Parent Process Detection

By checking the parent process of our own process we can tell whether we were started normally or under a debugger: a program the user launches from the desktop has “explorer.exe” as its parent, whereas a program started inside a debugger has the debugger as its parent. (Other launchers such as cmd.exe, PowerShell or the Task Scheduler also give a non-Explorer parent, so on its own this check produces false positives.)
For this technique the following Windows APIs from the Tool Help library are used: CreateToolhelp32Snapshot to take a snapshot of all running processes, Process32First and Process32Next to walk the snapshot, and GetCurrentProcessId to find our own entry in it.

We also use a PROCESSENTRY32 structure, which receives the information for each process in the snapshot as we walk it. Its dwSize member must be set to sizeof(PROCESSENTRY32) before the first call or the enumeration fails; the members the check relies on are th32ProcessID, th32ParentProcessID and szExeFile (the image name without a path).

typedef struct tagPROCESSENTRY32 {
  DWORD     dwSize;
  DWORD     cntUsage;
  DWORD     th32ProcessID;
  ULONG_PTR th32DefaultHeapID;
  DWORD     th32ModuleID;
  DWORD     cntThreads;
  DWORD     th32ParentProcessID;
  LONG      pcPriClassBase;
  DWORD     dwFlags;
  TCHAR     szExeFile[MAX_PATH];
} PROCESSENTRY32, *PPROCESSENTRY32;

First we take a snapshot of all processes and walk it to find the PID of explorer.exe. Next we take a second snapshot and walk it until we reach our own entry (its th32ProcessID equals GetCurrentProcessId()), then compare its th32ParentProcessID with the explorer.exe PID we recorded. If the two differ, something other than the shell, typically a debugger, started us.
The comparison is by image name only, so a debugger renamed to “explorer.exe” would pass it. Extra checks can be added: compare the parent’s full image path (QueryFullProcessImageName) against %windir%\explorer.exe, or compare the PPID with the PID of the desktop shell obtained via GetShellWindow and GetWindowThreadProcessId. Keep in mind that a PID can be reused once the parent exits, and that a launcher can set PROC_THREAD_ATTRIBUTE_PARENT_PROCESS to make any process it holds a handle to appear as the parent, so this check is best combined with others.
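The check described above, as an added example that is not the post’s own ppid.c: the logic is split into a portable core that runs over a plain list of (PID, PPID, image name) entries and a Win32 wrapper that fills that list from a Tool Help snapshot. Rather than recording explorer.exe’s PID first, it finds our own entry, follows th32ParentProcessID and tests the parent’s image name, which also copes with several explorer.exe instances and with a parent that has already exited. The proc_entry type, the verdict enum and the two sample process lists (including the x64dbg.exe parent) are constructed for the example.

```c
/* Added example, not the original post's ppid.c: the PPID check split into a
 * portable core (runs on a plain process list) and a Win32 snapshot wrapper.
 * Instead of recording explorer.exe's PID first, it finds our own entry, reads
 * th32ParentProcessID and checks the *parent's* image name, which also copes
 * with several explorer.exe instances. Sample lists below are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXE_NAME_MAX 260            /* MAX_PATH, as in PROCESSENTRY32.szExeFile */

typedef struct {                    /* the PROCESSENTRY32 fields we need */
    uint32_t pid;
    uint32_t ppid;
    char     exe[EXE_NAME_MAX];
} proc_entry;

typedef enum {
    PARENT_IS_EXPLORER = 0,         /* normal launch from the desktop shell */
    PARENT_NOT_EXPLORER = 1,        /* some other image: debugger, cmd.exe, ... */
    PARENT_UNKNOWN = 2              /* our entry or the parent's entry is missing */
} parent_verdict;

/* Image names on Windows are case-insensitive ("Explorer.EXE" must match). */
static int name_eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static const proc_entry *find_pid(const proc_entry *list, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].pid == pid)
            return &list[i];
    return NULL;
}

/* Find self_pid, follow its ppid, and classify the parent. A parent that is
 * not in the list (it exited, or its PID was never there) is reported as
 * UNKNOWN rather than quietly passing as a normal launch. */
static parent_verdict check_parent(const proc_entry *list, size_t n, uint32_t self_pid)
{
    const proc_entry *self = find_pid(list, n, self_pid);
    if (!self) return PARENT_UNKNOWN;
    const proc_entry *parent = find_pid(list, n, self->ppid);
    if (!parent) return PARENT_UNKNOWN;
    return name_eq_nocase(parent->exe, "explorer.exe") ? PARENT_IS_EXPLORER
                                                        : PARENT_NOT_EXPLORER;
}

/* Constructed sample snapshots (not real data) for running off-Windows. */
static const proc_entry sample_normal[] = {
    { 4,    0,    "System" },
    { 1544, 1500, "Explorer.EXE" },
    { 4242, 1544, "ppid.exe" },     /* started by double-clicking in Explorer */
};
static const proc_entry sample_debugged[] = {
    { 4,    0,    "System" },
    { 1544, 1500, "explorer.exe" },
    { 3010, 1544, "x64dbg.exe" },   /* debugger, itself started from Explorer */
    { 4242, 3010, "ppid.exe" },     /* debuggee: its parent is the debugger */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
/* Fill `out` from a Tool Help snapshot; returns the number of entries stored.
 * Uses the W variants explicitly so it builds with or without UNICODE. */
static size_t snapshot_processes(proc_entry *out, size_t cap)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);         /* mandatory, or Process32FirstW fails */
    size_t n = 0;
    if (Process32FirstW(snap, &pe)) {
        do {
            out[n].pid  = pe.th32ProcessID;
            out[n].ppid = pe.th32ParentProcessID;
            WideCharToMultiByte(CP_ACP, 0, pe.szExeFile, -1,
                                out[n].exe, EXE_NAME_MAX, NULL, NULL);
            n++;
        } while (n < cap && Process32NextW(snap, &pe));
    }
    CloseHandle(snap);
    return n;
}
#endif

int main(void)
{
    static const char *label[] = { "explorer.exe", "NOT explorer.exe", "unknown" };
#ifdef _WIN32
    proc_entry procs[2048];
    size_t n = snapshot_processes(procs, COUNT(procs));
    printf("live check: parent is %s\n", label[check_parent(procs, n, GetCurrentProcessId())]);
#else
    printf("normal run:   parent is %s\n", label[check_parent(sample_normal, COUNT(sample_normal), 4242)]);
    printf("debugged run: parent is %s\n", label[check_parent(sample_debugged, COUNT(sample_debugged), 4242)]);
#endif
    return 0;
}
```

On Windows the program snapshots the live process list and reports its own parent; elsewhere it runs the same core over the two constructed lists. Returning a three-way verdict matters in practice: treating a missing parent as “normal” would let a debuggee whose debugger has already detached and exited slip through, while treating it as “debugged” would flag every orphaned process.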

Here’s an example I wrote in C.

https://github.com/OsandaMalith/Anti-Debug/blob/master/PPID/ppid.c

Here’s the same example written in MASM.

https://github.com/OsandaMalith/Anti-Debug/blob/master/PPID/ppid.asm

Example output when the program is run normally from Explorer.

Example output when the PPID does not belong to explorer.exe, e.g. when the program is started under a debugger.

