x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

- added x64 API patches

This commit is contained in:
mr.exodia 2014-03-05 00:01:24 +01:00
parent 9502654a71
commit 87e9e7c461
1 changed files with 80 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
TitanEngine/Global.Engine.Hider.cpp
View File

@ -19,13 +19,9 @@ static bool isAtleastVista()
return isAtleastVista;
}
static bool isWindows64() //TODO: unclear behaviour, will return true when on wow64, but should not return true, because the system structures are x32 in that case
//TODO: unclear behaviour, will return true when on wow64, but should not return true, because the system structures are x32 in that case
static bool isWindows64()
{
#ifdef _WIN64
return true;
#else
return false;
#endif;
SYSTEM_INFO si = {0};
typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
@ -42,19 +38,48 @@ static bool isWindows64() //TODO: unclear behaviour, will return true when on wo
return (si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64);
}
void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
static void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide, bool x64)
{
const BYTE patchCheckRemoteDebuggerPresent[5] =
const BYTE patchCheckRemoteDebuggerPresent32[5] =
{
0x33, 0xC0, //XOR EAX,EAX
0xC2, 0x08, 0x00
}; //RETN 0x8
0xC2, 0x08, 0x00 //RETN 0x8
};
const BYTE patchGetTickCount32[3] =
{
0x33, 0xC0, //XOR EAX,EAX
0xC3 //RETN
};
const BYTE patchCheckRemoteDebuggerPresent64[6] =
{
0x48, 0x31, 0xC0, //XOR RAX,RAX
0xC2, 0x08, 0x00 //RETN 0x8
};
const BYTE patchGetTickCount64[4] =
{
0x48, 0x31, 0xC0, //XOR RAX,RAX
0xC3 //RETN
};
const BYTE patchGetTickCount[3] =
const BYTE* patchCheckRemoteDebuggerPresent;
int patchCheckRemoteDebuggerPresentSize;
const BYTE* patchGetTickCount;
int patchGetTickCountSize;
if(x64) //x64 patches
{
0x33, 0xC0, //XOR EAX,EAX
0xC3
}; //RETN
patchCheckRemoteDebuggerPresent=patchCheckRemoteDebuggerPresent64;
patchCheckRemoteDebuggerPresentSize=sizeof(patchCheckRemoteDebuggerPresent64);
patchGetTickCount=patchGetTickCount64;
patchGetTickCountSize=sizeof(patchGetTickCount64);
}
else //x86 patches
{
patchCheckRemoteDebuggerPresent=patchCheckRemoteDebuggerPresent32;
patchCheckRemoteDebuggerPresentSize=sizeof(patchCheckRemoteDebuggerPresent32);
patchGetTickCount=patchGetTickCount32;
patchGetTickCountSize=sizeof(patchGetTickCount32);
}
ULONG_PTR APIPatchAddress = 0;
DWORD OldProtect = 0;
@ -63,52 +88,46 @@ void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
if(Hide)
{
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect))
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect);
}
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect))
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, sizeof(patchGetTickCount), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, patchGetTickCountSize, &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, OldProtect, &OldProtect);
}
}
else
{
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), PAGE_EXECUTE_READWRITE, &OldProtect))
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), sizeof(patchCheckRemoteDebuggerPresent), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchCheckRemoteDebuggerPresent), OldProtect, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "CheckRemoteDebuggerPresent"), patchCheckRemoteDebuggerPresentSize, &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchCheckRemoteDebuggerPresentSize, OldProtect, &OldProtect);
}
APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS);
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), PAGE_EXECUTE_READWRITE, &OldProtect))
if (VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, PAGE_EXECUTE_READWRITE, &OldProtect))
{
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), sizeof(patchGetTickCount), &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, sizeof(patchGetTickCount), OldProtect, &OldProtect);
WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetTickCount"), patchGetTickCountSize, &ueNumberOfBytesRead);
