Debug event processing 03

[There is too much to do, and this part is quite difficult for me, so I will only write about the general framework here; the specific functions will be written up when I do the reverse analysis.]

Questions:

1. What is the first event the debugger receives once it has been set up?

2. How is that event generated in the kernel?

3. How, during initialization, does the system decide whether the program is being debugged (as opposed to a normal process)?

4. Why does the kernel's debugging code send fake messages (**fake**)?

1. Debug events when a process is created

  The simple case: the debuggee is created by the debugger

  In this case, simply open notepad.exe in debug mode; the first event received is an exception.

  

  When the debugger creates the debuggee, or attaches to it, an int 3 breakpoint is placed in the debuggee process.

  The function responsible is shown below. (NOTE: when the function is too large to reverse directly, the debugger-related function can be located through IDA cross references.)

  

  Note: during process initialization, LdrpInitializeProcess is normally called, but the breakpoint is not triggered for every process.

  Below, the check of PEB+0x2:

  

2. Sending fake messages

  When the debugger attaches to an existing process, it calls a function of the DebugActiveProcess family.

  Internally, this function sends fake messages. Why fake?

  Because the process has already been created and its DLL modules have already been loaded.

  However, the debugger still needs information such as the debuggee's DLL modules, so at this point the debuggee has to be sent fake messages; in practice this means walking the module list in the TEB to find the various DLL modules.

  Is this reliable?

  Of course not: earlier, in the R3 TEB-hiding section, we used C++ to implement module hiding (unlinking the chain at the R3 layer).
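As an added example (not the post's code), a minimal Python/ctypes debugger loop that records the event sequences described above: created with DEBUG_ONLY_THIS_PROCESS, the debuggee's first EXCEPTION_DEBUG_EVENT is the loader's int 3; attached with DebugActiveProcess, the fake CREATE_PROCESS/LOAD_DLL messages for the already-loaded modules arrive first, followed by a breakpoint. It assumes Windows with a Python whose bitness matches the target; the names handle_exception and trace_events are mine, and only the exception member of DEBUG_EVENT is decoded.

```python
import ctypes, sys
from ctypes import c_uint32, c_void_p, c_size_t, c_wchar_p, c_int, c_ubyte
DEBUG_ONLY_THIS_PROCESS, STATUS_BREAKPOINT = 0x2, 0x80000003   # an int 3 is reported as STATUS_BREAKPOINT
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
EVENT_NAMES = {1: "EXCEPTION", 2: "CREATE_THREAD", 3: "CREATE_PROCESS", 4: "EXIT_THREAD",
               5: "EXIT_PROCESS", 6: "LOAD_DLL", 7: "UNLOAD_DLL", 8: "OUTPUT_DEBUG_STRING", 9: "RIP"}
class EXCEPTION_RECORD(ctypes.Structure):
    _fields_ = [("ExceptionCode", c_uint32), ("ExceptionFlags", c_uint32), ("ExceptionRecord", c_void_p),
                ("ExceptionAddress", c_void_p), ("NumberParameters", c_uint32), ("ExceptionInformation", c_size_t * 15)]
class EXCEPTION_DEBUG_INFO(ctypes.Structure):
    _fields_ = [("ExceptionRecord", EXCEPTION_RECORD), ("dwFirstChance", c_uint32)]
class DEBUG_EVENT_U(ctypes.Union):      # only the exception member is decoded; the other members stay raw bytes
    _fields_ = [("Exception", EXCEPTION_DEBUG_INFO), ("raw", c_ubyte * 256)]
class DEBUG_EVENT(ctypes.Structure):
    _fields_ = [("dwDebugEventCode", c_uint32), ("dwProcessId", c_uint32), ("dwThreadId", c_uint32), ("u", DEBUG_EVENT_U)]

def handle_exception(code, first_chance, seen_initial_break):
    """Return (continue status, is_initial_break). Breakpoints are swallowed with DBG_CONTINUE; the first
    first-chance one is the int 3 raised during LdrpInitializeProcess because PEB+0x2 (BeingDebugged)
    is set. Any other exception is handed back to the debuggee as unhandled."""
    if code != STATUS_BREAKPOINT:
        return DBG_EXCEPTION_NOT_HANDLED, False
    return DBG_CONTINUE, bool(first_chance) and not seen_initial_break
def trace_events(target, attach=False, max_events=40):
    """Windows only. target is an exe path (create under debug) or a pid (attach). Returns the event log."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.ContinueDebugEvent.argtypes = [c_uint32, c_uint32, c_uint32]
    if attach:   # the kernel replays CREATE_PROCESS/LOAD_DLL as fake messages, then breaks in
        assert k32.DebugActiveProcess(c_uint32(int(target))), ctypes.get_last_error()
    else:
        k32.CreateProcessW.argtypes = [c_wchar_p, c_wchar_p, c_void_p, c_void_p, c_int,
                                       c_uint32, c_void_p, c_wchar_p, c_void_p, c_void_p]
        si = (c_ubyte * (104 if ctypes.sizeof(c_void_p) == 8 else 68))()   # zeroed STARTUPINFOW
        c_uint32.from_buffer(si).value = ctypes.sizeof(si)                 # si.cb
        pi = (c_ubyte * 24)()                                              # PROCESS_INFORMATION
        assert k32.CreateProcessW(None, ctypes.create_unicode_buffer(target), None, None, 0,
                                  DEBUG_ONLY_THIS_PROCESS, None, None, si, pi), ctypes.get_last_error()
    ev, seen, log = DEBUG_EVENT(), False, []
    while len(log) < max_events and k32.WaitForDebugEvent(ctypes.byref(ev), 3000):
        status, name = DBG_CONTINUE, EVENT_NAMES.get(ev.dwDebugEventCode, "?")
        if ev.dwDebugEventCode == 1:
            rec = ev.u.Exception.ExceptionRecord
            status, is_break = handle_exception(rec.ExceptionCode, ev.u.Exception.dwFirstChance, seen)
            seen |= is_break
            name += " 0x%08X @ %#x%s" % (rec.ExceptionCode, rec.ExceptionAddress or 0, " <- initial int 3" if is_break else "")
        log.append(name)
        k32.ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status)
        if ev.dwDebugEventCode == 5: break
    if attach: k32.DebugActiveProcessStop(c_uint32(int(target)))   # leave an attached target running
    return log
if __name__ == "__main__" and sys.platform == "win32": print("\n".join(trace_events(sys.argv[1], attach=sys.argv[1].isdigit())))
```

Run it with an exe path to see the create-time sequence, or with a pid of a running process to see the attach-time fake messages.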


Source: www.cnblogs.com/onetrainee/p/11961237.html