(NtCurrentThread, ThreadHideFromDebugger, 0, 0);

	if (ntStat >= 0)
	{
		//only available >= VISTA
		ntStat = NtQueryInformationThread(NtCurrentThread, ThreadHideFromDebugger, &check, sizeof(BOOLEAN), 0);
		if (ntStat >= 0)
		{
			if (!check)
			{
				ShowMessageBox("Anti-Anti-Debug Tool detected 3!\n");
			}
			else
			{
				ShowMessageBox("Everything ok!\n");
			}
		}
		else
		{
			ShowMessageBox("Query ThreadHideFromDebugger not available!\n");
		}
	}
	else
	{
		ShowMessageBox("Anti-Anti-Debug Tool detected 4!\n");
	}

We call NtSetInformationThread two times with wrong parameters and this will reveal most anti-anti-debug plugins. Since Vista it is possible to use NtQueryInformationThread and this makes it much more powerful. Currently no anti-anti-debug plugin is hooking NtQueryInformationThread to prevent this check.

Source code and binaries can be downloaded here:
https://bitbucket.org/NtQuery/teststuff/downloads/NtSetInformationThread.rar
https://bitbucket.org/NtQuery/teststuff/src/d2ade28bd7ea941a897cf7a5d452c4df29603986/NtSetInformationThread.cpp?at=master

Advertisements

2 thoughts on “Anti-Debug NtSetInformationThread

  1. >Starting from this date, protector/software developers could drop XP support entirely
    That is so not true. Any small software developer who intentionally alienates 20-30% of his potential userbase (or ~50% in some countries like China), is certifiably insane.

    Microsoft, on the other hand, is doing anything in their powers to force people to move away from XP. VS2012 is a great example, as by default it sets OS Version = 6 in PE header, even though there is absolutely no technical reason to do so. CRT libs requiring Vista+ APIs is another trick of theirs.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s