Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #16  
Old 02-05-2014, 06:11
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Released V0007:
- fixed a BSOD
- plugins for x64_dbg (use the command 'TitanHide')

Latest release can always be downloaded from:
https://bitbucket.org/mrexodia/titanhide/downloads

Greetings,

Mr. eXoDia
Attached Files
File Type: rar ServiceManager.rar (14.4 KB, 9 views)

Last edited by mr.exodia; 10-28-2015 at 09:11.
Reply With Quote
  #17  
Old 02-05-2014, 08:24
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
Hi
very Good and very fast ,,,I still make the test on v006 Lol
anyway.

For (TitanHideTest)
I make very tiny change ,because let this prog go in sycal make my eyes flash .
Quote:
Test: <<<<<<<<
char title[256]="";
sprintf(title, "pid: %d", (int)GetCurrentProcessId());
SetConsoleTitleA(title);
while(1)
{
printf("ProcessDebugFlags: %d\n", CheckProcessDebugFlags());
printf("ProcessDebugPort: %d\n", CheckProcessDebugPort());
printf("ProcessDebugObjectHandle: %d\n", CheckProcessDebugObjectHandle());
printf("NtQueryObject: %d\n", CheckObjectList());
printf("CheckSystemDebugger: %d\n", CheckSystemDebugger());
printf("CheckNtClose: %d\n", CheckNtClose());
//printf("ThreadHideFromDebugger: %d\n", HideFromDebugger());
puts("");
//Sleep(1000);
system("Pause"); <<<<<<
printf("\n"); <<<<<<
goto Test; <<<<<<


By the way I have checked "CheckProcessDebugFlags "

and find something go wrrong in ur x64_dbg (x32)
-CheckProcessDebugFlags come when the debugger try to handle exception which is a trap could be the coder have use it to check if u debug his software or not Like this example :Author: Dejan Lukan with my little tiny changes
Quote:
Test:
BOOL bExceptionHit = FALSE;
__try {
_asm
{
pushfd
or dword ptr [esp], 0x100
popfd
// Set the Trap Flag
// Load value into EFLAGS register
nop
}
}
__except(EXCEPTION_EXECUTE_HANDLER) {
bExceptionHit = TRUE;

// An exception has been raised ¨C
// there is no debugger.
}

if (bExceptionHit == FALSE)
printf("A debugger is present.n");
else
printf("There is no debugger present.n");

/* wait */
getchar();
system("Pause");
goto Test;

return 0;
anyway in olly u can Ignore this exception and make the software handle this exception ,but it ur Deubger x64_dbg (x32) ,I think ur deubgger not see this exception at all and not mention it at command bar and pass it so the the
CheckProcessDebugFlags =1 in ur Deubgger .
Lol alot of lab lab ,sorry for bother u .

anyway my Advice is to not ram this (CheckProcessDebugFlags) in Kernel mode ,let keep it in user mode by the debugger it self ,that my opinion .

Thanks again for ur Good work .
Attached Files
File Type: rar TitanHideTest.rar (9.8 KB, 2 views)
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
The Following 2 Users Gave Reputation+1 to ahmadmansoor For This Useful Post:
mr.exodia (02-05-2014), Zipdecode (02-05-2014)
  #18  
Old 02-05-2014, 10:27
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
kernel32!CloseHandle

My friend and about kernel32!CloseHandle it is the same for CheckProcessDebugFlags by Keeping it in User Mode insted of Kernel mode
because some times we need to check this API for other prog so it is not good to make it in Kernel mode ( I think )
Quote:
http://www.symantec.com/connect/articles/windows-anti-debug-reference
(5) kernel32!CloseHandle and NtClose

APIs making user of the ZwClose syscall (such as CloseHandle, indirectly) can be used to detect a debugger. When a process is debugged, calling ZwClose with an invalid handle will generate a STATUS_INVALID_HANDLE (0xC0000008) exception.

As with all anti-debugs that rely on information made directly available from the kernel (therefore involving a syscall), the only proper way to bypass the "CloseHandle" anti-debug is to either modify the syscall data from ring3, before it is called, or set up a kernel hook.

This anti-debug, though extremely powerful, does not seem to be widely used by malicious programs.
example
Quote:
__try {
CloseHandle((HANDLE)0x1953);
} __except(1) {
return TRUE;
}

return FALSE;
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
The Following User Gave Reputation+1 to ahmadmansoor For This Useful Post:
mr.exodia (02-05-2014)
  #19  
Old 02-05-2014, 18:42
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@ahmadmansoor: How would you fool NtQueryInformationProcess without being in kernel mode? I tried NtSetInformationProcess with the DebugFlag, but I don't think it worked very well...

