TinyTracer is detected by WinLicense. What should I do? #60
Comments
In TinyTracer.ini I set ANTIDEBUG=1 or 2; neither can bypass the debugger detection.
Hi @x64bugreport! Thanks for reporting. I reproduced it, and will investigate it soon.
@hasherezade I continued researching for two days, but still made no progress. Have you made any progress?
Is there any progress on this case?
It is on my TODO, I will take care of this when I get some free time.
@hasherezade Thank you very much for your reply. I have not found the key point of this detection so far. If you solve this case later, I hope you can reply to me. Thank you very much.
@x64bugreport - sure I will let you know!
@hasherezade Is there any progress?
How about running the ScyllaHide injector tool, which fixes Themida/WinLicense anti-debug?
@hasherezade I think it may be the Pin environment that causes certain debugging states to be checked. I don't understand why instrumentation triggers debugging-related flags to be set. Did you find the cause of this issue?
I didn't spot anything obvious, and I don't have time to dig deeper for now. It may be about some slowdown introduced by the tracing itself.
I am also looking into this issue I see 2 suspicious points about WinLicense's antidebug technique:
I'm glad to hear your reply. Have you finally solved this problem? Can I ask how you troubleshot this issue? I tried to handle it myself but I had no clue.
@hasherezade Sorry, I'm disturbing you again. When I traced the WinLicense-encrypted program, it was detected and a prompt said that a debugger was found. According to my understanding, Pin will not trigger the debugging status and the related API detection return exceptions generated by a debugger at runtime. The only thing that comes to mind is the time difference, but you've already dealt with RDTSC. In the actual test it is still detected. I have no idea how to deal with this detection. Do you have any good method to locate this detection routine and handle the detection?
The following is the test program I provided. You can debug it with confidence. The main program has a trusted digital signature. After tracing winlicense.exe for a few seconds, "debugger found" will be notified via MessageBoxExW.
https://mega.nz/file/xJY3WTaY#1kpLBZ1FxXQU2yGrRVvBMlUykHeROZBceHuWaj9f0b4
The decompression password of the test case compressed package is 123.
I look forward to your reply. Thank you very much.