Skip to content

Commit

Permalink
#2 : 대부분 코드 수정 완료
Browse files Browse the repository at this point in the history
  • Loading branch information
@winocreative
winocreative committed Nov 13, 2023
1 parent 5c7b2d7 commit fdce5bd
Show file tree
Hide file tree
Showing 10 changed files with 2,050 additions and 12 deletions.
10 changes: 5 additions & 5 deletions Protector/AntiDebug.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,16 +37,16 @@ inline bool HypervisorDebugTriggered()
return false;
}

inline bool AntiDebugTriggered()
inline DWORD AntiDebugTriggered()
{
if (BasicDebugTriggered())
return true;
return 1;

if (HWBPDebugTriggered())
return true;
return 2;

if (HypervisorDebugTriggered())
return true;
return 3;

return false;
return 0;
}
184 changes: 182 additions & 2 deletions Protector/AntiLibrary.cpp
View file
Original file line number Diff line number Diff line change
@@ -1,18 +1,198 @@
#include <Windows.h>

#include <stdio.h>
#include <string>
#include "Utils.hpp"
#pragma comment(linker, "/INCLUDE:_tls_used") //Use TLS

typedef struct _PEB_LDR_DATA
{
ULONG Length;
BOOLEAN Initialized;
HANDLE SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
BOOLEAN ShutdownInProgress;
HANDLE ShutdownThreadId;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
typedef const UNICODE_STRING* PCUNICODE_STRING;
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
union
{
LIST_ENTRY InInitializationOrderLinks;
LIST_ENTRY InProgressLinks;
};
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
union
{
UCHAR FlagGroup[4];
ULONG Flags;
struct
{
ULONG PackagedBinary : 1;
ULONG MarkedForRemoval : 1;
ULONG ImageDll : 1;
ULONG LoadNotificationsSent : 1;
ULONG TelemetryEntryProcessed : 1;
ULONG ProcessStaticImport : 1;
ULONG InLegacyLists : 1;
ULONG InIndexes : 1;
ULONG ShimDll : 1;
ULONG InExceptionTable : 1;
ULONG ReservedFlags1 : 2;
ULONG LoadInProgress : 1;
ULONG LoadConfigProcessed : 1;
ULONG EntryProcessed : 1;
ULONG ProtectDelayLoad : 1;
ULONG ReservedFlags3 : 2;
ULONG DontCallForThreads : 1;
ULONG ProcessAttachCalled : 1;
ULONG ProcessAttachFailed : 1;
ULONG CorDeferredValidate : 1;
ULONG CorImage : 1;
ULONG DontRelocate : 1;
ULONG CorILOnly : 1;
ULONG ReservedFlags5 : 3;
ULONG Redirected : 1;
ULONG ReservedFlags6 : 2;
ULONG CompatDatabaseProcessed : 1;
} s;
} u;
USHORT ObsoleteLoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct _PEB
{
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
union
{
BOOLEAN BitField;
struct
{
BOOLEAN ImageUsesLargePages : 1;
BOOLEAN IsProtectedProcess : 1;
BOOLEAN IsImageDynamicallyRelocated : 1;
BOOLEAN SkipPatchingUser32Forwarders : 1;
BOOLEAN IsPackagedProcess : 1;
BOOLEAN IsAppContainer : 1;
BOOLEAN IsProtectedProcessLight : 1;
BOOLEAN IsLongPathAwareProcess : 1;
} s1;
} u1;

HANDLE Mutant;

PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PRTL_CRITICAL_SECTION FastPebLock;
PVOID AtlThunkSListPtr;
PVOID IFEOKey;
union
{
ULONG CrossProcessFlags;
struct
{
ULONG ProcessInJob : 1;
ULONG ProcessInitializing : 1;
ULONG ProcessUsingVEH : 1;
ULONG ProcessUsingVCH : 1;
ULONG ProcessUsingFTH : 1;
ULONG ProcessPreviouslyThrottled : 1;
ULONG ProcessCurrentlyThrottled : 1;
ULONG ReservedBits0 : 25;
} s2;
} u2;
union
{
PVOID KernelCallbackTable;
PVOID UserSharedInfoPtr;
} u3;
ULONG SystemReserved[1];
ULONG AtlThunkSListPtr32;
PVOID ApiSetMap;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[2];

PVOID ReadOnlySharedMemoryBase;
PVOID SharedData; // HotpatchInformation
PVOID* ReadOnlyStaticServerData;

PVOID AnsiCodePageData; // PCPTABLEINFO
PVOID OemCodePageData; // PCPTABLEINFO
PVOID UnicodeCaseTableData; // PNLSTABLEINFO

ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
} PEB, * PPEB;
void NTAPI TlsCallback(PVOID DllHandle, DWORD dwReason, PVOID Reserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
//Check if debugger is present
if (IsDebuggerPresent())
ExitProcess(0);
printf("Checking library %p\n", DllHandle);
}
}
#pragma data_seg(".CRT$XLX")
PIMAGE_TLS_CALLBACK p_thread_callback[] = { TlsCallback, 0 };
#pragma data_seg()

//TODO: PEB LDR -> Sign
__forceinline void CheckLibrary()
{
//get peb
#ifdef _WIN64
PPEB peb = (PPEB)__readgsqword(0x60);
#else
PPEB peb = (PPEB)__readfsdword(0x30);
#endif
//get ldr
PPEB_LDR_DATA ldr = peb->Ldr;

//loop through modules
auto head = &ldr->InLoadOrderModuleList;
for (auto curr = head->Flink; curr != head; curr = curr->Flink)
{
//get module
auto mod = CONTAINING_RECORD(curr, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

//get module name
auto path = malloc(mod->FullDllName.Length + sizeof(wchar_t));
memcpy(path, mod->FullDllName.Buffer, mod->FullDllName.Length);
((wchar_t*)path)[mod->FullDllName.Length / sizeof(wchar_t)] = 0;

std::wstring catalogFile;
std::string signType;
std::list<SIGN_NODE_INFO> SignChain;
if (!CheckFileDigitalSignature((LPCWSTR)path, NULL, catalogFile, signType, SignChain))
{
printf("Failed to check digital signature of %ws\n", path);
continue;
}
printf("file: %ws\n", path);
PrintSignatureInfo(signType, catalogFile, SignChain);
}
system("pause");
}
156 changes: 156 additions & 0 deletions Protector/AntiProcess.cpp
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,156 @@
#include "AntiProcess.hpp"
#include <Windows.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include "Utils.hpp"
typedef NTSTATUS(NTAPI* t_NtQuerySystemInformation)(_In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Out_opt_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength);
typedef NTSTATUS(NTAPI* t_NtQueryObject)(_In_opt_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_opt_ PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength);
typedef NTSTATUS(NTAPI* t_NtQueryInformationProcess)(_In_ HANDLE ProcessHandle, _In_ PROCESSINFOCLASS ProcessInformationClass, _Out_ PVOID ProcessInformation, _In_ ULONG ProcessInformationLength, _Out_opt_ PULONG ReturnLength);
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004

t_NtQuerySystemInformation NtQuerySystemInformation = (t_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
t_NtQueryObject NtQueryObject = (t_NtQueryObject)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryObject");

const wchar_t* BlacklistedWindowName[] = {
L"OllyDbg",
L"IDA Pro",
L"Cheat Engine",
L"Process Hacker",
L"Process Explorer",
L"Process Monitor"
};
const wchar_t* BlacklistedProcessName[] = {
L"ollydbg.exe",
L"idaq.exe",
L"idaq64.exe",
L"ida.exe",
L"ida64.exe",
L"Cheat Engine.exe",
L"cheatengine-x86_64.exe",
L"cheatengine-i386.exe",
L"Process Hacker.exe",
L"ProcessHacker.exe",
L"procdump.exe",
L"procmon.exe"
};

