#2: Final?

Protector/AntiDebug.hpp

@@ -3,17 +3,22 @@
 inline bool BasicDebugTriggered()
 {
     if (IsDebuggerPresent())
+    {
+        printf("DETECTED/DEBUG/IsDebuggerPresent\n");
         return true;
+    }
     //get peb
 #ifdef _WIN64
     PPEB peb = (PPEB)__readgsqword(0x60);
-    #else
+#else
     PPEB peb = (PPEB)__readfsdword(0x30);
-    #endif
+#endif
     auto NtGlobalFlag = peb->NtGlobalFlag;
     if (NtGlobalFlag & 0x70)
+    {
+        printf("DETECTED/DEBUG/NtGlobalFlag:%p\n", NtGlobalFlag);
         return true;
-
+    }
     return false;
 }
 inline bool HWBPDebugTriggered()
@@ -23,8 +28,10 @@ inline bool HWBPDebugTriggered()
     GetThreadContext(GetCurrentThread(), &ctx);
 
     if (ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0)
+    {
+        printf("DETECTED/DEBUG/HWBP/Dr0:%p, Dr1:%p, Dr2:%p, Dr3:%p\n", ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3);
         return true;
-
+    }
     return false;
 }
 inline bool HypervisorDebugTriggered()
@@ -33,28 +40,40 @@ inline bool HypervisorDebugTriggered()
     {
         __asm
         {
-            __emit 0xf3;
-            __emit 0x90;
-            __emit 0x00;
+            //pushf
+            __emit 0x9C
+            //or dword ptr [esp], 0x100
+            __emit 0x81
+            __emit 0x0C
+            __emit 0x24
+            __emit 0x00
+            __emit 0x01
+            __emit 0x00
+            __emit 0x00
+            //popf
+            __emit 0x9D
+            //cpuid
+            __emit 0x0F
+            __emit 0xA2
+            __emit 0x90
         }
     }
     __except (EXCEPTION_EXECUTE_HANDLER)
     {
-        return true;
+        return false;
     }
-
-    return false;
+    //if detected, it will crash
 }
 
 inline DWORD AntiDebugTriggered()
 {
     if (BasicDebugTriggered())
-        return 1;
+       return 1;
 
     if (HWBPDebugTriggered())
         return 2;
 
-    if (HypervisorDebugTriggered())
+   if (HypervisorDebugTriggered())
         return 3;
 
     return 0;

Protector/AntiLibrary.hpp

@@ -152,10 +152,7 @@ typedef struct _PEB
 } PEB, * PPEB;
 void NTAPI TlsCallback(PVOID DllHandle, DWORD dwReason, PVOID Reserved)
 {
-    if (dwReason == DLL_PROCESS_ATTACH)
-    {
-        printf("Checking library %p\n", DllHandle);
-    }
+    //TODO: CreateThread detection
 }
 #pragma data_seg(".CRT$XLX")
 PIMAGE_TLS_CALLBACK p_thread_callback[] = { TlsCallback, 0 };
@@ -179,6 +176,10 @@ __forceinline void CheckLibrary()
         //get module
         auto mod = CONTAINING_RECORD(curr, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
 
+        if (mod->DllBase == GetModuleHandle(NULL))
+        {
+            continue;
+        }
         //get module name
         auto path = malloc(mod->FullDllName.Length + sizeof(wchar_t));
         memcpy(path, mod->FullDllName.Buffer, mod->FullDllName.Length);
@@ -189,7 +190,7 @@ __forceinline void CheckLibrary()
         std::list<SIGN_NODE_INFO> SignChain;
         if (!CheckFileDigitalSignature((LPCWSTR)path, NULL, catalogFile, signType, SignChain))
         {
-            printf("Failed to check digital signature of %ws\n", path);
+            printf("DETECTED/LDR/CheckLibrary: %ws\n", path);
             continue;
         }
         //printf("file: %ws\n", path);

Protector/AntiProcess.hpp

@@ -364,7 +364,9 @@ BOOL WINAPI EnumWindowsCallback(HWND hWnd, LPARAM lParam)
     {
         if (wcsstr(WindowName, BlacklistedWindowName[i]))
         {
-            GetWindowThreadProcessId(hWnd, (LPDWORD)lParam);
+            //GetWindowThreadProcessId(hWnd, (LPDWORD)lParam);
+			std::wstring* detectedWindowName = (std::wstring*)lParam;
+			*detectedWindowName = WindowName;
             return FALSE;
         }
     }
@@ -373,21 +375,24 @@ BOOL WINAPI EnumWindowsCallback(HWND hWnd, LPARAM lParam)
 __forceinline void CheckProcessHasMyHandle(void)
 {
     ULONG returnLength = 0;
-    NTSTATUS status = NtQuerySystemInformation(SystemExtendedHandleInformation, nullptr, 0, &returnLength);
-    if (status != STATUS_INFO_LENGTH_MISMATCH)
-        return;
-
-    ULONG bufferSize = returnLength;
-    PSYSTEM_HANDLE_INFORMATION_EX handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(bufferSize);
-    if (!handleInfo)
-        return;
-
-    status = NtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, bufferSize, &returnLength);
-    if (status)
-    {
-        free(handleInfo);
-        return;
-    }
+	PSYSTEM_HANDLE_INFORMATION_EX handleInfo = nullptr;
+	NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
+	do
+	{
+		if (returnLength)
+		{
+			if (handleInfo)
+			{
+				handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)realloc(handleInfo, returnLength);
+			}
+			else
+			{
+				handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(returnLength);
+			}
+		}
+		status = NtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, returnLength, &returnLength);
+	}
+	while (status == STATUS_INFO_LENGTH_MISMATCH);
 
