#3 01-24-2006, 21:56
adaptor
-Hide NtGlobalFlag, -Hide ProcessHeapFlag
On XP+ simply add _NO_DEBUG_HEAP=1 to the system environment.

-Patch ZwQueryInformationProcess
If the second parameter is ProcessDebugPort (7), execute the original API, then simply put zero at the address extracted from the third parameter.

-ZwSetInformationThread
If the second parameter is HideFromDebugger (11h), simply return with stack correction and zero in eax.

-Patch CheckRemoteDebuggerPresent
No need to patch because it uses ZwQueryInformationProcess to detect the debugger.