Category: detailed

Experimenting with Object Initializers in Windows – See PG-compliance Disclaimer*

Overview In this article, I wanted to introduce a fun approach to performing functions similar to those enabled by Windows Object Callbacks but through an alternative means (experimentally). It’s well known that anti-malware, anti-cheat, and generic monitoring tools on Windows systems often use these callbacks. However, their usability is limited to parties with signed modules, […]

Read More

Usermode Debugger Check Prevention

It’s easy enough to use OllyDbg or any other debugger to bypass debugger checks, but any sort of anti-debugging technique that utilizes the time stamp counter such as QueryPerformanceCounter, GetTickCount, and others, can be bypassed by setting the 2nd bit in control register 4 (CR4) which disables the TimeStamp Counter from working for applications operating […]

Read More

Breaking Down System Routines #2 [NtQuerySystemInformation]

System Routine Overview NtQuerySystemInformation¬†is a system routine that gathers system information specific to the class value provided. During this breakdown, we’ll look at it in much more depth because, like the previous system routine documented, it’s just a wrapper for an internal kernel routine that actually gathers the system information. However, the internal routine it […]

Read More