1
00:00:00,660 --> 00:00:07,230
So in this little movie, we are seeing how to check whether the process is running under the debugger or not.

2
00:00:07,530 --> 00:00:13,800
So we can use this function IsDebuggerPresent, so it will return a boolean value whether the process

3
00:00:13,800 --> 00:00:15,900
is being debugged or not.

4
00:00:15,930 --> 00:00:17,130
So it's a very simple one.

5
00:00:18,270 --> 00:00:21,660
You can see this resides in the kernel32 DLL.

6
00:00:22,470 --> 00:00:24,090
You can just simply copy this one.

7
00:00:40,290 --> 00:00:43,470
So I can go and simply print this one.

8
00:00:48,650 --> 00:00:56,060
If I go and run this, I will get the value, because this process is being run under this Visual Studio debugger.

9
00:00:57,050 --> 00:01:03,890
The main problem with this function is many EDRs will try to monitor the API calls, and if there

10
00:01:03,890 --> 00:01:07,730
is any call to this function, then our process will not be executed.

11
00:01:08,000 --> 00:01:14,840
So this malware will try to first detect whether the binary is running under the debugger or not.

12
00:01:15,200 --> 00:01:23,090
Whenever the malware finds out that it is running under the debugger, it will simply exit the code.

13
00:01:23,120 --> 00:01:27,290
So you can just simply call exit if the debugger is present.

14
00:01:27,740 --> 00:01:31,520
If there is no debugger, you can normally run the code.

15
00:01:33,410 --> 00:01:39,920
Actually this function, it tries to fetch this information from the process environment block.

16
00:01:40,160 --> 00:01:47,510
So this is the structure, and Windows itself initializes all of these values.

17
00:01:47,750 --> 00:01:51,230
So there are many unknown...

18
00:01:51,500 --> 00:01:53,150
So there are many unknown values here.

19
00:01:53,420 --> 00:01:55,810
But the third byte is BeingDebugged.

20
00:01:55,830 --> 00:02:01,670
So you can see the first one is Reserved and the third byte is BeingDebugged.

21
00:02:01,940 --> 00:02:08,300
So we can get this information by using this NtQueryInformationProcess.

22
00:02:09,410 --> 00:02:16,700
This resides in the ntdll, so we can get the process information.

23
00:02:16,940 --> 00:02:21,680
And what type of information we need depends on the second parameter.

24
00:02:21,980 --> 00:02:23,870
The first parameter is the process handle.

25
00:02:24,290 --> 00:02:27,610
And the second parameter is this process information class.

26
00:02:28,070 --> 00:02:29,690
And it is normally an integer.

27
00:02:29,870 --> 00:02:33,260
So we will be passing this ProcessBasicInformation.

28
00:02:37,190 --> 00:02:38,840
And here you can see this is a structure.

29
00:02:39,680 --> 00:02:41,600
These are all pointers.

30
00:02:41,930 --> 00:02:46,460
And here you can see the second member is the pointer to this

31
00:02:47,520 --> 00:02:48,560
PEB structure.

32
00:02:50,580 --> 00:02:58,770
And that parameter is actually the structure. In this function, you can see the parameter.

33
00:02:59,100 --> 00:03:01,470
And the next one is ProcessInformationLength.

34
00:03:01,590 --> 00:03:08,890
So we'll be sending this size, and the output is the return length.

35
00:03:09,150 --> 00:03:11,670
So let's go and import this one.

36
00:03:16,560 --> 00:03:21,780
I say, let's go and open this in our file explorer.

37
00:03:26,380 --> 00:03:34,540
And if I go and run this normally under a command prompt window, I get false because there is

38
00:03:34,540 --> 00:03:36,790
no debugger attached to the normal process.

39
00:03:37,330 --> 00:03:42,730
But when I run it under this Visual Studio, the debugger runs this program.

40
00:04:03,710 --> 00:04:06,470
So this information class is an integer.

41
00:04:20,820 --> 00:04:25,350
So the first one is the pointer, which is the handle to the process.

42
00:04:25,680 --> 00:04:27,900
And the second one is the process information class.

43
00:04:28,230 --> 00:04:29,150
The type of information.

44
00:04:31,200 --> 00:04:32,700
You can see the process basic...

45
00:04:32,700 --> 00:04:33,790
...basic information.

46
00:04:34,520 --> 00:04:36,180
Uh, we can just say integer.

47
00:04:41,330 --> 00:04:43,370
And the third one is the pointer.

48
00:04:48,550 --> 00:04:50,170
And the next one is the length.

49
00:04:50,890 --> 00:05:02,170
We can say this as uint, and out would be the variable, the variable holding the size, the length

50
00:05:02,170 --> 00:05:04,090
of this structure.

51
00:05:07,710 --> 00:05:09,210
So then we define the function.

52
00:05:11,900 --> 00:05:17,330
Now I have already copied this process information, that is the PROCESS_BASIC_INFORMATION structure.

53
00:05:18,380 --> 00:05:20,960
So you can see all of these are pointers.

54
00:05:21,140 --> 00:05:25,770
So we can go to this, uh, website here.

55
00:05:25,770 --> 00:05:30,830
We can search for, uh, PROCESS_BASIC_INFORMATION.

56
00:05:39,900 --> 00:05:42,420
Where you can see the results, the signature.

57
00:05:42,960 --> 00:05:48,480
And here you have this enum containing all of the values.

