From 4eb3cdbc3675a1d75ba69fdace02b10e804f38ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=84=9C=EC=9E=AC=EC=99=84?= Date: Wed, 15 Nov 2023 19:33:08 +0900 Subject: [PATCH] #2: Final? --- Protector/AntiDebug.hpp | 43 ++++++++++++++++++------- Protector/AntiLibrary.hpp | 11 ++++--- Protector/AntiProcess.hpp | 62 +++++++++++++++++++++---------------- Protector/Core.cpp | 6 +++- Protector/Protector.vcxproj | 2 ++ 5 files changed, 79 insertions(+), 45 deletions(-) diff --git a/Protector/AntiDebug.hpp b/Protector/AntiDebug.hpp index abd6285..e73cce4 100644 --- a/Protector/AntiDebug.hpp +++ b/Protector/AntiDebug.hpp @@ -3,17 +3,22 @@ inline bool BasicDebugTriggered() { if (IsDebuggerPresent()) + { + printf("DETECTED/DEBUG/IsDebuggerPresent\n"); return true; + } //get peb #ifdef _WIN64 PPEB peb = (PPEB)__readgsqword(0x60); - #else +#else PPEB peb = (PPEB)__readfsdword(0x30); - #endif +#endif auto NtGlobalFlag = peb->NtGlobalFlag; if (NtGlobalFlag & 0x70) + { + printf("DETECTED/DEBUG/NtGlobalFlag:%p\n", NtGlobalFlag); return true; - + } return false; } inline bool HWBPDebugTriggered() @@ -23,8 +28,10 @@ inline bool HWBPDebugTriggered() GetThreadContext(GetCurrentThread(), &ctx); if (ctx.Dr0 != 0 || ctx.Dr1 != 0 || ctx.Dr2 != 0 || ctx.Dr3 != 0) + { + printf("DETECTED/DEBUG/HWBP/Dr0:%p, Dr1:%p, Dr2:%p, Dr3:%p\n", ctx.Dr0, ctx.Dr1, ctx.Dr2, ctx.Dr3); return true; - + } return false; } inline bool HypervisorDebugTriggered() 
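Review bot: The `%p` conversions in the new printf calls in `BasicDebugTriggered` do not match their arguments: `NtGlobalFlag` is a 32-bit ULONG in the documented PEB layout, and on 32-bit builds `ctx.Dr0`–`Dr3` are DWORDs, while `%p` consumes a pointer-sized argument, so on x64 the call reads past the value that was passed (undefined behavior, and the printed number is not the flag). Use an integer conversion sized for the field, e.g. `printf("DETECTED/DEBUG/NtGlobalFlag:%#lx\n", NtGlobalFlag);`, and for the debug registers `%#llx` with an `(unsigned long long)` cast on each so one format works for both architectures. The same issue applies to the `HWBPDebugTriggered` hunk on this line, where the return value of `GetThreadContext` is also still unchecked, so on failure the four fields are whatever `ctx` held (presumably zero-initialized earlier in the function, outside the hunk — worth confirming).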
@@ -33,28 +40,40 @@ inline bool HypervisorDebugTriggered() { __asm { - __emit 0xf3; - __emit 0x90; - __emit 0x00; + //pushf + __emit 0x9C + //or dword ptr [esp], 0x100 + __emit 0x81 + __emit 0x0C + __emit 0x24 + __emit 0x00 + __emit 0x01 + __emit 0x00 + __emit 0x00 + //popf + __emit 0x9D + //cpuid + __emit 0x0F + __emit 0xA2 + __emit 0x90 } } __except (EXCEPTION_EXECUTE_HANDLER) { - return true; + return false; } - - return false; + //if detected, it will crash } inline DWORD AntiDebugTriggered() { if (BasicDebugTriggered()) - return 1; + return 1; if (HWBPDebugTriggered()) return 2; - if (HypervisorDebugTriggered()) + if (HypervisorDebugTriggered()) return 3; return 0; diff --git a/Protector/AntiLibrary.hpp b/Protector/AntiLibrary.hpp index 43a26fb..d8cf9e7 100644 --- a/Protector/AntiLibrary.hpp +++ b/Protector/AntiLibrary.hpp @@ -152,10 +152,7 @@ typedef struct _PEB } PEB, * PPEB; void NTAPI TlsCallback(PVOID DllHandle, DWORD dwReason, PVOID Reserved) { - if (dwReason == DLL_PROCESS_ATTACH) - { - printf("Checking library %p\n", DllHandle); - } + //TODO: CreateThread detection } #pragma data_seg(".CRT$XLX") PIMAGE_TLS_CALLBACK p_thread_callback[] = { TlsCallback, 0 }; @@ -179,6 +176,10 @@ __forceinline void CheckLibrary() //get module auto mod = CONTAINING_RECORD(curr, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); + if (mod->DllBase == GetModuleHandle(NULL)) + { + continue; + } //get module name auto path = malloc(mod->FullDllName.Length + sizeof(wchar_t)); memcpy(path, mod->FullDllName.Buffer, mod->FullDllName.Length); @@ -189,7 +190,7 @@ __forceinline void CheckLibrary() std::list SignChain; if (!CheckFileDigitalSignature((LPCWSTR)path, NULL, catalogFile, signType, SignChain)) { - printf("Failed to check digital signature of %ws\n", path); + printf("DETECTED/LDR/CheckLibrary: %ws\n", path); continue; } //printf("file: %ws\n", path); diff --git a/Protector/AntiProcess.hpp b/Protector/AntiProcess.hpp index 79b4d1b..eefe7bf 100644 --- a/Protector/AntiProcess.hpp 
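Review bot: `HypervisorDebugTriggered` no longer returns a value on the path where no exception is raised: the trailing `return false;` was removed and the `__except` block is now the only `return`, so when the `__try` body completes normally the function falls off the end of a `bool`-returning function (undefined behavior, MSVC warning C4715) and `AntiDebugTriggered` then branches on an indeterminate value. The `//if detected, it will crash` comment does not describe what the code does; if completing without a trap is meant to count as detection, state it with `return true;` after the `__except` block, otherwise restore `return false;`. Separately, MSVC's x64 compiler has no `__asm`, so this function cannot build in the `_WIN64` configuration that the same header supports via `__readgsqword`; the 64-bit path needs a separate implementation or the function should be compiled out under `_WIN64`.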
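Review bot: The `continue` after the new `DETECTED/LDR/CheckLibrary` printf skips whatever frees `path`, which `CheckLibrary` obtained from `malloc` earlier in the same loop (visible in the previous hunk), so every module that fails the signature check leaks its name buffer on each scan; the release presumably sits further down the loop body, outside this hunk. Add `free(path);` before the `continue`, or replace the manual buffer with `std::wstring name(mod->FullDllName.Buffer, mod->FullDllName.Length / sizeof(wchar_t));` so there is nothing to free. In the `@@ -179` hunk above, `GetModuleHandle(NULL)` is also re-evaluated on every iteration; hoisting it into a local before the loop is cheaper and clearer.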
+++ b/Protector/AntiProcess.hpp @@ -364,7 +364,9 @@ BOOL WINAPI EnumWindowsCallback(HWND hWnd, LPARAM lParam) { if (wcsstr(WindowName, BlacklistedWindowName[i])) { - GetWindowThreadProcessId(hWnd, (LPDWORD)lParam); + //GetWindowThreadProcessId(hWnd, (LPDWORD)lParam); + std::wstring* detectedWindowName = (std::wstring*)lParam; + *detectedWindowName = WindowName; return FALSE; } } @@ -373,21 +375,24 @@ BOOL WINAPI EnumWindowsCallback(HWND hWnd, LPARAM lParam) __forceinline void CheckProcessHasMyHandle(void) { ULONG returnLength = 0; - NTSTATUS status = NtQuerySystemInformation(SystemExtendedHandleInformation, nullptr, 0, &returnLength); - if (status != STATUS_INFO_LENGTH_MISMATCH) - return; - - ULONG bufferSize = returnLength; - PSYSTEM_HANDLE_INFORMATION_EX handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(bufferSize); - if (!handleInfo) - return; - - status = NtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, bufferSize, &returnLength); - if (status) - { - free(handleInfo); - return; - } + PSYSTEM_HANDLE_INFORMATION_EX handleInfo = nullptr; + NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH; + do + { + if (returnLength) + { + if (handleInfo) + { + handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)realloc(handleInfo, returnLength); + } + else + { + handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(returnLength); + } + } + status = NtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, returnLength, &returnLength); + } + while (status == STATUS_INFO_LENGTH_MISMATCH); //loop handles for (int i = 0; i < handleInfo->NumberOfHandles; i++) @@ -400,7 +405,7 @@ __forceinline void CheckProcessHasMyHandle(void) if (!hProcess) continue; HANDLE hDupHandle = nullptr; - DuplicateHandle(hProcess, (HANDLE)handle.HandleValue, GetCurrentProcess(), &hDupHandle, 0, FALSE, 0); + DuplicateHandle(hProcess, (HANDLE)handle.HandleValue, GetCurrentProcess(), &hDupHandle, PROCESS_QUERY_LIMITED_INFORMATION, FALSE, 0); if (!hDupHandle) { CloseHandle(hProcess); 
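Review bot: The rewritten query loop in `CheckProcessHasMyHandle` dropped the failure exit the old code had, so after the `do`/`while` the function dereferences `handleInfo->NumberOfHandles` even when `NtQuerySystemInformation` returned an error other than `STATUS_INFO_LENGTH_MISMATCH`, or when `malloc`/`realloc` returned null (in which case `handleInfo` stays nullptr and the loop keeps querying with a null buffer). The `handleInfo = realloc(handleInfo, ...)` form also loses the old block on allocation failure. Check the final status and the pointer before iterating, and assign the `realloc` result through a temporary; since `realloc(nullptr, n)` behaves like `malloc`, the two allocation branches collapse into one. The handle loop that follows is outside this hunk.
```cpp
    ULONG returnLength = 0;
    PSYSTEM_HANDLE_INFORMATION_EX handleInfo = nullptr;
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
    do
    {
        if (returnLength)
        {
            // realloc(nullptr, n) acts as malloc; keep the old block if growing fails
            void* grown = realloc(handleInfo, returnLength);
            if (!grown)
            {
                free(handleInfo);
                return;
            }
            handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)grown;
        }
        status = NtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, returnLength, &returnLength);
    }
    while (status == STATUS_INFO_LENGTH_MISMATCH);
    // any other failure, or no buffer at all, leaves nothing to iterate
    if (status != 0 || !handleInfo)
    {
        free(handleInfo);
        return;
    }
    // … unchanged: loop over handleInfo->NumberOfHandles …
```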
@@ -408,13 +413,12 @@ __forceinline void CheckProcessHasMyHandle(void) } //check handle access has PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION - if ((handle.GrantedAccess & PROCESS_QUERY_INFORMATION) == 0 && (handle.GrantedAccess & PROCESS_QUERY_LIMITED_INFORMATION) == 0) + /*if ((handle.GrantedAccess & PROCESS_QUERY_INFORMATION) == 0 && (handle.GrantedAccess & PROCESS_QUERY_LIMITED_INFORMATION) == 0) { CloseHandle(hProcess); CloseHandle(hDupHandle); continue; - } - + }*/ if (GetProcessId(hDupHandle) != GetCurrentProcessId()) { CloseHandle(hProcess); @@ -432,7 +436,7 @@ __forceinline void CheckProcessHasMyHandle(void) if (!CheckFileDigitalSignature(path, nullptr, catalogFile, signType, SignChain)) { //TODO: Send log to server. - + printf("DETECTED/HANDLE/Unknown process has our handle. path: %ws\n", path); } CloseHandle(hProcess); @@ -443,19 +447,22 @@ __forceinline void CheckProcessHasMyHandle(void) __forceinline void CheckProcess(void) { CheckProcessHasMyHandle(); - DWORD detectedProcessId = 0; - EnumWindows(EnumWindowsCallback, (LPARAM)&detectedProcessId); - - if (detectedProcessId) + + std::wstring detectedWindowName; + EnumWindows(EnumWindowsCallback, (LPARAM)&detectedWindowName); + + if (!detectedWindowName.empty()) { //TODO: Send log to server. - HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, detectedProcessId); + printf("DETECTED/WINDOW/Blacklisted windows has been found. name: %ws\n", detectedWindowName.c_str()); + /*HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, detectedProcessId); if (hProcess) { TerminateProcess(hProcess, 0); CloseHandle(hProcess); - } + }*/ } + return; PROCESSENTRY32 pe32{}; pe32.dwSize = sizeof(PROCESSENTRY32); HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
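Review bot: The `return;` inserted before `PROCESSENTRY32 pe32{};` in `CheckProcess` makes the rest of the function unreachable, so the Toolhelp process-name scan never runs and the printf added to that loop in the next hunk is dead code. If the scan is deliberately disabled, say so with a comment or wrap the block in `#if 0` rather than leaving a bare early return that reads like a mistake. The `/* ... */`-commented `OpenProcess`/`TerminateProcess` block here and the commented-out `GrantedAccess` check in the `@@ -408` hunk above should be deleted rather than kept as block comments — version control keeps the history. `CheckProcess` continues past the end of this hunk.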
@@ -470,6 +477,7 @@ __forceinline void CheckProcess(void) if (wcsstr(pe32.szExeFile, BlacklistedProcessName[i])) { //TODO: Send log to server. + printf("DETECTED/WINDOW/Blacklisted process has been found. name: %ws\n", pe32.szExeFile); } } bRet = Process32Next(hSnapshot, &pe32); diff --git a/Protector/Core.cpp b/Protector/Core.cpp index 0154142..8b12579 100644 --- a/Protector/Core.cpp +++ b/Protector/Core.cpp @@ -49,7 +49,7 @@ DWORD WINAPI AntiCodeIntegrityThread(LPVOID lpParam) Sleep(5000); if (!verifier->Verify()) { - //TODO: Send log to server. + printf("DETECTED/CODE_INTEGRITY/CodeIntegrity check failed\n"); } lastCodeIntegrityCheckTime = GetTickCount64(); } @@ -60,18 +60,22 @@ __forceinline void CheckThreadWorking(void) DWORD64 currentTime = GetTickCount64(); if (currentTime - lastDebugCheckTime > 10000 && lastDebugCheckTime != 0) { + printf("DETECTED/SUSPEND_THREAD/AntiDebugThread\n"); __debugbreak(); //force make exception to crash } if (currentTime - lastLibraryCheckTime > 10000 && lastLibraryCheckTime != 0) { + printf("DETECTED/SUSPEND_THREAD/AntiLibraryThread\n"); __debugbreak(); //force make exception to crash } if (currentTime - lastProcessCheckTime > 10000 && lastProcessCheckTime != 0) { + printf("DETECTED/SUSPEND_THREAD/AntiProcessThread\n"); __debugbreak(); //force make exception to crash } if (currentTime - lastCodeIntegrityCheckTime > 10000 && lastCodeIntegrityCheckTime != 0) { + printf("DETECTED/SUSPEND_THREAD/AntiCodeIntegrityThread\n"); __debugbreak(); //force make exception to crash } } diff --git a/Protector/Protector.vcxproj b/Protector/Protector.vcxproj index b8e4ec9..0794366 100644 --- a/Protector/Protector.vcxproj +++ b/Protector/Protector.vcxproj @@ -76,6 +76,7 @@ true WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) true + Async Console @@ -90,6 +91,7 @@ true WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) true + Async Console
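Review bot: The message added in the process-name loop uses the `DETECTED/WINDOW/` prefix although it reports a blacklisted process from the Toolhelp snapshot, not a window; `printf("DETECTED/PROCESS/Blacklisted process has been found. name: %ws\n", pe32.szExeFile);` keeps the categories distinct for whatever parses these lines. With the `return;` added to `CheckProcess` in the previous hunk this loop is currently unreachable, so the line does not execute until that return is removed. The enclosing loop starts before this hunk.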
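Review bot: Each new printf in `CheckThreadWorking` is immediately followed by `__debugbreak()`, which terminates the process when no debugger is attached, so when stdout is redirected to a file or pipe (fully buffered) the `DETECTED/SUSPEND_THREAD/...` line is still in the stdio buffer and is lost with the crash. Add `fflush(stdout);` after each printf, or route the four identical blocks through one helper that prints, flushes and then breaks, which also removes the repetition. The `@@ -49` hunk above replaces `//TODO: Send log to server.` with a printf, so the server-logging intent is no longer recorded anywhere in `AntiCodeIntegrityThread`; keep the TODO next to the new line if that is still planned.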