I built a small C++ library for Windows x64 that protects a process from debugging and analysis. Most of these techniques are documented individually; I just put them together in a way I found interesting.
github.com/000nico/watchdog-process-protection
The core idea: inject a thread into explorer.exe that keeps your process alive even if an attacker freezes it entirely.
Explorer is a convenient host: it's always running and can't be closed under normal system operation. The injected thread receives duplicated handles to the main and protection threads and periodically resumes them if suspended. If the watchdog itself gets killed, the protected process crashes immediately via checkWatchDog().
```cpp
#include <windows.h>
// Runtime-resolved function pointers (the library's typedef names; prototypes assumed to match DuplicateHandle and NtResumeThread).
typedef BOOL (WINAPI *pDuplicateHandle)(HANDLE, HANDLE, HANDLE, LPHANDLE, DWORD, BOOL, DWORD);
typedef LONG (NTAPI *pNtResumeThread)(HANDLE, PULONG);   // NTSTATUS is a LONG
// Handed to the thread living in explorer.exe: the two threads it keeps alive and the APIs it needs to resume them.
struct watchdogStruct {
    HANDLE mainThreadHandle;
    HANDLE protectThreadHandle;
    pDuplicateHandle dup;
    pNtResumeThread resume;
};
```
Other techniques worth looking at
- **Handle revocation**: uses NtQuerySystemInformation to enumerate every open handle on the system, finds any external process holding a handle to the protected process, and closes them. This cuts off tools that rely on OpenProcess to read or manipulate memory.
- **Hook detection**: checks the first bytes of critical functions in ntdll.dll, kernel32.dll, and kernelbase.dll for 0xE9 or 0xFF signatures. Tools like ScyllaHide work by hooking these functions, and this catches them.
- **exceptionThrow**: calls CloseHandle with an invalid handle. Without a debugger attached the call silently fails; with one attached, Windows raises STATUS_INVALID_HANDLE. A passive detection that is hard to patch out.
- **__fastfail crash**: when a debugger is detected, termination goes through __fastfail with an empty working set. It can't be caught with try/catch, can't be intercepted, and leaves little behind for post-mortem analysis.
- **TLS callback init**: all of this starts before main() via a TLS callback. Just including the header is enough.
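To make concrete what the hook-detection check above is actually testing, and where it produces false positives, here is an added example that is not part of the watchdog library: a portable C++ prologue classifier run over constructed byte samples. The function names, RVAs, image size and bytes are all made up for illustration and nothing is read from a live ntdll or kernel32. It goes slightly beyond the post in two ways: it decodes the E9 rel32 target so an out-of-image detour (a trampoline, as Detours-style hooks install) is told apart from a harmless intra-module jump, and it reports FF 25 as "needs resolution" rather than "hooked", because kernel32 forwarders to kernelbase legitimately begin with exactly that instruction.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Verdicts for the first bytes of an exported function.
enum class Verdict { Clean, IntraModuleJump, DetourJmpRel32, IndirectJump, TooShort };

// Expected prefix of an x64 ntdll Nt* syscall stub: mov r10, rcx ; mov eax, <ssn>.
static const uint8_t kSyscallStubPrefix[] = {0x4C, 0x8B, 0xD1, 0xB8};

// Decode the E9 rel32 target and report whether it leaves the module image.
// Detour trampolines live outside the image; compiler or hot-patch jumps stay inside.
static bool jmpRel32LeavesImage(const uint8_t* p, uint32_t funcRva, uint32_t imageSize) {
    int32_t rel = 0;
    std::memcpy(&rel, p + 1, sizeof rel);
    const int64_t target = static_cast<int64_t>(funcRva) + 5 + rel;
    return target < 0 || target >= static_cast<int64_t>(imageSize);
}

Verdict classifyPrologue(const uint8_t* p, size_t n, uint32_t funcRva, uint32_t imageSize) {
    if (n < 6) return Verdict::TooShort;
    if (std::memcmp(p, kSyscallStubPrefix, sizeof kSyscallStubPrefix) == 0) return Verdict::Clean;
    if (p[0] == 0xE9)
        return jmpRel32LeavesImage(p, funcRva, imageSize) ? Verdict::DetourJmpRel32
                                                          : Verdict::IntraModuleJump;
    // FF /4 = jmp r/m64 (FF 25 is the RIP-relative form). kernel32 forwarders use it
    // legitimately, so the pointer slot must be resolved before calling this a hook.
    if (p[0] == 0xFF && ((p[1] >> 3) & 0x7) == 4) return Verdict::IndirectJump;
    return Verdict::Clean;
}

struct FunctionSample { std::string name; uint32_t rva; std::vector<uint8_t> bytes; };
struct Finding { std::string name; Verdict verdict; };

std::vector<Finding> scanModule(const std::vector<FunctionSample>& fns, uint32_t imageSize) {
    std::vector<Finding> out;
    for (const auto& f : fns)
        out.push_back({f.name, classifyPrologue(f.bytes.data(), f.bytes.size(), f.rva, imageSize)});
    return out;
}

// Constructed samples (hypothetical RVAs and bytes, not read from any real image).
std::vector<FunctionSample> constructedSamples() {
    return {
        {"NtQueryInformationProcess", 0x9A000, {0x4C,0x8B,0xD1,0xB8,0x19,0x00,0x00,0x00}}, // intact stub
        {"NtSetInformationThread",    0x9B000, {0xE9,0x00,0x00,0x20,0x00,0x90,0x90,0x90}}, // jmp +0x200000: leaves image
        {"LdrLoadDll",                0x21000, {0xE9,0x00,0x01,0x00,0x00,0xCC,0xCC,0xCC}}, // jmp +0x100: stays inside
        {"CreateFileW",               0x1C000, {0xFF,0x25,0x3A,0x9D,0x05,0x00,0xCC,0xCC}}, // jmp [rip+disp32]: forwarder?
    };
}
const uint32_t kConstructedImageSize = 0x1F0000;  // hypothetical SizeOfImage

// Names whose prologue jumps to a trampoline outside the module: the real detections.
std::vector<std::string> detourFindings() {
    std::vector<std::string> names;
    for (const auto& f : scanModule(constructedSamples(), kConstructedImageSize))
        if (f.verdict == Verdict::DetourJmpRel32) names.push_back(f.name);
    return names;
}

int main() {
    for (const auto& f : scanModule(constructedSamples(), kConstructedImageSize))
        std::printf("%-28s verdict=%d\n", f.name.c_str(), static_cast<int>(f.verdict));
    return 0;
}
```

In a real integrity check the bytes come from the loaded module (and ideally the on-disk copy for comparison), and an IndirectJump result should be followed by dereferencing the pointer slot and checking which module the destination falls in; only then is it a hook rather than a normal kernel32 to kernelbase forward.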
Nothing here is novel; these are known techniques. The code is open source if you want to read it, use it, or improve it.
github.com/000nico/watchdog-process-protection