58
00:05:56,580 --> 00:06:00,560
So let's declare this one.

59
00:06:31,400 --> 00:06:36,890
And then we also create our own variable of this one.

60
00:06:50,530 --> 00:06:53,590
And now we can call this function.

61
00:07:03,230 --> 00:07:10,160
And we can get the current process handle using this Process.GetCurrentProcess, so we'll be passing

62
00:07:10,160 --> 00:07:11,480
this handle.

63
00:07:12,560 --> 00:07:15,170
And the second one is the process information class,

64
00:07:15,320 --> 00:07:21,590
that is the ProcessBasicInformation, that should be correct.

65
00:07:30,740 --> 00:07:33,050
And the third one is the pointer.

66
00:07:48,210 --> 00:07:50,850
We allocate the size to hold

67
00:07:53,600 --> 00:07:57,740
that much; I want to allocate it so we can save this.

68
00:08:36,210 --> 00:08:38,160
So let's pass that pointer here.

69
00:08:39,780 --> 00:08:45,060
And the ProcessInformationLength, that is the size of the PROCESS_BASIC_INFORMATION structure.

70
00:08:48,890 --> 00:08:51,190
And now for the

71
00:08:53,240 --> 00:08:55,700
return length, it should be a variable.

72
00:09:11,620 --> 00:09:11,920
Okay.

73
00:09:11,920 --> 00:09:13,420
I think we are good to go.

74
00:09:25,810 --> 00:09:28,600
And after that, we'll be getting the...

75
00:09:45,990 --> 00:09:49,860
We'll be getting the pointer to this structure.

76
00:09:50,430 --> 00:10:02,310
So what we did is we needed to convert this pointer to the structure, to this PROCESS_BASIC_INFORMATION type.

77
00:10:04,560 --> 00:10:07,110
So we created this one.

78
00:10:15,960 --> 00:10:17,250
So what about this structure?

79
00:10:17,310 --> 00:10:19,020
So, PEB is a structure.

80
00:10:19,860 --> 00:10:24,480
Now we can see the PebBaseAddress.

81
00:10:24,720 --> 00:10:28,620
So that is the pointer to the PEB structure.

82
00:10:28,620 --> 00:10:29,910
We can see the PEB dot

83
00:10:32,330 --> 00:10:33,780
PebBaseAddress.

84
00:10:36,460 --> 00:10:42,550
So this PEB is a pointer to this structure.

85
00:10:42,610 --> 00:10:50,020
So all we need to do is we need to just move forward and retrieve the content.

86
00:10:52,280 --> 00:11:01,780
So we can call Marshal.ReadByte, so we can use this function to read the byte at the particular address.

87
00:11:02,360 --> 00:11:04,700
So we are going to add plus two.

88
00:11:05,870 --> 00:11:13,340
So that, uh, gives us the value of this BeingDebugged value, so we can just print this one.

89
00:11:18,520 --> 00:11:25,810
So now we should get the value one, and you can see we got the value one.

90
00:11:27,280 --> 00:11:30,930
Now if we go and run this in the command prompt, we should get the value zero.

91
00:11:31,510 --> 00:11:32,350
So we are good.

92
00:11:33,430 --> 00:11:36,370
Now we can just write some code.

93
00:11:43,310 --> 00:11:46,490
If the value is equal to one,

94
00:11:49,840 --> 00:11:52,990
we will say debugger present.

95
00:12:06,090 --> 00:12:06,440
No

96
00:12:06,450 --> 00:12:07,230
debugger

97
00:12:07,230 --> 00:12:07,740
present.

98
00:12:09,950 --> 00:12:16,550
Let's run this, and you can see that it says debugger present, and in this one there is not.

99
00:12:17,000 --> 00:12:27,260
So this is, uh, uh, one of the techniques to find whether the process is running under the debugger or not.

100
00:12:27,260 --> 00:12:32,180
We can also pass the handle of another process as well.

101
00:12:33,140 --> 00:12:37,100
So this, uh, technique is also used by the

102
00:12:40,700 --> 00:12:48,670
game anti-cheat, and we can see, uh, this is a Valorant game and this Valorant game has this, uh,

103
00:12:54,400 --> 00:12:54,750
Riot

104
00:12:55,390 --> 00:12:59,380
Vanguard, that is built by these Riot Games.

105
00:12:59,740 --> 00:13:06,550
So this will, if you try to just open the debugger and open this process,

106
00:13:06,550 --> 00:13:13,840
and if you run this, this Riot Vanguard will be in the background and it will ban you from the

107
00:13:13,840 --> 00:13:14,110
game.

108
00:13:14,560 --> 00:13:19,380
So it will not only ban you from the game, it will ban your hardware.

109
00:13:19,990 --> 00:13:24,280
So that means you cannot play this game on this, uh, computer.

110
00:13:24,310 --> 00:13:26,260
So you need to buy another computer to play the game.

111
00:13:26,270 --> 00:13:31,000
So, uh, this is the best, uh, anti-cheating.

112
00:13:33,180 --> 00:13:36,480
I have to note from this that I had games returned.

113
00:13:36,690 --> 00:13:45,840
So that's why you need to just beware before attaching any debugger to a game, even if it's your

114
00:13:45,860 --> 00:13:46,500
first game.

115
00:13:46,830 --> 00:13:52,160
If it's a single-player game, there is no need to worry; if it's a multiplayer game,

116
00:13:52,230 --> 00:13:55,410
then you need to be much more cautious about it.