GET /api/techniques/107/
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "name": "NtSetDebugFilterState",
    "category": [
        "https://search.unprotect.it/api/categories/3/"
    ],
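    "description": "The NtSetDebugFilterState function, exported by ntdll.dll, can be used to detect the presence of a debugger. The caller inspects the returned NTSTATUS: the snippet below treats a return value of 0 (STATUS_SUCCESS) as debugger present and any other value as not debugged. The call reportedly needs elevated privileges to succeed, so the result is a heuristic that can misfire in either direction rather than proof of a debugger. Analysts can recognize the check by a run-time lookup of this export followed by a branch on its return value.",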
    "resources": "https://www.evilfingers.com/publications/research_EN/NtSetDebugFilterState.pdf",
    "tags": "",
    "snippets": [
        {
            "language": "https://search.unprotect.it/api/snippet_languages/1/",
            "author": "https://search.unprotect.it/api/snippet_authors/1/",
            "technique": "https://search.unprotect.it/api/techniques/107/",
            "description": "",
            "plain_code": "program NtSetDebugFilterState;\r\n\r\n{$APPTYPE CONSOLE}\r\n\r\nuses\r\n  WinAPI.Windows, System.SysUtils;\r\n\r\nvar\r\n  NtSetDebugFilterState : function(AComponentId : ULONG; ALevel : ULONG; AState : Boolean) : NTSTATUS; stdcall;\r\n\r\n  hNTDLL  : THandle;\r\n  AStatus : NTSTATUS;\r\n\r\nbegin\r\n  try\r\n    hNTDLL := LoadLibrary('ntdll.dll');\r\n    if (hNTDLL = 0) then\r\n      Exit();\r\n    try\r\n      @NtSetDebugFilterState := GetProcAddress(hNTDLL, 'NtSetDebugFilterState');\r\n\r\n      if NOT Assigned(NtSetDebugFilterState) then\r\n        Exit();\r\n\r\n      AStatus := NtSetDebugFilterState(0, 0, True);\r\n\r\n      writeln(AStatus);\r\n\r\n      if (AStatus <> 0) then\r\n        WriteLn('Not Debugged.')\r\n      else\r\n        WriteLn('Debugged.');\r\n    finally\r\n      FreeLibrary(hNTDLL);\r\n    end;\r\n  except\r\n    on E: Exception do\r\n      Writeln(E.ClassName, ': ', E.Message);\r\n  end;\r\nend."
        }
    ],
    "detection_rules": []
}