Notice that not every process is hidden, just the PID you specify.

I agree with you on NtClose though, it could affect performance very badly, if it is done incorrectly. But because it is now an SSDT hook (and later I will also use direct pointers to the original API) it is just a call & check if the current PID is hidden (simple lookup), which doesn't slow down the program.

About the trap flag: I will check this, I think I forward all the non-debugger exceptions to the program (by calling ContinueDebugEvent with the DBG_CONTINUE flag), but I didn't check this for all exceptions yet (GUARD_PAGE for example is now automatically forwarded to the application when it is no memory breakpoint).

Do you have an example for NtClose on x64? I tried many things, but it doesn't seem to work as an anti-debug trick.

Greetings,

Mr. eXoDia
Reply With Quote
  #20  
Old 02-06-2014, 02:42
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hi,

I tested this trap flag example, the exception gets reported as first chance (this is supposed to happen for all exceptions) and when you run again, the debugger is NOT detected, which means the exception was forwarded to the application.

The closehandle trick indeed detects x32_dbg... but that's because it forwards the exception to the program (as it's supposed to), but you could write a simple plugin that skips all STATUS_INVALID_HANDLE exceptions (by calling TitanEngine's SetNextContinueStatus function).

What kind of idea(s) do you have for 'keeping things in usermode'? I looked a little around, but it's not possible without hooking in usermode, something I want to avoid.

Greetings
Reply With Quote
  #21  
Old 02-06-2014, 04:38
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
Post

hi
this is a Quick solution .
http://fy.chalmers.se/~appro/LD_*-gallery/WINLOGOUT.c

Pls read this too:
http://forum.sysinternals.com/howto-...opic18892.html

So we need to work Get this
ZwDuplicateObject,ZwQueryInformationProcess,ZwQuerySystemInformation
quotation:
An unusual aspect of calling NtQuerySystemInformation with SystemHandleInformation is that if you supply a buffer which is too small, it returns STATUS_INFO_LENGTH_MISMATCH (0xc0000004) instead of giving you the correct buffer size in ReturnLength. This means you will have to guess the buffer size. A common technique is to call NtQuerySystemInformation in a loop until it succeeds with STATUS_SUCCESS (0), reallocating and doubling the buffer size each time it fails with STATUS_INFO_LENGTH_MISMATCH.

/* Dump processes and find this session's CSRSS.EXE */
Let get PID of CSRSS.EXE
then retrieve of ZwQuerySystemInformation and go in a Loop to get compare with STATUS_INFO_LENGTH_MISMATCH ,untill it is not equel
quotation:
After you have the list of handles, you will probably want to get the types and names of the handles. There is no way to do this without duplicating the handle into your own process, so we can do that using DuplicateHandle (NOTE: in the source code I use NtDuplicateObject, but it's the same idea)

after we get a valid not equel STATUS_INFO_LENGTH_MISMATCH
then we go throu this handle table and check OpenProcess if it is not Null
then Close this Handle I think .
By the way mr.exodia I think u don't have to give this care about CloseHandle
because a very rare Protector use this technical .
so it is not a big deal at all ,This is my Opinion .
Attached Files
File Type: rar WINLOGOUT.rar (229.5 KB, 4 views)
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
  #22  
Old 02-06-2014, 05:39
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hm,

So I would have to enum all handles in order to check if the used handle is valid? Maybe it's easier to remove the exception that is added to the chain after a process to hide and an exception is found.

Maybe it's possible to use NtDuplicateHandle to check if the handle is valid??

I will check all this.

Greetings
Reply With Quote
  #23  
Old 02-06-2014, 06:20
mcp mcp is offline
Friend
 
Join Date: Dec 2011
Posts: 73
Rept. Given: 4
Rept. Rcvd 12 Times in 11 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 35 Posts
mcp Reputation: 12
@mr.exodia
You might want to look at the implementation of NtClose in ntoskrnl.exe. AFAIR, NtClose raises an exception by means of a user mode call back through ntdll (KiRaiseUserExceptionDispatcher). If you need help with that, just ping me and I'll jump in if you like

@Ahmadmansoor
Not sure if the code you suggested makes sense for the NtClose anti debugging trick since that technique works by closing an invalid handle, so there is no point in enumerating all system handles, no?

Btw, I do agree that NtClose is not really critical, since any decent debugger should allow you to simply swallow the exception and continue execution. As a consequence, the debuggee won't even notice that NtClose raised an exception.
However, VMProtect uses it, so one could argue that this "trick" is somewhat common.

Last edited by mcp; 02-06-2014 at 06:29.
Reply With Quote
The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (02-08-2014)
  #24  
Old 02-06-2014, 06:34
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@mcp: yea, my previous implementation was to hook this callback function (returning directlt when the exception came from ntclose), but it doesnt seem like a clean way.

