Skip to content
/ anti-suspend Public

blocks debuggers from suspending your programs threads

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kaiiskirrrrr/anti-suspend

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
initialization
initialization
 
 
module
module
 
 
README.md
README.md
 
 
suspension.sln
suspension.sln
 
 

Repository files navigation

Suspension-Blocking

Overview

This project prevents debuggers from suspending your program's threads. It works by injecting a module into a Windows process and then resuming all threads in a loop using the ResumeThread function.

This serves as a proof of concept for blocking thread suspension (not detecting, but actively preventing it as most people just detect it). After trying various methods without finding a solid solution, this is the best approach I've come up with so far.

Note: This solution is extremely powerful if you hide your logic correctly. If you just paste and use lazy importer and skcrypt, it won't be very effective. as they will see what you are doing. You need to properly randomize and obfuscate your logic. It's also recommended to implement a watchdog for the thread and the CMD process.

How to Use:

  1. The project includes both a DLL and a console application as examples.
  2. The console project shows how to use the DLL by injecting it into cmd.exe.
    • In a real-world scenario, you would randomize this across multiple processes.
    • The loop then resumes all suspended threads within the target process.
  3. Important: Ensure that you update the program name in the DLL project to match your target program, or it will not work. Once updated, don't forget to modify the corresponding byte array.

tips:

  1. Find your loader in the module using a rare identifier, instead of the program name.
  2. Setup a watchdog/heart beat, this will stop people from killing your threads.
  3. You can also generate a random interval when you start your program then increment a variable by that amount throughout your threads, then have a precalucated value and check it equals to that, if it doesnt they have jmp over something or killed your thread
  4. randomize the processes you inject into, only injecting into CMD is not a good idea.
  5. before you inject into the process, find the amount of threads it currently has, store that in a integer and increment it by one, then check and make sure it equals that amount of threads, if it doesnt they have killed the anti suspend thread
  6. make sure the program your injecting into is compatible with all things above^, and ofc ensure the instance of the program your injecting into is always active
2024-09-24.17-27-50.mp4

I recommend using this as a base idea, and expanding and improving on it on your own. :)

About

blocks debuggers from suspending your programs threads

Topics

debugging security protection debug anti-debug antidebug obsfucation anti-debugger

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages