DEBUG_ONLY_THIS_PROCESS 0x00000002
The calling thread starts and debugs the new process, and receives all of its debug events using the WaitForDebugEvent function. The CreateProcess argument that controls this is dwCreationFlags; it can contain DEBUG_ONLY_THIS_PROCESS or DEBUG_PROCESS.
DEBUG_PROCESS 0x00000001
The calling thread starts and debugs the new process and all child processes created by that process. It can receive the related debug events using the WaitForDebugEvent function. A process that uses DEBUG_PROCESS is the root of a debugging chain. This continues until another process in the chain is created with DEBUG_PROCESS. If this flag is combined with DEBUG_ONLY_THIS_PROCESS, the caller debugs only the new process, not any child processes.
The lpProcessAttributes argument also takes a pointer to a SECURITY_ATTRIBUTES structure, which may define special security permissions for the created process as well.
I would detour CreateProcess and log the arguments to find out whether either of these is being used.
Last thought: they registered their own debugger to prevent others from attaching their own. That sounds like a good trick to stop debuggers.
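As an added example (not code from the post or from the program being discussed), here is what the two ideas above look like in C: a helper that decodes dwCreationFlags the way a CreateProcess detour would log it, and the self-debugging trick itself, where a launcher re-executes its own binary with DEBUG_ONLY_THIS_PROCESS and services the child's debug events so no other debugger can attach. The `--child` switch, the log line format, and the decision to pass non-breakpoint exceptions back to the child are my assumptions; the Windows-only parts are guarded by _WIN32 so the decoder compiles on any platform.

```c
/* Added example, not from the original post. Windows-only parts are under _WIN32. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Documented values of the two creation flags (winbase.h), so the decoder builds anywhere. */
#define DEBUG_PROCESS           0x00000001
#define DEBUG_ONLY_THIS_PROCESS 0x00000002
typedef uint32_t DWORD;
#endif

/* Describe the debugging mode selected by dwCreationFlags.
 * DEBUG_ONLY_THIS_PROCESS wins when both flags are set, as the docs state. */
static const char *debug_mode(DWORD flags)
{
    if (flags & DEBUG_ONLY_THIS_PROCESS)
        return "debugger of new process only (children not followed)";
    if (flags & DEBUG_PROCESS)
        return "root of debugging chain (new process and its descendants)";
    return "not a debugger";
}

/* 1 if the caller is about to become a debugger of the process it creates. */
static int creates_debuggee(DWORD flags)
{
    return (flags & (DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS)) != 0;
}

/* Format the log line a CreateProcess detour would write (assumed format).
 * Returns the number of characters snprintf would have written. */
static int log_create_process(const char *app, DWORD flags, char *out, size_t n)
{
    return snprintf(out, n, "CreateProcess(%s) dwCreationFlags=0x%08lx -> %s",
                    app ? app : "(null)", (unsigned long)flags, debug_mode(flags));
}

#ifdef _WIN32
/* The self-debugging trick: spawn our own binary as a debuggee. Only one debugger
 * may be attached to a process, so a third-party debugger is locked out of the child. */
static int run_as_debugger(const char *self_path)
{
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    char cmdline[MAX_PATH + 16];
    snprintf(cmdline, sizeof cmdline, "\"%s\" --child", self_path);
    if (!CreateProcessA(self_path, cmdline, NULL, NULL, FALSE,
                        DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi))
        return (int)GetLastError();

    DEBUG_EVENT ev;
    for (;;) {
        if (!WaitForDebugEvent(&ev, INFINITE))
            break;
        DWORD status = DBG_CONTINUE;
        /* Swallow the initial loader breakpoint; hand every other exception back to
         * the child so its own handlers still run (assumed policy). */
        if (ev.dwDebugEventCode == EXCEPTION_DEBUG_EVENT &&
            ev.u.Exception.ExceptionRecord.ExceptionCode != EXCEPTION_BREAKPOINT)
            status = DBG_EXCEPTION_NOT_HANDLED;
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, status);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT &&
            ev.dwProcessId == pi.dwProcessId)
            break;
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif

int main(int argc, char **argv)
{
    char line[256];
    /* What the detour would log for a launcher that combines both flags. */
    log_create_process("child.exe", DEBUG_PROCESS | DEBUG_ONLY_THIS_PROCESS, line, sizeof line);
    puts(line);
#ifdef _WIN32
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        puts("child: running under the parent's debugger");
        return 0;
    }
    return run_as_debugger(argv[0]);
#else
    (void)argc; (void)argv;
    return 0;
#endif
}
```

On Windows, running the binary with no arguments prints the decoded flags, relaunches itself as the debuggee and pumps events until the child exits; trying to attach a debugger to the child while the parent is running fails, which is the behaviour the post describes. A detour that calls log_create_process before forwarding to the real CreateProcess will show the same line for the target under analysis.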