GET /api/techniques/59/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 59,
    "key": "csrgetprocessid",
    "unprotect_id": "U0115",
    "name": "CsrGetProcessID",
    "description": "This function is undocumented within `OpenProcess`. It can be used to get the PID of CSRSS.exe, which is a `SYSTEM` process. By default, the `SeDebugPrivilege` privilege is disabled in a process's access token.\r\n\r\nHowever, when the process is loaded by a debugger such as OllyDbg or WinDbg, the `SeDebugPrivilege` privilege is enabled. If a process is able to open the CSRSS.exe process, it means that the process has `SeDebugPrivilege` enabled in its access token, which suggests that the process is being debugged.\r\n\r\nIf we call `OpenProcess` and pass the ID returned by `CsrGetProcessId`, no error will occur if the `SeDebugPrivilege` has been set with `SetPrivilege` / `AdjustTokenPrivileges`.",
    "resources": "https://www.gironsec.com/blog/2013/12/other-antidebug-tricks/",
    "creation_date": "2019-03-18T13:31:58Z",
    "tags": "CsrGetProcessID",
    "modification_date": "2023-10-04T10:43:42.118000Z",
    "category": [
        3
    ],
    "rules": [
        74
    ],
    "attachments": [],
    "featured_api": [
        24,
        425
    ],
    "contributors": []
}