Windows 10: New Anti-Debug OutputDebugStringW

Prior to Windows 10, OutputDebugStringW was only a thin wrapper: it converted the input Unicode string to an ANSI string and called the ANSI version, OutputDebugStringA, internally. With Windows 10, Microsoft implemented a real Unicode version of OutputDebugString. So while it used to be enough to handle OutputDebugStringA for anti-anti-debug purposes (the W variant ended up there anyway), there is now a second, separate anti-debug possibility to defeat.

Anti-Debug NtSetInformationThread

Most people who work with debuggers don’t really care about anti-debug tricks, because there are plenty of anti-anti-debug plugins, e.g. StrongOD, Phantom, Stealth64, IdaStealth, HideDebugger, etc., and they do a great job against the standard anti-debug tricks found in “anti-debug reference” articles (e.g. here). But most anti-debug articles simply copy and paste known source code without adjusting it. Most of those tricks work fine on Windows XP but don’t work on Windows Vista/7/8; one of the worst anti-debug tricks ever is kernel32!OutputDebugString. And some other known tricks can be updated and improved to work even better on Vista/7/8.