Anti-Debug NtQueryObject

NtQueryObject is another example of a known but underestimated anti-debug measure. Most anti-debug articles (here or here) describe calling NtQueryObject with the class ObjectAllTypesInformation (index number 3; the correct name is ObjectTypesInformation). This class returns a list of all existing object types. It is much better to call the function with class index number 2, ObjectTypeInformation, which returns only the type information for the supplied handle. So how do we get a debug handle? We simply create our own. This technique is very powerful for detecting any debugger, and no anti-anti-debug tool/plugin is currently able to defeat it.

We simply create the debug handle with the NtCreateDebugObject API:

NTSTATUS NtCreateDebugObject (
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
);

The call is very simple and it could look like this:

	HANDLE debugObject;
	OBJECT_ATTRIBUTES oa;

	InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL); // unnamed object, no special attributes

	if (NtCreateDebugObject(&debugObject, DEBUG_ALL_ACCESS, &oa, 0) >= 0)

Now we have our own debug handle + object. Let’s query this handle with NtQueryObject:

		BYTE memory[0x1000]; // buffer for the OBJECT_TYPE_INFORMATION structure and its type name
		POBJECT_TYPE_INFORMATION objectType = (POBJECT_TYPE_INFORMATION)memory;

		if (NtQueryObject(debugObject, ObjectTypeInformation, objectType, sizeof(memory), NULL) >= 0)
		{
			if (objectType->TotalNumberOfObjects == 1) // there must be exactly 1 object: ours
				ShowMessageBox("Everything is ok!");
			else if (objectType->TotalNumberOfObjects == 0) // bad: impossible, since our own object exists
				ShowMessageBox("Anti-Anti-Debug Tool detected!");
			else // more than one DebugObject exists on the system
				ShowMessageBox("Debugger detected!\r\n\r\nTotalNumberOfHandles %d\r\nTotalNumberOfObjects %d\r\n", objectType->TotalNumberOfHandles, objectType->TotalNumberOfObjects);
		}
		NtClose(debugObject);

If the call succeeds there are three possibilities. We know for certain that there must be exactly 1 handle/object, namely the one we just created. If there are more objects, a debugger is present (the count covers every debug object on the system, so a debugger attached to any process is reported). It is also possible to detect anti-anti-debug tools, because they will probably return zero, but we know that this cannot be true!

Source code and x86/x64 binaries here:

