From 1b3aeeb8bdd728740c45b561a674091616b1964c Mon Sep 17 00:00:00 2001
From: NtQuery
Date: Tue, 4 Mar 2014 19:09:39 +0100
Subject: [PATCH] better hidedebugger code, some fixes
---
 TitanEngine/Global.Engine.Hider.cpp | 16 ++++++++++++----
 TitanEngine/TitanEngine.Hider.cpp | 10 +++-------
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/TitanEngine/Global.Engine.Hider.cpp b/TitanEngine/Global.Engine.Hider.cpp
index a5d6ddb..48f2708 100644
--- a/TitanEngine/Global.Engine.Hider.cpp
+++ b/TitanEngine/Global.Engine.Hider.cpp
@@ -19,10 +19,16 @@ static bool isAtleastVista()
 return isAtleastVista;
 }
-void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide)
+void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
 {
- const BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00};
- const BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3};
+ const BYTE patchCheckRemoteDebuggerPresent[5] = {
+ 0x33, 0xC0, //XOR EAX,EAX
+ 0xC2, 0x08, 0x00}; //RETN 0x8
+
+ const BYTE patchGetTickCount[3] = {
+ 0x33, 0xC0, //XOR EAX,EAX
+ 0xC3}; //RETN
+
 ULONG_PTR APIPatchAddress = NULL;
 DWORD OldProtect;
 SIZE_T ueNumberOfBytesRead = 0;
@@ -126,7 +132,9 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
 {
 if(PatchAPILevel == UE_HIDE_BASIC)
 {
- FixAntidebugApiInProcess(hProcess, Hide);
+#ifndef _WIN64
+ FixAntidebugApiInProcess32(hProcess, Hide);
+#endif
 }
 return true;
diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp
index dadc90d..6644f17 100644
--- a/TitanEngine/TitanEngine.Hider.cpp
+++ b/TitanEngine/TitanEngine.Hider.cpp
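Review bot: FixAntidebugApiInProcess32 is renamed as 32-bit-only, but nothing in the hunk says why; the new byte comments only name the instructions, and a reader has to know that `RETN 0x8` is stdcall callee cleanup of the two 4-byte arguments of CheckRemoteDebuggerPresent to see that these stubs cannot be applied to an x64 target. A header comment on the function such as `// x86 only: the stubs rely on stdcall callee argument cleanup (RETN 0x8), which the x64 calling convention does not have` would make the constraint explicit next to the code rather than only in the name. It is also worth stating that the CheckRemoteDebuggerPresent stub returns 0 (FALSE) without writing the caller's pbDebuggerPresent out-parameter, so a caller that tests the API's return value sees a failed call rather than "no debugger" — presumably intentional, but currently undocumented. The body of FixAntidebugApiInProcess32 continues beyond the hunk.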
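Review bot: With the new `#ifndef _WIN64` guard the UE_HIDE_BASIC branch of ChangeHideDebuggerState compiles to nothing on x64, yet the function still falls through to `return true;`, so a 64-bit caller is told the anti-debug APIs were patched when nothing was done. Either report it — add `#else` and `return false; // no x64 implementation of FixAntidebugApiInProcess32 yet` before the `#endif` — or document on the function that UE_HIDE_BASIC is a no-op in 64-bit builds; which is right depends on how callers use the return value, which is not visible here. The function's closing brace lies outside the hunk.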
@@ -5,18 +5,14 @@ // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
 {
+ typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
 ULONG RequiredLen = 0;
 void * PebAddress = 0;
 PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
- if(!myProcessBasicInformation)
+
+ if(!myProcessBasicInformation)
 return 0;
-#if !defined(_WIN64)
- typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
-#else
- typedef NTSTATUS(__fastcall *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
-#endif
-
 fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");
 if(cNtQueryInformationProcess != NULL)