Steam's anti-debugging code

I bought a few more Steam games on Friday (F.E.A.R. 3, Deus Ex, Brink, the Fallout series, Duke Nukem) and ran into the annoying crash-at-breakpoint again. This time, however, I decided to put some time into it to try and find out why this is happening.

After a lot of googling I ran into this blog post:

While it does not specifically mention Steam, it does explain why WinDBG (and other debuggers like OllyDBG and Cheat Engine) crash the game when a breakpoint is triggered. Once a thread has the "ThreadHideFromDebugger" flag set, Windows does not report that thread's exceptions to the attached debugger. The breakpoint exception is instead dispatched to the game itself, which has no handler for it, so the process dies.

So I spent several hours figuring out ways to circumvent the "ThreadHideFromDebugger" flag.

At first I tried to undo the "ThreadHideFromDebugger" flag, but apparently once you've set this flag, it stays on (there's no way to turn it off on a thread). I then tried to access the ETHREAD structure which gets modified by "NtSetInformationThread", but apparently you can't get access to the ETHREAD structure from user space (at least not in any way that I could find).

So the only way to get rid of the "ThreadHideFromDebugger" flag is by not letting the application set the flag in the first place. There are two ways to do this: stop it in user mode or in kernel mode. Kernel mode is nice, but it really isn't funny to BSOD your system a lot while developing the driver. Also the whole 'need it to be signed' part for x64 sucks. But this is still a valid option which I might look into.

But I decided to write a user mode DLL which you can inject into Steam. Once it's injected, you simply have to start the game you want to debug from within Steam and the DLL does all the work for you. It hooks three functions: CreateProcessA, CreateProcessW and NtSetInformationThread. The NtSetInformationThread hook is responsible for actually disabling the "ThreadHideFromDebugger" flag, while the CreateProcess hooks are used to hook any game launched by Steam.

There's 1 big *read this*, do *not* start VAC-games (and probably also PunkBuster games) with this DLL loaded into Steam! It will most likely get you banned. Also a small disclaimer, only use this to cheat in single player games. Cheating in online-games is wrong mkay! ;)

You can download it here.
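As an added example (not the author's DLL or any part of the download above), here is a small C# diagnostic that reports which threads of a process currently carry the "ThreadHideFromDebugger" flag, which is the quickest way to confirm that a crash-at-breakpoint is caused by this protection and, per the post above, that the flag stays set once applied. It assumes a Windows version on which NtQueryInformationThread accepts class 0x11 (ThreadHideFromDebugger) and that the target's threads can be opened with THREAD_QUERY_INFORMATION.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Constructed example: list the threads of a process and report which ones
// have the ThreadHideFromDebugger flag (THREADINFOCLASS 0x11) set.
static class HiddenThreadCheck
{
    const int ThreadHideFromDebugger = 0x11;      // THREADINFOCLASS value
    const uint THREAD_QUERY_INFORMATION = 0x0040; // access right needed for the query

    // NTSTATUS NtQueryInformationThread(HANDLE, THREADINFOCLASS, PVOID, ULONG, PULONG)
    // For class 0x11 the buffer is a single BOOLEAN, so the length must be 1.
    [DllImport("ntdll.dll")]
    static extern int NtQueryInformationThread(IntPtr hThread, int infoClass,
        out byte info, int infoLength, IntPtr returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenThread(uint access, bool inherit, uint threadId);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    // true  = thread is hidden from debuggers
    // false = thread is visible
    // null  = the thread could not be opened or the query was rejected
    public static bool? IsHidden(uint threadId)
    {
        IntPtr h = OpenThread(THREAD_QUERY_INFORMATION, false, threadId);
        if (h == IntPtr.Zero) return null;
        try
        {
            byte hidden;
            int status = NtQueryInformationThread(h, ThreadHideFromDebugger,
                                                  out hidden, 1, IntPtr.Zero);
            return status == 0 ? (bool?)(hidden != 0) : null; // 0 == STATUS_SUCCESS
        }
        finally { CloseHandle(h); }
    }

    static void Main(string[] args)
    {
        // Usage: HiddenThreadCheck.exe <pid>   (defaults to this process)
        int pid = args.Length > 0 ? int.Parse(args[0]) : Process.GetCurrentProcess().Id;
        foreach (ProcessThread t in Process.GetProcessById(pid).Threads)
        {
            bool? hidden = IsHidden((uint)t.Id);
            string state = hidden == null ? "query failed"
                         : hidden.Value  ? "HIDDEN from debugger" : "visible";
            Console.WriteLine("thread {0,6}: {1}", t.Id, state);
        }
    }
}
```

Run it against a game process that crashes on breakpoints; every thread reported as hidden is one whose exceptions the debugger will never see.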

Posted by: Da_Teach on Sunday, August 7, 2011 • Comments (230) • Tags: C# Hack Cheat Engine WinDBG Anti-Debugger

Anti-debugger protection

Lately I've seen an increased number of games use anti-debugger protection. This is mostly because a lot of them use the same copy protection. For example, it seems all the Steam games (at least the ones I have tried) have the same anti-debugger protection.

The effect seems to be roughly the same with the various protections. They all seem to crash the game after you place a breakpoint (either a hardware breakpoint or an int 3 software breakpoint) inside it.

Now I have actually been too lazy to figure out exactly what's causing this issue. But I have some ideas which I'll have to play with in the future.

However there is an easy way around the issue. Use a kernel debugger that also supports debugging user-mode applications.

I've tried WinDBG, but its kernel debugger requires you to connect two PCs together with a serial cable. I got this working with VMware; however, I got an error trying to attach to a user-mode application. It might still be possible with WinDBG, but I got bored trying to figure out why I was getting errors.

VMware also has an internal remote kernel debugger; however, it doesn't support user-mode application debugging, at least not for a Windows guest OS.

I also tried Syser, and while it can do exactly what I want, I couldn't get it to work with my PC (clean WinXP install with Syser, BSOD whenever Syser activated). Then I played around with it a bit more and found out that it works perfectly inside a VMware guest OS.

So to get around the anti-debugger protection (for now) I ended up using a WinXP guest OS inside a VMware machine with Syser installed. That said, I do hope that Syser fixes support for the newer NVIDIA graphics cards soon so I can debug without the use of VMware.

Posted by: Da_Teach on Friday, January 1, 2010 • Comments (35) • Tags: Syser WinDBG Anti-Debugger