TransWikia.com

Program prevents x64dbg from starting or kills it if it's already running. What to do?

Reverse Engineering Asked by ne0n on April 12, 2021

I have the following problem with x64dbg. I am trying to debug an x64 PE program with x64dbg on Windows.
It looks like the program has some sort of anti-debug protection. I have the following behavior:

  • If the program is running and I try to start x64dbg, x64dbg just won’t start. Nothing happens.

  • If x64dbg is running and I try to start the program, the program starts and kills x64dbg immediately.

    => because of this I am not able to attach x64dbg to the process

  • I also tried using File->Open in x64dbg. With this I can at least open the program. But the problem here is that when doing this the program immediately terminates.

As I am relatively new to this I really don’t know what to do or where to go from here.

I hope some of you experienced guys can give me a solution or hint how I can debug this program.
Thanks in advance!

One Answer

This technique can occur in two ways. The first is through user mode: for example, an application or an application module checks a snapshot of all processes in search of a blacklisted process, or looks for debugger window patterns. In this first case you can rename the window and check whether it continues.

The second way is to go to the folder of the program that you want to attach to and check whether it contains a kernel driver; you can detect it by its ".sys" extension. This second case is a little more complex. The idea is almost the same, but you need to patch the instructions responsible for checking the processes from ring 0.

You can also try another debugger, such as Cutter, which has x64 support if that is your architecture (see Cutter here, see how ring zero). Finally, also test some anti-anti-debugger such as TitanHide.

Answered by 0x0A on April 12, 2021
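
A static triage sketch for the two cases in the answer above, added here as an example and not part of the original answer: it scans a PE file's raw bytes for import names that suggest process-snapshot or window checks and for debugger name strings, then lists `.sys` files beside the program. The API lists and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
import os
import sys

# Import names that hint at each check (assumed list, extend as needed).
INDICATORS = {
    "process snapshot": [b"CreateToolhelp32Snapshot", b"Process32First",
                         b"Process32Next", b"EnumProcesses"],
    "window pattern": [b"FindWindow", b"EnumWindows", b"GetWindowText"],
    "process kill": [b"TerminateProcess"],
    "driver load": [b"OpenSCManager", b"CreateService", b"NtLoadDriver"],
}
DEBUGGER_NAMES = [b"x64dbg", b"x32dbg"]  # strings a blacklist might contain

def scan_image(data):
    """Map each category to the indicator strings found in the raw bytes."""
    hits = {}
    for category, names in INDICATORS.items():
        found = [n.decode() for n in names if n in data]
        if found:
            hits[category] = found
    # Blacklist entries may be ASCII or UTF-16LE and in any letter case.
    lowered = data.lower()
    dbg = [n.decode() for n in DEBUGGER_NAMES
           if n in lowered or n.decode().encode("utf-16-le") in lowered]
    if dbg:
        hits["debugger name string"] = dbg
    return hits

def find_drivers(folder):
    """List .sys files under the program folder (the answer's second case)."""
    found = []
    for root, _dirs, files in os.walk(folder):
        found += [os.path.join(root, f) for f in files
                  if f.lower().endswith(".sys")]
    return sorted(found)

def triage(exe_path):
    """Scan one executable and the folder it lives in."""
    with open(exe_path, "rb") as fh:
        report = scan_image(fh.read())
    report["drivers"] = find_drivers(os.path.dirname(os.path.abspath(exe_path)))
    return report

# Constructed sample bytes imitating an import table and a UTF-16 string.
SAMPLE = (b"\x00KERNEL32.dll\x00CreateToolhelp32Snapshot\x00Process32NextW\x00"
          b"TerminateProcess\x00" + "X64DBG.EXE".encode("utf-16-le"))

if __name__ == "__main__":
    print(triage(sys.argv[1]) if len(sys.argv) > 1 else scan_image(SAMPLE))
```

An empty result does not rule out a check: a packed binary, dynamically resolved imports, or an obfuscated blacklist will hide these strings from a raw byte scan.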
