
Detections & Preventions

Alex S. edited this page Feb 28, 2025 · 6 revisions

A full list of detections & preventions is as follows:

Detections:

Memory-related:

  • Integrity checks on .text, .rdata, and other sections: on-disk file vs. loaded image (current process)
  • Manual mapped module checks (both PE headers & erased headers)
  • TLS callback structure modification checks (check if someone modified the address of the callback routine)
  • IAT modification checks (IAT entry's routine points to an unknown module)
  • Re-re-mapping checks (check if someone remapped sections after we already remapped them)
  • Function preamble "jmp" checks on certain routines such as ws2_32.send & ws2_32.recv
  • Integrity checks on sections of WINTRUST.dll (check if someone is manipulating cert check routines)
  • Scans newly created processes for blacklisted byte patterns
  • Check if any pages within .text have write permissions
  • DLL load callback/notifications, newly loaded modules are cert checked
  • Detect new threads via TLS callback
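The disk-vs-image integrity check and the writable-.text check from the list above, as an added C++ example that is not code from the UltimateAnticheat project: a small PE section-table parser, a byte-wise comparison of the .text section against the on-disk file, and a Windows-only collector that runs the comparison on the current executable and walks its .text pages with VirtualQuery. The function names (ParseSections, CompareSection, RunConstructedSample, CheckOwnText) and the constructed sample image are assumptions of this example; the parser and comparison are portable so the sample can be exercised anywhere.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
#ifdef _WIN32
#include <fstream>
#include <iterator>
#include <windows.h>
#endif

// One entry of the PE section table (IMAGE_SECTION_HEADER, 40 bytes each).
struct SectionInfo {
    std::string name;
    uint32_t virtualSize = 0, virtualAddress = 0;  // size and RVA in the loaded image
    uint32_t rawSize = 0, rawPointer = 0;          // size and file offset on disk
};
static uint32_t Read32(const uint8_t* p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t Read16(const uint8_t* p) { uint16_t v; memcpy(&v, p, 2); return v; }

// Walk the section table. Headers are mapped 1:1, so this works on the on-disk file
// and on the loaded image alike. Returns false if the buffer is not a PE.
bool ParseSections(const uint8_t* img, size_t size, std::vector<SectionInfo>& out) {
    if (size < 0x40 || img[0] != 'M' || img[1] != 'Z') return false;
    size_t pe = Read32(img + 0x3C);                                    // e_lfanew
    if (pe + 24 > size || memcmp(img + pe, "PE\0\0", 4) != 0) return false;
    uint16_t count = Read16(img + pe + 6);                             // NumberOfSections
    size_t hdr = pe + 24 + Read16(img + pe + 20);                      // + SizeOfOptionalHeader
    for (uint16_t i = 0; i < count; ++i, hdr += 40) {
        if (hdr + 40 > size) return false;
        SectionInfo s;
        for (int c = 0; c < 8 && img[hdr + c]; ++c) s.name += static_cast<char>(img[hdr + c]);
        s.virtualSize = Read32(img + hdr + 8);   s.virtualAddress = Read32(img + hdr + 12);
        s.rawSize     = Read32(img + hdr + 16);  s.rawPointer     = Read32(img + hdr + 20);
        out.push_back(s);
    }
    return true;
}

// ok: section found inside both buffers; diffBytes/firstDiff: mismatch count and offset
// of the first mismatch within the section; rva/len: where the section lives in the image.
struct DiffResult { bool ok = false; size_t diffBytes = 0, firstDiff = 0; uint32_t rva = 0, len = 0; };

// Compare the named section as it is on disk with the same bytes in the loaded image.
// Any mismatch inside .text means code was patched (inline hook, patched preamble, ...).
// Caveat: base relocations applied by the loader are legitimate differences, so a production
// check compares against a second mapping of the same file at the same base, or skips
// relocation targets, instead of using the raw file bytes directly.
DiffResult CompareSection(const uint8_t* disk, size_t diskSize,
                          const uint8_t* image, size_t imageSize, const char* wanted) {
    DiffResult r;
    std::vector<SectionInfo> secs;
    if (!ParseSections(disk, diskSize, secs)) return r;
    for (const SectionInfo& s : secs) {
        if (s.name != wanted) continue;
        size_t len = s.rawSize < s.virtualSize ? s.rawSize : s.virtualSize;
        if (s.rawPointer + len > diskSize || s.virtualAddress + len > imageSize) return r;
        r.ok = true; r.rva = s.virtualAddress; r.len = static_cast<uint32_t>(len);
        for (size_t i = 0; i < len; ++i) {
            if (disk[s.rawPointer + i] == image[s.virtualAddress + i]) continue;
            if (r.diffBytes++ == 0) r.firstDiff = i;
        }
        return r;
    }
    return r;
}

// Constructed sample (no real binary): a minimal PE with one 16-byte .text section,
// and a "loaded" copy whose byte 5 was overwritten with 0xE9 (jmp rel32).
DiffResult RunConstructedSample() {
    std::vector<uint8_t> disk(0x210, 0), image(0x1010, 0);
    disk[0] = 'M'; disk[1] = 'Z'; disk[0x3C] = 0x40;                   // e_lfanew = 0x40
    memcpy(&disk[0x40], "PE\0\0", 4); disk[0x46] = 1;                  // NumberOfSections = 1
    uint8_t* sec = &disk[0x58];               // SizeOfOptionalHeader = 0, table at 0x40 + 24
    memcpy(sec, ".text\0\0\0", 8);
    sec[8] = 16; sec[13] = 0x10;              // VirtualSize = 16, VirtualAddress = 0x1000
    sec[16] = 16; sec[21] = 0x02;             // SizeOfRawData = 16, PointerToRawData = 0x200
    for (int i = 0; i < 16; ++i) disk[0x200 + i] = static_cast<uint8_t>(0x90 + i);
    memcpy(&image[0], &disk[0], 0x200);       // headers map 1:1
    memcpy(&image[0x1000], &disk[0x200], 16); // clean copy of .text
    image[0x1005] = 0xE9;                     // simulated patch
    return CompareSection(disk.data(), disk.size(), image.data(), image.size(), ".text");
}

#ifdef _WIN32
// Real check on the running executable: compare its .text with its file on disk and
// report whether any page of .text is writable (it should be execute/read only).
DiffResult CheckOwnText(bool* writablePage) {
    HMODULE base = GetModuleHandleW(nullptr);
    char path[MAX_PATH]; GetModuleFileNameA(base, path, MAX_PATH);
    std::ifstream f(path, std::ios::binary);
    std::vector<uint8_t> disk((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
    const uint8_t* img = reinterpret_cast<const uint8_t*>(base);
    size_t imageSize = Read32(img + Read32(img + 0x3C) + 24 + 56);     // OptionalHeader.SizeOfImage
    DiffResult r = CompareSection(disk.data(), disk.size(), img, imageSize, ".text");
    const DWORD writable = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY;
    *writablePage = false;
    for (size_t off = r.rva; r.ok && off < r.rva + r.len; ) {
        MEMORY_BASIC_INFORMATION mbi;
        if (!VirtualQuery(img + off, &mbi, sizeof(mbi))) break;
        if (mbi.Protect & writable) *writablePage = true;
        off = static_cast<const uint8_t*>(mbi.BaseAddress) - img + mbi.RegionSize;
    }
    return r;
}
#endif
```

On the constructed sample the check reports one differing byte at offset 5 of a 16-byte .text at RVA 0x1000. The same comparison applied to .rdata catches tampered read-only data, and the VirtualQuery walk is the "any page within .text has write permissions" item: a page that is writable is a precondition for in-memory patching and is worth flagging even before any byte actually differs.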

Debugger-related:

  • Simple IsDebuggerPresent call
  • PEB structure BeingDebugged check
  • Hardware debugger checks (check debug registers)
  • CloseHandle() with invalid handle (check if any debugger handles the generated exception)
  • DebugPort flag check via NtQueryInformationProcess
  • Process Debug Flags check via NtQueryInformationProcess
  • Kernel debugger: shared memory (_KUSER_SHARED_DATA) check (KdDebuggerEnabled field)
  • Kernel debugger: NtQuerySystemInformation with SystemKernelDebuggerInformation (35)
  • Heap flags check (heap force flags)
  • CheckRemoteDebuggerPresent on current process
  • Cheat Engine "VEH debugger" checks (look for the vehdebug-x86_64.dll module loaded into our process)
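The user-mode and kernel-debugger checks above, as an added C++ example that is not code from the UltimateAnticheat project. It separates collecting the raw indicators (Windows-only: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess with ProcessDebugPort (7) and ProcessDebugFlags (31), KUSER_SHARED_DATA.KdDebuggerEnabled at 0x7FFE02D4, the debug registers from GetThreadContext, and the process heap flags) from interpreting them, so the interpretation can be exercised with constructed values. The struct and function names (DebugSignals, Assess, Collect) are assumptions of this example, as are the heap header offsets, which are not part of the public API.

```cpp
#include <cstdint>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#endif

// Raw indicators, one per check in the list above. The defaults are what a process
// sees when nothing is debugging it.
struct DebugSignals {
    uint8_t  pebBeingDebugged = 0;   // PEB.BeingDebugged; IsDebuggerPresent() returns this byte
    bool     remoteDebugger = false; // CheckRemoteDebuggerPresent() on our own process
    uint64_t debugPort = 0;          // ProcessDebugPort (7): non-zero while a debugger is attached
    bool     debugFlagsQueried = false;
    uint32_t processDebugFlags = 1;  // ProcessDebugFlags (31): inverted sense, 0 means debugged
    uint8_t  kdDebuggerEnabled = 0;  // KUSER_SHARED_DATA.KdDebuggerEnabled
    uint64_t dr0 = 0, dr1 = 0, dr2 = 0, dr3 = 0, dr7 = 0; // hardware breakpoint registers
    uint32_t heapFlags = 2, heapForceFlags = 0;          // HEAP_GROWABLE only when not debugged
};

// Reduce the signals to a list of human-readable reasons; an empty list means clean.
std::vector<std::string> Assess(const DebugSignals& s) {
    std::vector<std::string> why;
    if (s.pebBeingDebugged) why.push_back("PEB.BeingDebugged is set");
    if (s.remoteDebugger) why.push_back("CheckRemoteDebuggerPresent reported a debugger");
    if (s.debugPort != 0) why.push_back("ProcessDebugPort is non-zero");
    // Gotcha: ProcessDebugFlags reports NoDebugInherit, so 0 is the suspicious value.
    if (s.debugFlagsQueried && s.processDebugFlags == 0) why.push_back("ProcessDebugFlags is 0");
    if (s.kdDebuggerEnabled) why.push_back("kernel debugger enabled (KdDebuggerEnabled)");
    // DR7 bits 0-7 are the L0..G3 enable bits; an armed slot or a non-zero address is a breakpoint.
    if ((s.dr7 & 0xFF) || s.dr0 || s.dr1 || s.dr2 || s.dr3) why.push_back("hardware breakpoints armed");
    // A process started under a debugger gets tail/free checking and validate-parameters flags,
    // and ForceFlags mirrors them; both are 0 (apart from HEAP_GROWABLE) otherwise.
    const uint32_t HEAP_DEBUG_BITS = 0x40000060; // TAIL_CHECKING | FREE_CHECKING | VALIDATE_PARAMETERS
    if ((s.heapFlags & HEAP_DEBUG_BITS) || s.heapForceFlags != 0) why.push_back("debug heap flags set");
    return why;
}

#ifdef _WIN32
typedef LONG (WINAPI *NtQipFn)(HANDLE, ULONG, PVOID, ULONG, PULONG);

// Gather the real values on Windows. The heap header offsets (Flags/ForceFlags) are the
// x64 and x86 layouts used since Vista; they are assumed here, not documented.
DebugSignals Collect() {
    DebugSignals s;
    s.pebBeingDebugged = IsDebuggerPresent() ? 1 : 0;
    BOOL remote = FALSE;
    if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &remote)) s.remoteDebugger = remote != FALSE;
    NtQipFn NtQip = (NtQipFn)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess");
    if (NtQip) {
        DWORD_PTR port = 0; DWORD flags = 0;
        if (NtQip(GetCurrentProcess(), 7 /*ProcessDebugPort*/, &port, sizeof(port), nullptr) == 0) s.debugPort = port;
        if (NtQip(GetCurrentProcess(), 31 /*ProcessDebugFlags*/, &flags, sizeof(flags), nullptr) == 0) {
            s.debugFlagsQueried = true; s.processDebugFlags = flags;
        }
    }
    s.kdDebuggerEnabled = *reinterpret_cast<volatile uint8_t*>(0x7FFE02D4); // KUSER_SHARED_DATA + 0x2D4
    CONTEXT ctx = {}; ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (GetThreadContext(GetCurrentThread(), &ctx)) {
        s.dr0 = ctx.Dr0; s.dr1 = ctx.Dr1; s.dr2 = ctx.Dr2; s.dr3 = ctx.Dr3; s.dr7 = ctx.Dr7;
    }
    const uint8_t* heap = reinterpret_cast<const uint8_t*>(GetProcessHeap());
#ifdef _WIN64
    s.heapFlags = *reinterpret_cast<const uint32_t*>(heap + 0x70);
    s.heapForceFlags = *reinterpret_cast<const uint32_t*>(heap + 0x74);
#else
    s.heapFlags = *reinterpret_cast<const uint32_t*>(heap + 0x40);
    s.heapForceFlags = *reinterpret_cast<const uint32_t*>(heap + 0x44);
#endif
    return s;
}
#endif
```

Keeping collection and interpretation apart is what makes the inverted ProcessDebugFlags semantics and the heap-flag masks testable without a debugger attached; it also means a single check returning a surprising value (for example GetThreadContext failing) degrades to "no signal" rather than a false verdict. The debug-register check only covers the calling thread, so in practice it is run from each thread that matters.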

Modules:

  • Check for unsigned modules loaded into process
  • Check embedded signature & catalog for modules

Processes & handles:

  • Monitors new process creation
  • Detects open process handles to our process
  • Check window names & text of processes (not recommended in a live setting, large false positive risk)
  • Blacklisted process check by name

Misc:

  • Secure boot check
  • Check if Windows is in "Test signing mode" (driver signature enforcement)
  • Hypervisor checks
  • Registry value modification monitoring (only monitors a couple currently, related to DeviceGuard & Secure Boot)
  • Server-client heartbeat to check if a client is running the program

Preventions:

Memory-related:

  • User APC blocking via undocumented ntdll.Ordinal8 patching
  • Sections remapping with SEC_NO_CHANGE
  • Spoofing NumberOfSections in PE header at runtime
  • Module name randomization at runtime (UltimateAnticheat.exe -> dsfWEF1@45^dsf)
  • Prevent new threads from being created if their start address isn't in a legitimate module (patch over their start address with a ret, Windows 10 only)
  • Check return address of certain routines to prevent remote calling/spoofing
  • Protects the program's Settings class object from being modified/written to at runtime by making use of my project: RemapProtectedClass

Debugger-related:

  • Closes known debuggers by creating a remote thread on their ExitProcess routine
  • Stops debuggers from attaching to program threads by calling NtSetInformationThread with ThreadHideFromDebugger for each thread
  • Patches over initializeVEH export routine in vehdebug-x86_64.dll
  • Mitigation policies (may or may not work depending on your OS build)

Misc:

  • Stops multiple instances of the program from being run by using shared memory
  • Force unload blacklisted drivers (coming in next code push)