Other AntiDebug tricks

I came across this one individual’s page whom is an avid reverse engineer with some great material.

Check out his pdf cheat sheet on anti-debugging. There were a few in there I didn’t know about like the ‘csr’ trick which involves calling an undocumented ‘CsrGetProcessId’ function within OpenProcess. CsrGetProcessId is a native API that returns the PID of csrss.exe.

Evidently if you call OpenProcess and pass the ID returned by CsrGetProcessId(), no error will occur if the SeDebugPrivilege has been set with SetPrivilege() / AdjustTokenPrivileges(). How about some code with that shake?

#include <stdio.h>
#include <windows.h>
typedef HANDLE (*_CsrGetProcessId)();

int main(void)
{
HMODULE nt=GetModuleHandle("ntdll.dll");
_CsrGetProcessId CsrGetProcessId=(_CsrGetProcessId)GetProcAddress(nt,"CsrGetProcessId");
HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,CsrGetProcessId());
if(!proc)
{
printf("debugger is present!");
}
}

The cheat sheet has other stuff in it. Check it out some time. Better yet, check out the guy’s blog instead.

Happy cracking!

Leave a Reply