Exetools
#1
03-04-2015, 17:37
Insid3Code
Join Date: May 2013
Location: Algeria
Posts: 80
Using RtlAdjustPrivilege to detect debugger.

A basic way using RtlAdjustPrivilege to detect the debugger (OllyDbg and IDA demo 6.6)

As usual, though not enabled by default for every debugger, the debugger must acquire the debug privilege to work at its full capacity.
The snippet is simple and probably already in use, but I wrote it as simply as possible to get clear ASM code inside the debugger.

RtlAdjustPrivilege: Enables or disables a privilege from the calling thread or process.

Code:
NTSTATUS RtlAdjustPrivilege(
    ULONG    Privilege,     // [In]  Privilege index to change.
    BOOLEAN  Enable,        // [In]  If TRUE, then enable the privilege, otherwise disable it.
    BOOLEAN  CurrentThread, // [In]  If TRUE, then adjust the calling thread, otherwise the process.
    PBOOLEAN Enabled        // [Out] Whether the privilege was previously enabled or disabled.
);

RtlAdjustPrivilege stores the previous status in a boolean variable.

Our work is to read the contents of this variable after calling RtlAdjustPrivilege with SE_DEBUG_PRIVILEGE as parameter, and of course if the status is already enabled then we likely have a debugging situation.

Code:
/*
 * -------------------------------------------------
 * Using RtlAdjustPrivilege to detect debugger.
 * Tested on (OllyDbg and IDA demo 6.6)
 * Released 03/2015.
 * [by Insid3Code from I3CT]
 * -------------------------------------------------
 */

#include <windows.h>
#include <string.h>   // memset
#include <ntdll.h>    // RtlAdjustPrivilege, SE_DEBUG_PRIVILEGE (native API header used by the author)

#ifdef _WIN64
#define captionMsg L"Application 64-bit"
#else
#define captionMsg L"Application 32-bit"
#endif

int WINAPI iWinMain() {
    // Boolean to check after calling RtlAdjustPrivilege.
    // Initialised to FALSE so a failed call cannot leave it undefined.
    BOOLEAN bPreviousPrivilegeStatus = FALSE;

    RtlAdjustPrivilege(
        SE_DEBUG_PRIVILEGE,
        FALSE,  // avoid enabling the privilege (DISABLE IT).
        FALSE,  // adjust the process token, not only the calling thread.
        &bPreviousPrivilegeStatus);

    // Check if SE_DEBUG_PRIVILEGE was already acquired, then voluntarily crash the application
    // by calling memset with an invalid pointer as parameter.
    if (bPreviousPrivilegeStatus)
        memset(NULL, 0, 1); //<-- BOOM! PADA BOOM!!!

    MessageBoxW(
        NULL,
        L"Nothing!",
        captionMsg,
        MB_ICONINFORMATION);

    return 0;
}

Attached: Source, screenshots and binary (32bit/64bit)
Attached Files
File Type: rar RtlAdjustPrivilege.rar (48.6 KB, 19 views)
#2
03-05-2015, 00:38
Archer
Join Date: Aug 2005
Posts: 229
Detection by opening the csrss process is based on a similar principle. It can be fixed by running the debuggee with a privilege-stripped token.
#3
03-05-2015, 13:35
Insid3Code
Join Date: May 2013
Location: Algeria
Posts: 80
It seems (from the Tuts4You forum) that the desired result is uncontrollable, and some conditions must be fulfilled, such as Run as administrator (UAC) and the debug privilege already being acquired by the debugger...

As mentioned by Archer, there is a similarity with detecting the debugger by trying to open the "csrss.exe" process with PROCESS_ALL_ACCESS as parameter (debug privilege needed), also limited by the same conditions mentioned above.

Code:
#include <windows.h>
#include <string.h>   // memset
#include <ntdll.h>    // NtOpenProcess, CsrGetProcessId, OBJECT_ATTRIBUTES, CLIENT_ID (native API header used by the author)

#ifdef _WIN64
#define captionMsg L"64-bit Application"
#else
#define captionMsg L"32-bit Application"
#endif

int WINAPI iWinMain() {
    HANDLE ProcessHandle = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ClientId;

    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = NULL;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

    ClientId.UniqueProcess = CsrGetProcessId(); // getting "csrss.exe" ProcessId.
    ClientId.UniqueThread = 0;

    // On failure the handle stays NULL; that is the value checked below.
    NtOpenProcess(
        &ProcessHandle,
        PROCESS_ALL_ACCESS, // This access mask needs SeDebugPrivilege for csrss.exe.
        &ObjectAttributes,
        &ClientId);

    if (ProcessHandle != NULL)
        memset(NULL, 0, 1); //<-- BOOM! PADA BOOM!!!

    MessageBoxW(
        NULL,
        L"Nothing!",
        captionMsg,
        MB_ICONINFORMATION);
    return 0;
}

To complete this topic (debug privilege), a second sample based on "csrss.exe" process handling is attached.

Regards
Attached Files
File Type: rar csrssDBG.rar (1.8 KB, 7 views)
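Added example, not code from this thread or its author: both snippets above (post #1 and post #3) only work when SeDebugPrivilege is present and enabled in the process token, so this program checks that precondition through the documented Win32 token APIs (OpenProcessToken, LookupPrivilegeValue, GetTokenInformation) instead of RtlAdjustPrivilege or an NtOpenProcess on csrss.exe, and then shows Archer's countermeasure from post #2: launching a child from a copy of the caller's token with every privilege removed (CreateRestrictedToken with DISABLE_MAX_PRIVILEGE, then CreateProcessAsUser), so a debuggee started that way never inherits SeDebugPrivilege and neither check fires. The decision function is kept portable so it can be exercised off Windows against a constructed privilege list; in that list the LUID values 20 and 23 are the well-known SeDebugPrivilege (the thread's SE_DEBUG_PRIVILEGE) and SeChangeNotifyPrivilege values, and the command line handed to the Windows launch path is a placeholder supplied by the caller.

```c
/* Added example (not from the thread): checks the precondition both anti-debug
 * snippets rely on with documented APIs, and launches a child without privileges. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <wchar.h>
#else
/* Stand-ins so the decision logic compiles and can be tested off Windows. */
typedef unsigned long DWORD;
typedef struct { DWORD LowPart; long HighPart; } LUID;
typedef struct { LUID Luid; DWORD Attributes; } LUID_AND_ATTRIBUTES;
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001UL
#define SE_PRIVILEGE_ENABLED            0x00000002UL
#endif

enum priv_state { PRIV_ABSENT = 0, PRIV_DISABLED = 1, PRIV_ENABLED = 2 };

/* Pure decision: is `target` in the token's privilege list, and is it currently enabled?
 * This is what RtlAdjustPrivilege's "previous state" output in post #1 reports. */
enum priv_state privilege_state(const LUID_AND_ATTRIBUTES *privs, DWORD count, LUID target)
{
    for (DWORD i = 0; i < count; i++) {
        if (privs[i].Luid.LowPart == target.LowPart && privs[i].Luid.HighPart == target.HighPart)
            return (privs[i].Attributes & SE_PRIVILEGE_ENABLED) ? PRIV_ENABLED : PRIV_DISABLED;
    }
    return PRIV_ABSENT;   /* not in the token at all, so it cannot be enabled */
}

/* Constructed sample token (not a real one): LUID 20 = SeDebugPrivilege (the thread's
 * SE_DEBUG_PRIVILEGE), LUID 23 = SeChangeNotifyPrivilege, which is enabled by default. */
enum priv_state constructed_sample_state(DWORD debug_attrs, int include_debug)
{
    LUID dbg = { 20, 0 };
    LUID_AND_ATTRIBUTES privs[2];
    privs[0].Luid.LowPart = 23; privs[0].Luid.HighPart = 0;
    privs[0].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
    privs[1].Luid = dbg;
    privs[1].Attributes = debug_attrs;
    return privilege_state(privs, include_debug ? 2 : 1, dbg);
}

#ifdef _WIN32
/* Read the current process token through the documented API. */
enum priv_state current_debug_privilege_state(void)
{
    HANDLE tok; DWORD len = 0; LUID dbg; TOKEN_PRIVILEGES *tp;
    enum priv_state st = PRIV_ABSENT;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok)) return PRIV_ABSENT;
    if (!LookupPrivilegeValueW(NULL, L"SeDebugPrivilege", &dbg)) { CloseHandle(tok); return PRIV_ABSENT; }
    GetTokenInformation(tok, TokenPrivileges, NULL, 0, &len);   /* first call only sizes the buffer */
    tp = (TOKEN_PRIVILEGES *)malloc(len);
    if (tp && GetTokenInformation(tok, TokenPrivileges, tp, len, &len))
        st = privilege_state(tp->Privileges, tp->PrivilegeCount, dbg);
    free(tp);
    CloseHandle(tok);
    return st;
}

/* Archer's countermeasure: start the child from a copy of our own token with every privilege
 * removed (DISABLE_MAX_PRIVILEGE keeps only SeChangeNotifyPrivilege). Because the token is a
 * restricted version of the caller's own, CreateProcessAsUser needs no SeAssignPrimaryToken here.
 * `cmdline` is a placeholder chosen by the caller. Returns 1 on success, 0 on failure. */
int spawn_without_privileges(const wchar_t *cmdline)
{
    HANDLE tok, restricted; STARTUPINFOW si; PROCESS_INFORMATION pi;
    wchar_t buf[1024]; BOOL ok;
    memset(&si, 0, sizeof si); si.cb = sizeof si;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &tok))
        return 0;
    ok = CreateRestrictedToken(tok, DISABLE_MAX_PRIVILEGE, 0, NULL, 0, NULL, 0, NULL, &restricted);
    CloseHandle(tok);
    if (!ok) return 0;
    wcsncpy(buf, cmdline, 1023); buf[1023] = L'\0';   /* CreateProcess may write into this buffer */
    ok = CreateProcessAsUserW(restricted, NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    if (ok) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }
    CloseHandle(restricted);
    return ok ? 1 : 0;
}
#endif

int main(int argc, char **argv)
{
    static const char *names[] = { "absent", "present but disabled", "enabled" };
#ifdef _WIN32
    printf("SeDebugPrivilege in this token: %s\n", names[current_debug_privilege_state()]);
    if (argc > 1) {   /* argv[1]: placeholder command line to launch with the stripped token */
        wchar_t cmd[1024];
        mbstowcs(cmd, argv[1], 1023); cmd[1023] = L'\0';
        printf("launch with privilege-stripped token: %s\n", spawn_without_privileges(cmd) ? "ok" : "failed");
    }
#else
    (void)argc; (void)argv;
    printf("constructed sample, SeDebugPrivilege held but not enabled: %s\n",
           names[constructed_sample_state(0, 1)]);
#endif
    return 0;
}
```

Run it from an elevated and a non-elevated prompt to see why post #3 says the result is uncontrollable: a non-elevated token reports "absent", an elevated one normally "present but disabled" until a debugger or another tool enables it. A debugger that wanted Archer's fix as its default would add DEBUG_PROCESS to the dwCreationFlags argument of CreateProcessAsUserW; the snippet in post #1 then reads FALSE and shows its message box, and the NtOpenProcess in post #3 fails. Note also that post #1's call, by passing Enable = FALSE, disables SeDebugPrivilege in the token as a side effect, which the same token query shows when run before and after the call.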