     //loop handles
     for (int i = 0; i < handleInfo->NumberOfHandles; i++)
@@ -400,21 +405,20 @@ __forceinline void CheckProcessHasMyHandle(void)
             if (!hProcess)
                 continue;
             HANDLE hDupHandle = nullptr;
-            DuplicateHandle(hProcess, (HANDLE)handle.HandleValue, GetCurrentProcess(), &hDupHandle, 0, FALSE, 0);
+            DuplicateHandle(hProcess, (HANDLE)handle.HandleValue, GetCurrentProcess(), &hDupHandle, PROCESS_QUERY_LIMITED_INFORMATION, FALSE, 0);
             if (!hDupHandle)
             {
                 CloseHandle(hProcess);
                 continue;
             }
 
             //check handle access has PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION
-            if ((handle.GrantedAccess & PROCESS_QUERY_INFORMATION) == 0 && (handle.GrantedAccess & PROCESS_QUERY_LIMITED_INFORMATION) == 0)
+            /*if ((handle.GrantedAccess & PROCESS_QUERY_INFORMATION) == 0 && (handle.GrantedAccess & PROCESS_QUERY_LIMITED_INFORMATION) == 0)
             {
                 CloseHandle(hProcess);
                 CloseHandle(hDupHandle);
                 continue;
-            }
-
+            }*/
             if (GetProcessId(hDupHandle) != GetCurrentProcessId())
             {
                 CloseHandle(hProcess);
@@ -432,7 +436,7 @@ __forceinline void CheckProcessHasMyHandle(void)
             if (!CheckFileDigitalSignature(path, nullptr, catalogFile, signType, SignChain))
             {
                 //TODO: Send log to server.
-
+				printf("DETECTED/HANDLE/Unknown process has our handle. path: %ws\n", path);
             }
 
             CloseHandle(hProcess);
@@ -443,19 +447,22 @@ __forceinline void CheckProcessHasMyHandle(void)
 __forceinline void CheckProcess(void)
 {
     CheckProcessHasMyHandle();
-    DWORD detectedProcessId = 0;
-    EnumWindows(EnumWindowsCallback, (LPARAM)&detectedProcessId);
-
-    if (detectedProcessId)
+
+    std::wstring detectedWindowName;
+    EnumWindows(EnumWindowsCallback, (LPARAM)&detectedWindowName);
+
+    if (!detectedWindowName.empty())
     {
         //TODO: Send log to server.
-        HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, detectedProcessId);
+		printf("DETECTED/WINDOW/Blacklisted windows has been found. name: %ws\n", detectedWindowName.c_str());
+        /*HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, detectedProcessId);
         if (hProcess)
         {
             TerminateProcess(hProcess, 0);
             CloseHandle(hProcess);
-        }
+        }*/
     }
+	return;
     PROCESSENTRY32 pe32{};
     pe32.dwSize = sizeof(PROCESSENTRY32);
     HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
@@ -470,6 +477,7 @@ __forceinline void CheckProcess(void)
             if (wcsstr(pe32.szExeFile, BlacklistedProcessName[i]))
             {
                 //TODO: Send log to server.
+				printf("DETECTED/WINDOW/Blacklisted process has been found. name: %ws\n", pe32.szExeFile);
             }
         }
         bRet = Process32Next(hSnapshot, &pe32);

Protector/Core.cpp

@@ -49,7 +49,7 @@ DWORD WINAPI AntiCodeIntegrityThread(LPVOID lpParam)
         Sleep(5000);
         if (!verifier->Verify())
         {
-            //TODO: Send log to server.
+            printf("DETECTED/CODE_INTEGRITY/CodeIntegrity check failed\n");
         }
         lastCodeIntegrityCheckTime = GetTickCount64();
     }
@@ -60,18 +60,22 @@ __forceinline void CheckThreadWorking(void)
     DWORD64 currentTime = GetTickCount64();
     if (currentTime - lastDebugCheckTime > 10000 && lastDebugCheckTime != 0)
     {
+        printf("DETECTED/SUSPEND_THREAD/AntiDebugThread\n");
         __debugbreak(); //force make exception to crash
     }
     if (currentTime - lastLibraryCheckTime > 10000 && lastLibraryCheckTime != 0)
     {
+        printf("DETECTED/SUSPEND_THREAD/AntiLibraryThread\n");
         __debugbreak(); //force make exception to crash
     }
     if (currentTime - lastProcessCheckTime > 10000 && lastProcessCheckTime != 0)
     {
+        printf("DETECTED/SUSPEND_THREAD/AntiProcessThread\n");
         __debugbreak(); //force make exception to crash
     }
     if (currentTime - lastCodeIntegrityCheckTime > 10000 && lastCodeIntegrityCheckTime != 0)
     {
+        printf("DETECTED/SUSPEND_THREAD/AntiCodeIntegrityThread\n");
         __debugbreak(); //force make exception to crash
     }
 }

Protector/Protector.vcxproj

@@ -76,6 +76,7 @@
       <SDLCheck>true</SDLCheck>
       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
+      <ExceptionHandling>Async</ExceptionHandling>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -90,6 +91,7 @@
       <SDLCheck>true</SDLCheck>
       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
+      <ExceptionHandling>Async</ExceptionHandling>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>