Tutorial Anti Debugging Tricks – CloseHandle Debugger Detection

timb3r
Jul 15, 2018
Anti Debugging Tricks – CloseHandle

This is probably one of my favourite anti-debugging techniques because it's relatively benign. It can be difficult to spot, as many programs make hundreds of legitimate calls to CloseHandle; however, as we'll see, it's not that difficult to bypass if you know what you're doing.

So how does it work?

Those of you familiar with the WINAPI know that most function calls end up calling their “big brother” versions inside ntdll (NtClose in the case of CloseHandle). What you may not know is that the CloseHandle call behaves differently depending on whether a debugger is attached.

Take the following code:

C++:
    HANDLE hHandle = (HANDLE)0xDEADC0DE;
    CloseHandle(hHandle);

This call will fail (of course), but the interesting thing is that it runs normally and does not crash to the error reporting screen as you might expect. Try running it and see what happens: it should run without any issue. However, if we run this code inside Visual Studio with the debugger attached, we get this interesting piece of information:

[Screenshot: exception-closehandle.png]

That’s interesting. Let’s see if we can leverage this in a program that detects the exception and terminates when it occurs. Take the following example code:

C++:
    #include <stdio.h>
    #include <stdlib.h>
    #include <Windows.h>

    BOOL bDetected;

    // Vectored exception handler: under a debugger, CloseHandle on a bad handle
    // raises EXCEPTION_INVALID_HANDLE, so seeing that code means we are being debugged.
    LONG WINAPI ExpCheckForDebugger(EXCEPTION_POINTERS *ExceptionInfo)
    {
        if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_INVALID_HANDLE)
            bDetected = TRUE;
        // Resume after the faulting call instead of letting the process die
        return EXCEPTION_CONTINUE_EXECUTION;
    }

    int main(void)
    {
        bDetected = FALSE;
        HANDLE hHandle = (HANDLE)0xDEADC0DE;   // deliberately invalid handle

        // 1ul = insert our handler at the front of the VEH list
        LPVOID pHandle = AddVectoredExceptionHandler(1ul, ExpCheckForDebugger);

        CloseHandle(hHandle);

        if (bDetected) {
            printf("Stop debugging me!\n");
            system("pause");
            return -1;
        }

        // Handlers registered with AddVectoredExceptionHandler are removed with
        // RemoveVectoredExceptionHandler (RemoveVectoredContinueHandler is for continue handlers)
        RemoveVectoredExceptionHandler(pHandle);

        printf("Normal execution\n");
        system("pause");
        return 0;
    }

Try continuing after the exception is thrown: the application detects that the exception was raised and exits. Running the application without a debugger results in normal execution. Pretty neat, right?

[Screenshot: vectored-exception-handlers.jpg]

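The handler above treats every EXCEPTION_INVALID_HANDLE in the process as proof of a debugger, which also fires when unrelated code closes a stale handle while a developer is debugging their own build. The following is an added example, not code from the original post, showing a scoped variant: the handler only counts the exception while a thread-local "probe in progress" flag is set around the deliberate CloseHandle, chains everything else to the next handler with EXCEPTION_CONTINUE_SEARCH, and uses the matching RemoveVectoredExceptionHandler. The names ProbeState, ShouldFlag and ProbeCloseHandle are this example's own; the Windows-specific part is guarded by _WIN32 so that the pure decision function compiles and can be tested on any platform.

```cpp
// Added example (not from the original post): a false-positive-resistant CloseHandle probe.
// The decision (ShouldFlag) is a pure function so it can be unit-tested without a debugger;
// the actual probe (ProbeCloseHandle) only compiles on Windows.
#include <cstdint>
#include <cstdio>

#ifdef _WIN32
#include <Windows.h>
#else
// Minimal stand-ins so the decision logic compiles off Windows (assumption: we only
// need the exception code value, which is STATUS_INVALID_HANDLE = 0xC0000008).
typedef unsigned long DWORD;
#define EXCEPTION_INVALID_HANDLE 0xC0000008UL
#endif

// Per-thread probe state: is this thread currently inside the deliberate bad CloseHandle?
struct ProbeState {
    bool probing  = false;   // set only around the intentional CloseHandle on a junk handle
    bool detected = false;   // result of the probe
};

static thread_local ProbeState g_probe;

// Pure decision: an invalid-handle exception is a detection only if this thread is
// inside the probe. Unrelated invalid-handle exceptions elsewhere in the process are
// ignored, so a developer debugging their own build is not misreported.
bool ShouldFlag(DWORD exceptionCode, const ProbeState& state)
{
    return state.probing && exceptionCode == EXCEPTION_INVALID_HANDLE;
}

#ifdef _WIN32
static LONG WINAPI ScopedProbeHandler(EXCEPTION_POINTERS* info)
{
    DWORD code = info->ExceptionRecord->ExceptionCode;
    if (ShouldFlag(code, g_probe)) {
        g_probe.detected = true;
        // We caused this exception on purpose; resume after the faulting call.
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    // Not ours: let the next handler (or the debugger) deal with it.
    return EXCEPTION_CONTINUE_SEARCH;
}

// Runs the probe once. Returns true if a debugger turned the bad CloseHandle into an
// EXCEPTION_INVALID_HANDLE. The handler lives only for the duration of the call.
bool ProbeCloseHandle()
{
    g_probe = ProbeState{};
    PVOID cookie = AddVectoredExceptionHandler(1, ScopedProbeHandler);
    if (cookie == nullptr)
        return false;                               // cannot probe; report "not detected"

    g_probe.probing = true;
    CloseHandle((HANDLE)(uintptr_t)0xDEADC0DE);     // same junk handle as the post
    g_probe.probing = false;

    RemoveVectoredExceptionHandler(cookie);
    return g_probe.detected;
}
#endif

int main()
{
#ifdef _WIN32
    std::printf(ProbeCloseHandle() ? "Debugger detected\n" : "Normal execution\n");
#else
    ProbeState outside;   // not probing: an invalid-handle exception must be ignored
    std::printf("ShouldFlag outside probe: %d\n",
                static_cast<int>(ShouldFlag(EXCEPTION_INVALID_HANDLE, outside)));
#endif
    return 0;
}
```

Keeping the flag thread-local matters because a VEH runs on whichever thread raised the exception; a process-wide flag would let a stale CloseHandle on another thread, performed while the probe is running, count as a detection.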
How to beat it

There are a few options here. You could hook CloseHandle or AddVectoredExceptionHandler. You could register your own vectored exception handler ahead of it (the First parameter; check the MSDN page for AddVectoredExceptionHandler for more information). You could also simply nop out the call to CloseHandle.

My own preference would be to hook CloseHandle and perform some tests on the supplied handle to see if it is indeed a valid handle or just a junk pointer meant to trigger the exception. You could use a call like DuplicateHandle to check this.

See the example below:

C++:
    #include <Windows.h>

    // Pointer to the original CloseHandle, saved by whatever hooking mechanism
    // installs MyCloseHandle in the target
    typedef BOOL (WINAPI *CloseHandle_t)(HANDLE);
    CloseHandle_t RealCloseHandle = NULL;

    // This is our hook installed into the target application
    BOOL WINAPI MyCloseHandle(HANDLE hHandle)
    {
        HANDLE hCurrProcess = GetCurrentProcess(), hOutput = NULL;
        // DuplicateHandle fails for a junk handle value without raising an exception
        if (!DuplicateHandle(hCurrProcess, hHandle, hCurrProcess, &hOutput, 0, FALSE, DUPLICATE_SAME_ACCESS)) {
            // Call failed: do not call CloseHandle() to avoid triggering the exception
            return FALSE;
        }

        // Call the original unhooked function
        // Close duplicate handle
        RealCloseHandle(hOutput);
        // Close the actual handle
        return RealCloseHandle(hHandle);
    }


Rake
Jan 21, 2014
This premium tutorial has been released to the heathens! Remember, you can get early access to our content by donating.

Would be cool to make a little anti-debug lib using all these techniques and then make videos of us bypassing them