Debugger Evasion
Reference: attack.mitre.org

15 syscalls implement this technique:
- NtQueryVirtualMemory
Retrieves information about pages in a target process's virtual address space.
- NtGetContextThread
Retrieves the CPU register context (CONTEXT structure) of a suspended thread.
- NtQueryInformationProcess
Retrieves a class of information about a process — the universal back-end of GetProcessInformation and the workhorse of anti-debug checks.
- NtSetInformationProcess
Modifies a class of process-level state — anti-debug self-cleansing, CET range registration, ACG/CIG policy installation, instrumentation callbacks.
- NtQueryInformationThread
Reads a property from a thread via the THREADINFOCLASS enum — TEB pointer, hide-from-debugger flag, times, exit status.
- NtSetInformationThread
Sets a property on a thread via the THREADINFOCLASS enum — most famously ThreadHideFromDebugger.
- NtCreateDebugObject
Creates a kernel DebugObject — the per-debugger port that receives debug events from attached processes.
- NtDebugActiveProcess
Attaches an existing DebugObject to a running process — the kernel side of DebugActiveProcess.
- NtRemoveProcessDebug
Detaches a DebugObject from a process — the kernel side of DebugActiveProcessStop.
- NtWaitForDebugEvent
Waits for the next debug event delivered to a debug object, returning a DBGUI_WAIT_STATE_CHANGE.
- NtDebugContinue
Resumes a debuggee thread after a debug event with a given NTSTATUS continue code.
- NtClose
Closes a kernel object handle (file, key, event, process, thread, section, etc.).
- NtQueryObject
Returns metadata about a kernel object handle: basic info, name, type, or the system-wide type table.
- NtSetInformationObject
Sets handle-level attributes (inheritance, protect-from-close) on a kernel object handle.
- NtSystemDebugControl
Routes kernel debugger-style requests (kernel R/W, control space, breakpoints, profiler) selected by the SysDbgCommand enum.