Skip to content
/ Empress Public

Single header memory protection/anti-debug library

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

svespalec/Empress

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
empress.hpp
empress.hpp
 
 
example.cpp
example.cpp
 
 

Repository files navigation

Empress

A header-only C++ library that prevents debugger functionality by restricting process memory operations through Windows Job Objects.

How It Works

The technique leverages Windows Job Objects to set a process memory limit that's just enough for your code to run, but not enough for debuggers to function.

Breakpoint Types

Software Breakpoints (int 3/0xCC)

  • Requires memory writes to replace instructions
  • Most common debugging method
  • Default choice for user-mode debuggers

Hardware Breakpoints

  • Utilizes CPU debug registers (DR0-DR7)
  • No memory modification required
  • Exception handlers still need memory allocation
  • Job object prevents exception handling while allowing breakpoints

Memory Management

Memory Types

Type Description Characteristics
Private Pages Process-specific memory - Heap and stack storage
- Copy-on-write when modified
- Required for debugger operations
Shared Pages Mapped files and shared memory - Accessible by multiple processes
- Usually read-only for code sections
Committed Pages Physical or page file backed - Contains existing code
- Unaffected by job object restrictions

Job Object Effects

The job object restriction:

  • Prevents new memory commitments
  • Blocks private page allocations needed by debuggers
  • Preserves existing committed pages
  • Maintains shared page accessibility

Protection Mechanism

The 0x1000 (4KB) memory limit is effective because:

  • Matches minimum system page size
  • Allows existing committed memory to continue execution (your code)
  • Prevents debuggers from:
    • Allocating private pages for operation
    • Creating exception handling threads
    • Modifying memory protection flags

Usage

#include "empress.hpp"

int main() {
  if (empress::protection::enable()) {
    // Protection active - debuggers can't modify memory
  }

  return 0;
}

Results

Breakpoints:

{0727F23B-F4EA-4664-B687-A80069C6E795}

Memory editing: {F2A69C4A-914D-47B6-99DD-D515A1121441}

Limitations

  • Not effective against kernel-mode debuggers (they bypass user-mode restrictions)
  • Your code must minimize dynamic memory allocations after protection
  • Very small programs (<4KB) might not be protected if entirely private
  • Some debuggers might still attach but won't be able to function

Requirements

  • Windows OS
  • C++20 or later
  • MSVC compiler

References

Based on the technique described in "Process on a diet: anti-debug using job objects" by Justas Masiulis.

About

Single header memory protection/anti-debug library

Topics

antidebug memory-protection

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages