In this project I try to highlight an interesting anti-analysis technique. It works by injecting ShellCode into the debugger itself while it debugs our process, and then controlling which events the debugger receives from us; in our case I removed all events caused by hardware breakpoints.
[1] Detect the presence of a debugger (I used the enumerate-running-processes technique; you can change it, you can find lots of ways to detect a debugger online).
[2] Inject the ShellCode into the debugger (I used the CreateRemoteThread injection technique; you can see my other project for more injection techniques (link)).
[3] Sleep for 4 seconds to let our ShellCode hook WaitForDebugEvent without causing any event, which would crash the debugger.
[1] The ShellCode resolves all the functions it uses during execution.
[2] It locates our function that will get called whenever WaitForDebugEvent gets called.
[3] It replaces the first instruction of WaitForDebugEvent (mov edi,edi) with a short jump to the 5 bytes before the function (some int 3 or nop instructions), and places a far jump to our ShellCode in those 5 bytes.
[4] The ShellCode calls the original WaitForDebugEvent and inspects the returned event; if the event was caused by EXCEPTION_SINGLE_STEP (a hardware breakpoint), it removes the breakpoint and calls WaitForDebugEvent again, so the debugger never notices the occurrence of the event.
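As an added example (not part of this project's code), here is a small C check written from the debugger's side: a debugger or analysis tool can inspect its own kernel32!WaitForDebugEvent hot-patch site, i.e. the 5 padding bytes before the export and the mov edi,edi at its entry, and flag the E9 rel32 / EB F9 pattern the hook above leaves behind (any other change to the prologue is reported as modified). The byte samples are constructed for the demo; on Windows you would read `site` from inside the debugger process at the address GetProcAddress returns for WaitForDebugEvent minus 5.

```c
#include <stdint.h>
#include <string.h>

/* State of the hot-patch site: 5 padding bytes (nop or int 3) before the
 * export, followed by the 2-byte "mov edi,edi" at the entry point. */
typedef enum {
    PROLOGUE_INTACT = 0,     /* padding and mov edi,edi untouched */
    PROLOGUE_HOTPATCHED = 1, /* jmp rel32 in the padding, jmp short -7 at entry */
    PROLOGUE_MODIFIED = 2    /* prologue changed in some other way */
} prologue_state;

/* `site` points at fn - 5. On PROLOGUE_HOTPATCHED, *target_delta receives
 * the hook destination relative to fn (jmp rel32 at fn-5 is 5 bytes long,
 * so its target is fn + rel32). */
prologue_state check_hotpatch_site(const uint8_t *site, int32_t *target_delta)
{
    const uint8_t *fn = site + 5;
    int padding_intact = 1;
    for (int i = 0; i < 5; i++)
        if (site[i] != 0x90 && site[i] != 0xCC) padding_intact = 0;
    if (padding_intact && fn[0] == 0x8B && fn[1] == 0xFF)
        return PROLOGUE_INTACT;
    /* E9 rel32 in the padding plus EB F9 (jmp short back 7 bytes) at entry */
    if (site[0] == 0xE9 && fn[0] == 0xEB && fn[1] == 0xF9) {
        int32_t rel;
        memcpy(&rel, site + 1, sizeof rel); /* little-endian immediate */
        if (target_delta) *target_delta = rel;
        return PROLOGUE_HOTPATCHED;
    }
    return PROLOGUE_MODIFIED;
}

/* Convenience: hook target delta for a hot-patched site, 0 otherwise. */
int32_t hook_target_delta(const uint8_t *site)
{
    int32_t delta = 0;
    if (check_hotpatch_site(site, &delta) != PROLOGUE_HOTPATCHED) return 0;
    return delta;
}

/* Constructed sample sites (7 bytes each: 5 padding + 2 entry bytes). */
const uint8_t kIntactSite[7]   = {0x90,0x90,0x90,0x90,0x90, 0x8B,0xFF};
const uint8_t kHookedSite[7]   = {0xE9,0x00,0x10,0x00,0x00, 0xEB,0xF9}; /* -> fn+0x1000 */
const uint8_t kModifiedSite[7] = {0xCC,0xCC,0xCC,0xCC,0xCC, 0xE9,0x00}; /* jmp at entry */
```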
It does not work on WinDbg, as WinDbg calls ntdll!ZwWaitForDebugEvent directly and does not call WaitForDebugEvent (the one we hook).
This is just a POC; there are lots of things you can do here, it depends only on your imagination and creativity.
It works only for 32-bit applications and debuggers.
I am not very experienced in writing Windows ShellCode, so in case of any crash please let me know.
This project is for educational purposes only.