How I managed to bypass Process Monitor detection for anti-debuggers and Riot Games

Mohammed Dief
4 min read · May 5, 2024


Hey there, I hope this article finds you well and you’re safe somewhere in the world. Anyway, it’s nothing new that Process Monitor is the most hated yet most powerful monitoring tool on Windows, and anti-debuggers hate its existence so much that the mere fact it has been launched on a machine gets detected within seconds.

But how are anti-debuggers able to detect Process Monitor? They rely on four methods: active filter drivers, the window class name, the process name, and the publisher/company information.

Active filter drivers:

If you didn’t know, Process Monitor depends on a filter driver to capture the events of executables and know what’s going on. Anti-debuggers rely heavily on the driver name to detect Process Monitor because it can’t function without the driver; if you unload the driver, Process Monitor is pretty useless.

So the first thing we have to do is change the name of the filter driver Process Monitor creates and uses. Since we don’t have the source code and can’t simply edit the code and recompile, we have to work with the executable itself, which means relying on a hex editor for this job.

Procmon.exe loaded in HxD

Searching inside Procmon.exe for the driver name. In this version of Process Monitor the driver name is PROCMON24.

Search results for the driver name

Now all we have to do is go through every single result in the executable and change the driver name to something else; in my case I changed it to BROCMON24.

Now we restart the system, because the Process Monitor driver is so badly programmed that you can’t unload it without rebooting, but running the modified Process Monitor afterwards will update the driver successfully.

Updated list of drivers after the system reboot

Window class name:

It’s pretty common for anti-debuggers to detect programs by their WINDOW_CLASS_NAME, because it’s a constant: every program window has a fixed class name that ships with the executable. In this case Process Monitor’s window class name is well known and can easily be detected.

To bypass this we need to figure out Process Monitor’s window class name so we can edit it in HxD. For this I will use WinSpy++.

WinSpy++ analysis on process monitor

In this case the class name is PROCMON_WINDOW_CLASS. Now we can open up HxD, search for it, and update it.

HxD results for the window class name

Now we change the class name to anything else, save the application, and we’re halfway there.

Process name:

I don’t have to say much here: the process name is simply the executable name, since we’re dealing with a portable version of Process Monitor, a standalone executable that doesn’t rely on other programs to launch. Just rename Procmon.exe to Brocmon.exe and it goes undetected.

Publisher / Company information:

Every executable contains copyright and publisher/company information about who made it, and some anti-debuggers can use this information to detect Process Monitor as well. We just need to strip it, and you can easily do this using Resource Hacker.

Publisher / Company information in Resource Hacker

Simply replacing this information with empty strings, compiling the application in Resource Hacker and saving it is enough to strip it. It’s better to remove everything except the application version.
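As an added example (not code from the article or from any anti-cheat vendor), here is a Python sketch of the four string-based checks described above, run over constructed host snapshots instead of live Windows APIs (fltmc, EnumWindows, the process list, the PE version resource). The driver and class names come from the article; the "sysinternals" CompanyName substring is an assumption. It shows why a build with every string renamed slips past all four checks.

```python
"""Four Procmon indicators from the article, applied to constructed snapshots.
Added example, not code from the article. Real checks would query fltmc,
EnumWindows, the process list and the PE version resource; here the inputs
are plain lists so the logic runs anywhere."""
from dataclasses import dataclass, field

PROCMON_DRIVER = "PROCMON24"            # filter driver name (from the article)
PROCMON_CLASS = "PROCMON_WINDOW_CLASS"  # window class name (from the article)
PROCMON_EXE = "procmon.exe"             # process/image name (from the article)
PROCMON_PUBLISHER = "sysinternals"      # assumed substring of CompanyName


@dataclass
class HostSnapshot:
    filter_drivers: list[str]                  # names as `fltmc filters` lists them
    window_classes: list[str]                  # class names of top-level windows
    process_names: list[str]                   # image names of running processes
    version_info: dict[str, str] = field(default_factory=dict)  # PE version strings


def procmon_indicators(snap: HostSnapshot) -> list[str]:
    """Return the names of the indicators that fired (empty list = not detected)."""
    hits = []
    if any(d.upper() == PROCMON_DRIVER for d in snap.filter_drivers):
        hits.append("filter_driver")
    if any(c.upper() == PROCMON_CLASS for c in snap.window_classes):
        hits.append("window_class")
    if any(p.lower() == PROCMON_EXE for p in snap.process_names):
        hits.append("process_name")
    if PROCMON_PUBLISHER in snap.version_info.get("CompanyName", "").lower():
        hits.append("publisher")
    return hits


# Constructed snapshots (not captured from a real machine).
STOCK = HostSnapshot(
    filter_drivers=["FileInfo", "PROCMON24", "WdFilter"],
    window_classes=["Shell_TrayWnd", "PROCMON_WINDOW_CLASS"],
    process_names=["explorer.exe", "Procmon.exe"],
    version_info={"CompanyName": "Sysinternals - www.sysinternals.com"},
)
RENAMED = HostSnapshot(  # the article's build: driver, class, exe and publisher changed
    filter_drivers=["FileInfo", "BROCMON24", "WdFilter"],
    window_classes=["Shell_TrayWnd", "BROCMON_WINDOW_CLASS"],
    process_names=["explorer.exe", "Brocmon.exe"],
    version_info={"CompanyName": ""},
)

if __name__ == "__main__":
    print("stock:  ", procmon_indicators(STOCK))    # all four indicators
    print("renamed:", procmon_indicators(RENAMED))  # []
```

Every check here is an exact or substring match on a name the binary carries in plain text, which is exactly why editing those bytes is enough to evade them.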

The goal here was to bypass Riot Games’ Process Monitor detection, and after testing the new build of Procmon I created, I was actually able to bypass it, as you can see.

Valorant running along with Brocmon

Now you can, for once, see what Valorant is doing on your machine. I hope you enjoyed this article and that it was actually useful for you.

Make sure to follow me on my socials

https://twitter.com/DemoniaSlash

https://www.linkedin.com/in/mohamed-dief-b87649184/

You can also get Brocmon, the modified version of Process Monitor, from here.

See you ❤