BOOL EnumWindowsCallback(HWND hWnd, LPARAM lParam)
{
wchar_t WindowName[256] = { 0 };
GetWindowTextW(hWnd, WindowName, 256);
for (int i = 0; i < sizeof(BlacklistedWindowName) / sizeof(wchar_t*); i++)
{
if (wcsstr(WindowName, BlacklistedWindowName[i]))
{
GetWindowThreadProcessId(hWnd, (LPDWORD)lParam);
return FALSE;
}
}
return TRUE;
}
__forceinline void CheckProcessHasMyHandle(void)
{
ULONG returnLength = 0;
NTSTATUS status = NtQuerySystemInformation(SystemExtendedHandleInformation, nullptr, 0, &returnLength);
if (status != STATUS_INFO_LENGTH_MISMATCH)
return;

ULONG bufferSize = returnLength;
PSYSTEM_HANDLE_INFORMATION_EX handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)malloc(bufferSize);
if (!handleInfo)
return;

status = NtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, bufferSize, &returnLength);
if (status)
{
free(handleInfo);
return;
}

//loop handles
for (int i = 0; i < handleInfo->NumberOfHandles; i++)
{
const auto& handle = handleInfo->Handles[i];

if (handle.ObjectTypeIndex == 7 && handle.UniqueProcessId != GetCurrentProcessId()) //Process
{
HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, FALSE, handle.UniqueProcessId);
if (!hProcess)
continue;
HANDLE hDupHandle = nullptr;
DuplicateHandle(hProcess, (HANDLE)handle.HandleValue, GetCurrentProcess(), &hDupHandle, 0, FALSE, 0);
if (!hDupHandle)
{
CloseHandle(hProcess);
continue;
}

//check handle access has PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION
if ((handle.GrantedAccess & PROCESS_QUERY_INFORMATION) == 0 && (handle.GrantedAccess & PROCESS_QUERY_LIMITED_INFORMATION) == 0)
{
CloseHandle(hProcess);
CloseHandle(hDupHandle);
continue;
}

if (GetProcessId(hDupHandle) != GetCurrentProcessId())
{
CloseHandle(hProcess);
CloseHandle(hDupHandle);
continue;
}
//Á¶»ç µå°¡ÀÚ.

wchar_t path[MAX_PATH] = { 0 };
GetModuleFileNameExW(hProcess, nullptr, path, MAX_PATH);

std::string signType;
std::wstring catalogFile;
std::list<SIGN_NODE_INFO> SignChain;
if (!CheckFileDigitalSignature(path, nullptr, catalogFile, signType, SignChain))
{
//TODO: Send log to server.

}

CloseHandle(hProcess);
CloseHandle(hDupHandle);
}
}
}
__forceinline void CheckProcess(void)
{
CheckProcessHasMyHandle();
DWORD detectedProcessId = 0;
EnumWindows(EnumWindowsCallback, (LPARAM)&detectedProcessId);

if (detectedProcessId)
{
//TODO: Send log to server.
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, FALSE, detectedProcessId);
if (hProcess)
{
TerminateProcess(hProcess, 0);
CloseHandle(hProcess);
}
}
PROCESSENTRY32 pe32{};
pe32.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
return;

BOOL bRet = Process32First(hSnapshot, &pe32);
while (bRet)
{
for (int i = 0; i < sizeof(BlacklistedProcessName) / sizeof(wchar_t*); i++)
{
if (wcsstr(pe32.szExeFile, BlacklistedProcessName[i]))
{
//TODO: Send log to server.
}
}
bRet = Process32Next(hSnapshot, &pe32);
}
CloseHandle(hSnapshot);
}
Loading

0 comments on commit fdce5bd

Please sign in to comment.