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, patchGetTickCountSize, OldProtect, &OldProtect);
}
}
}
//Quote from The Ultimate Anti-Debugging Reference by Peter Ferrie
//Flags field exists at offset 0x0C in the heap on the 32-bit versions of Windows NT, Windows 2000, and Windows XP; and at offset 0x40 on the 32-bit versions of Windows Vista and later.
//Flags field exists at offset 0x14 in the heap on the 64-bit versions of Windows XP, and at offset 0x70 in the heap on the 64-bit versions of Windows Vista and later.
//ForceFlags field exists at offset 0x10 in the heap on the 32-bit versions of Windows NT, Windows 2000, and Windows XP; and at offset 0x44 on the 32-bit versions of Windows Vista and later.
//ForceFlags field exists at offset 0x18 in the heap on the 64-bit versions of Windows XP, and at offset 0x74 in the heap on the 64-bit versions of Windows Vista and later.
int getHeapFlagsOffset()
static int getHeapFlagsOffset(bool x64)
{
if (isWindows64())
if (x64) //x64 offsets
{
if (isAtleastVista())
{
@ -119,7 +138,7 @@ int getHeapFlagsOffset()
return 0x14;
}
}
else
else //x86 offsets
{
if (isAtleastVista())
{
@ -132,9 +151,9 @@ int getHeapFlagsOffset()
}
}
int getHeapForceFlagsOffset()
static int getHeapForceFlagsOffset(bool x64)
{
if (isWindows64())
if (x64) //x64 offsets
{
if (isAtleastVista())
{
@ -145,7 +164,7 @@ int getHeapForceFlagsOffset()
return 0x18;
}
}
else
else //x86 offsets
{
if (isAtleastVista())
{
@ -158,7 +177,7 @@ int getHeapForceFlagsOffset()
}
}
bool FixPebInProcess(HANDLE hProcess, bool Hide)
static bool FixPebInProcess(HANDLE hProcess, bool Hide)
{
PEB_CURRENT myPEB = {0};
SIZE_T ueNumberOfBytesRead = 0;
@ -197,26 +216,22 @@ bool FixPebInProcess(HANDLE hProcess, bool Hide)
myPEB64.NtGlobalFlag &= ~0x70;
#endif
heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset());
heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset());
//TODO: finish Heap Flag Anti-Anti-Debug
/*
*(ULONG*)flagPtr_ &= HEAP_GROWABLE;
*(ULONG*)forceFlagPtr_ = 0;
*/
//TODO: backup heap flags
ULONG flagPtr_=0;
ReadProcessMemory(hProcess, heapFlagsAddress, &flagPtr_, sizeof(ULONG), 0);
ULONG forceFlagPtr_=0;
ReadProcessMemory(hProcess, heapForceFlagsAddress, &forceFlagPtr_, sizeof(ULONG), 0);
#ifdef _WIN64
heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(true));
heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(true));
#else
heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset(false));
heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset(false));
#endif //_WIN64
ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
ReadProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0);
flagPtr_&=HEAP_GROWABLE;
forceFlagPtr_=0;
heapFlags&=HEAP_GROWABLE;
heapForceFlags=0;
WriteProcessMemory(hProcess, heapFlagsAddress, &flagPtr_, sizeof(ULONG), 0);
WriteProcessMemory(hProcess, heapForceFlagsAddress, &forceFlagPtr_, sizeof(ULONG), 0);
WriteProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(DWORD), 0);
WriteProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(DWORD), 0);
}
else
{
@ -234,11 +249,9 @@ bool FixPebInProcess(HANDLE hProcess, bool Hide)
WriteProcessMemory(hProcess, AddressOfPEB64, (void*)&myPEB64, sizeof(PEB64), &ueNumberOfBytesRead);
}
#endif
return true;
}
}
return false;
}
@ -250,11 +263,12 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
{
if(PatchAPILevel == UE_HIDE_BASIC)
{
#ifndef _WIN64
FixAntidebugApiInProcess32(hProcess, Hide);
#ifdef _WIN64
FixAntidebugApiInProcess(hProcess, Hide, true);
#else
FixAntidebugApiInProcess(hProcess, Hide, false);
#endif
}
return true;
}
}
@ -263,10 +277,9 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
}
#ifndef _WIN64
typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
bool IsThisProcessWow64()
{
typedef BOOL (WINAPI * tIsWow64Process)(HANDLE hProcess,PBOOL Wow64Process);
BOOL bIsWow64 = FALSE;
tIsWow64Process fnIsWow64Process = (tIsWow64Process)GetProcAddress(GetModuleHandleA("kernel32.dll"), "IsWow64Process");
@ -277,5 +290,4 @@ bool IsThisProcessWow64()
return (bIsWow64 != FALSE);
}
#endif