Research Blog

SizeOfStackReserve Denial of Service

In this post I will be referencing information I’ve found through reversing and through waleedassar's blog article titled SizeOfStackReserve Anti-Attaching Trick. It should be noted that the following was tested on Windows 10. The routine RtlCreateUserStack in ntoskrnl.exe is called following a call to CreateRemoteThread, CreateThread, and/or, of course, NtCreateThreadEx. RtlCreateUserStack is called far later in a […]


Using Flags of RTL_USER_PROCESS_PARAMETERS for Anti-Debugging

Overview

There are various flags in the PEB associated with a specific process, such as the CrossProcessFlags, the BitField (4th member of the PEB), AppCompatFlags, and so forth. I’d always tried looking for differences in the flags when operating in a standard runtime environment vs. a debugged runtime environment, and after many failed attempts to find […]
