diff --git a/TitanEngine/Global.Engine.Hider.cpp b/TitanEngine/Global.Engine.Hider.cpp index 8f85f9e..ce9b88e 100644 --- a/TitanEngine/Global.Engine.Hider.cpp +++ b/TitanEngine/Global.Engine.Hider.cpp @@ -19,13 +19,9 @@ static bool isAtleastVista() return isAtleastVista; } -static bool isWindows64() //TODO: unclear behaviour, will return true when on wow64, but should not return true, because the system structures are x32 in that case +//TODO: unclear behaviour, will return true when on wow64, but should not return true, because the system structures are x32 in that case +static bool isWindows64() { -#ifdef _WIN64 - return true; -#else - return false; -#endif; SYSTEM_INFO si = {0}; typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo); tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo"); @@ -42,19 +38,48 @@ static bool isWindows64() //TODO: unclear behaviour, will return true when on wo return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64); } -void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide) +static void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide, bool x64) { - const BYTE patchCheckRemoteDebuggerPresent[5] = + const BYTE patchCheckRemoteDebuggerPresent32[5] = + { + 0x33, 0xC0, //XOR EAX,EAX + 0xC2, 0x08, 0x00 //RETN 0x8 + }; + const BYTE patchGetTickCount32[3] = { 0x33, 0xC0, //XOR EAX,EAX - 0xC2, 0x08, 0x00 - }; //RETN 0x8 + 0xC3 //RETN + }; + const BYTE patchCheckRemoteDebuggerPresent64[6] = + { + 0x48, 0x31, 0xC0, //XOR RAX,RAX + 0xC2, 0x08, 0x00 //RETN 0x8 + }; + const BYTE patchGetTickCount64[4] = + { + 0x48, 0x31, 0xC0, //XOR RAX,RAX + 0xC3 //RETN + }; - const BYTE patchGetTickCount[3] = + const BYTE* patchCheckRemoteDebuggerPresent; + int patchCheckRemoteDebuggerPresentSize; + const BYTE* patchGetTickCount; + int patchGetTickCountSize; + + if(x64) //x64 patches { - 0x33, 0xC0, //XOR EAX,EAX - 0xC3 - }; //RETN + patchCheckRemoteDebuggerPresent=patchCheckRemoteDebuggerPresent64; + patchCheckRemoteDebuggerPresentSize=sizeof(patchCheckRemoteDebuggerPresent64); + patchGetTickCount=patchGetTickCount64; + patchGetTickCountSize=sizeof(patchGetTickCount64); + } + else //x86 patches + { + patchCheckRemoteDebuggerPresent=patchCheckRemoteDebuggerPresent32; + patchCheckRemoteDebuggerPresentSize=sizeof(patchCheckRemoteDebuggerPresent32); + patchGetTickCount=patchGetTickCount32; + patchGetTickCountSize=sizeof(patchGetTickCount32); + } ULONG_PTR APIPatchAddress = 0; DWORD OldProtect = 0; @@ -62,53 +87,47 @@ void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide) if(Hide) { - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect)) + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect)) { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect); } - - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect)) + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect)) { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, patchGetTickCountSize, &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, OldProtect, &OldProtect); } } else { - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect)) + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect)) { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect); } - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - - if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect)) + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect)) { - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead); - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), patchGetTickCountSize, &ueNumberOfBytesRead); + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, OldProtect, &OldProtect); } } } - //Quote from The Ultimate Anti-Debugging Reference by Peter Ferrie //Flags field exists at offset 0x0C in the heap on the 32-bit versions of Windows NT, Windows 2000, and Windows XP; and at offset 0x40 on the 32-bit versions of Windows Vista and later. //Flags field exists at offset 0x14 in the heap on the 64-bit versions of Windows XP, and at offset 0x70 in the heap on the 64-bit versions of Windows Vista and later. //ForceFlags field exists at offset 0x10 in the heap on the 32-bit versions of Windows NT, Windows 2000, and Windows XP; and at offset 0x44 on the 32-bit versions of Windows Vista and later. //ForceFlags field exists at offset 0x18 in the heap on the 64-bit versions of Windows XP, and at offset 0x74 in the heap on the 64-bit versions of Windows Vista and later. -int getHeapFlagsOffset() +static int getHeapFlagsOffset(bool x64) { - if (isWindows64()) + if (x64) //x64 offsets { if (isAtleastVista()) { @@ -119,7 +138,7 @@ int getHeapFlagsOffset() return 0x14; } } - else + else //x86 offsets { if (isAtleastVista()) { @@ -132,9 +151,9 @@ int getHeapFlagsOffset() } } -int getHeapForceFlagsOffset() +static int getHeapForceFlagsOffset(bool x64) { - if (isWindows64()) + if (x64) //x64 offsets { if (isAtleastVista()) { @@ -145,7 +164,7 @@ int getHeapForceFlagsOffset() return 0x18; } } - else + else //x86 offsets { if (isAtleastVista()) { @@ -158,7 +177,7 @@ int getHeapForceFlagsOffset() } } -bool FixPebInProcess(HANDLE hProcess, bool Hide) +static bool FixPebInProcess(HANDLE hProcess, bool Hide) { PEB_CURRENT myPEB = {0}; SIZE_T ueNumberOfBytesRead = 0; @@ -197,26 +216,22 @@ bool FixPebInProcess(HANDLE hProcess, bool Hide) myPEB64.NtGlobalFlag &= ~0x70; #endif - heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset()); - heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset()); - //TODO: finish Heap Flag Anti-Anti-Debug - - /* - *(ULONG*)flagPtr_ &= HEAP_GROWABLE; - *(ULONG*)forceFlagPtr_ = 0; - */ - //TODO: backup heap flags - ULONG flagPtr_=0; - ReadProcessMemory(hProcess, heapFlagsAddress, &flagPtr_, sizeof(ULONG), 0); - ULONG forceFlagPtr_=0; - ReadProcessMemory(hProcess, heapForceFlagsAddress, &forceFlagPtr_, sizeof(ULONG), 0); +#ifdef _WIN64 + heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(true)); + heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(true)); +#else + heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(false)); + heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(false)); +#endif //_WIN64 + ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0); + ReadProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0); - flagPtr_&=HEAP_GROWABLE; - forceFlagPtr_=0; + heapFlags&=HEAP_GROWABLE; + heapForceFlags=0; - WriteProcessMemory(hProcess, heapFlagsAddress, &flagPtr_, sizeof(ULONG), 0); - WriteProcessMemory(hProcess, heapForceFlagsAddress, &forceFlagPtr_, sizeof(ULONG), 0); + WriteProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0); + WriteProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0); } else { @@ -234,11 +249,9 @@ bool FixPebInProcess(HANDLE hProcess, bool Hide) WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead); } #endif - return true; } } - return false; } @@ -250,11 +263,12 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) { if(PatchAPILevel == UE_HIDE_BASIC) { -#ifndef _WIN64 - FixAntidebugApiInProcess32(hProcess, Hide); +#ifdef _WIN64 + FixAntidebugApiInProcess(hProcess, Hide, true); +#else + FixAntidebugApiInProcess(hProcess, Hide, false); #endif } - return true; } } @@ -263,10 +277,9 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) } #ifndef _WIN64 -typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process); - bool IsThisProcessWow64() { + typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process); BOOL bIsWow64 = FALSE; tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process"); @@ -277,5 +290,4 @@ bool IsThisProcessWow64() return (bIsWow64 != FALSE); } - #endif \ No newline at end of file