09 – Preventing Debugging by using SystemFunction040 (RtlEncryptMemory) on DbgUiRemoteBreakin


The video concludes a series on anti-analysis techniques in executable code. The presenter reflects on the learning journey and then walks through one function in the binary that prevents a debugger from attaching: it changes the memory protection of DbgUiRemoteBreakin so the code can be written to, then scrambles the function's first bytes so that a debugger's attach routine no longer works. He closes with an invitation for further engagement from viewers.

**Key Points:**

  • The video is the final part of a series on anti-analysis techniques.
  • The presenter explains a specific function that prevents debuggers from attaching to the process.
  • It details the process of changing memory protections with ZwProtectVirtualMemory.
  • The function targets DbgUiRemoteBreakin in ntdll, makes its page writable, and then encrypts the function's initial bytes.
  • Scrambling this memory corrupts the function's code, which is what thwarts the debugger's attach operation.
  • The discussion includes references to system function calls, in particular SystemFunction040 (RtlEncryptMemory), and to memory manipulation techniques.
  • The presenter invites viewer feedback for potential future content and expresses hope that the audience learned valuable skills throughout the series.
  • The video hints at further possible explorations into the binary's behavior, including where it conceals its strings and which encryption methods it uses.
  • YouTube Video: https://www.youtube.com/watch?v=j-pbT1xKBU8
    YouTube Channel: Dr Josh Stroschein – The Cyber Yeti
    Video Published: 2025-01-02T19:00:32+00:00