Jump in if you want I can give yoy write accws to the repo if yoy want

Greetings
Reply With Quote
  #25  
Old 02-06-2014, 07:22
mcp mcp is offline
Friend
 
Join Date: Dec 2011
Posts: 73
Rept. Given: 4
Rept. Rcvd 12 Times in 11 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 35 Posts
mcp Reputation: 12
After quickly looking at ntsokrnl.exe in IDA it seems that the function that raises the exception in user mode is indeed KeRaiseUserException (which in turn redirects control flow via the trap frame to its user mode equivalent: KiRaiseUserExceptionDispatcher in ntdll, which in turn will simply call the RaiseException user mode API IIRC).

So the control flow actually works like this:
When NtClose is invoked it will actually let ObpCloseHandle do all the dirty work. This function does some checks on the handle, and the current process state and then attempts to close the given handle.
This function will then invoke KeRaiseUserException if the given handle is invalid, was passed in from user mode (and is not a process/thread handle), and the debug port in PEPROCESS of the current process is set. So by setting this flag to NULL, you should be able to silence the exception in user mode.
However, I'm not sure what other side effects this might have! Does the debugger continue to work afterwards? That would require some testing I guess ;-)
Reply With Quote
The Following User Gave Reputation+1 to mcp For This Useful Post:
mr.exodia (02-08-2014)
  #26  
Old 02-08-2014, 20:59
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@mcp:

Today I tested setting the DebugPort to 0 in the PEPROCESS structure, it works fine like this:
Code:
ULONG pid=(ULONG)PsGetCurrentProcessId();
    NTSTATUS ret;
    if(HiderIsHidden(pid, HideNtClose))
    {
        Log("[TITANHIDE] NtClose by %d\n", pid);
        PVOID OldDebugPort=SetDebugPort(PsGetCurrentProcess(), 0);
        ret=NtClose(Handle);
        SetDebugPort(PsGetCurrentProcess(), OldDebugPort);
    }
    else
        ret=NtClose(Handle);
There is however a problem, which is that the EPROCESS structure according to http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html doesn't seem to work on windows XP (it's a vista structure definition). I think I need to install every OS to check the structure definitions using WinDbg...

And about:
Quote:
Btw, I do agree that NtClose is not really critical, since any decent debugger should allow you to simply swallow the exception and continue execution. As a consequence, the debuggee won't even notice that NtClose raised an exception.
I don't agree at all, a decent debugger passes all unhandled exceptions back to the original program. It would be easy to detect if a debugger doesn't pass the 0xC0000008 exception, by simply throwing it yourself. It would require hooking NtClose in usermode for this trick to work and hooking in usermode is something I want to avoid.

Greetings
Reply With Quote
  #27  
Old 02-08-2014, 21:48
Insid3Code's Avatar
Insid3Code Insid3Code is offline
Family
 
Join Date: May 2013
Location: Algeria
Posts: 84
Rept. Given: 47
Rept. Rcvd 60 Times in 30 Posts
Thanks Given: 24
Thanks Rcvd at 108 Times in 56 Posts
Insid3Code Reputation: 60
Quote:
There is however a problem, which is that the EPROCESS structure according to http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html doesn't seem to work on windows XP (it's a vista structure definition). I think I need to install every OS to check the structure definitions using WinDbg...
Windows XP SP3 X86
0x0BC DebugPort
Windows 7 SP1 X86
0x0EC DebugPort
Windows 7 SP1 X64
0x1F0 DebugPort
__________________
Computer Forensics
Reply With Quote
The Following User Gave Reputation+1 to Insid3Code For This Useful Post:
mr.exodia (02-08-2014)
  #28  
Old 02-08-2014, 22:08
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@Insid3Code: Thanks! I will add these to the function...

Greetings
Reply With Quote
  #29  
Old 02-08-2014, 23:49
mr.exodia mr.exodia is offline
Retired Moderator
 
Join Date: Nov 2011
Posts: 784
Rept. Given: 492
Rept. Rcvd 1,122 Times in 305 Posts
Thanks Given: 90
Thanks Rcvd at 711 Times in 333 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Also found these:
Vista x86: 0xD4
Vista x64: 0x150
xp x86: 0xBC
xp x64: 0x148

Last edited by mr.exodia; 02-08-2014 at 23:57.
Reply With Quote
  #30  
Old 02-09-2014, 01:36
mcp mcp is offline
Friend
 
Join Date: Dec 2011
Posts: 73
Rept. Given: 4
Rept. Rcvd 12 Times in 11 Posts
Thanks Given: 7
Thanks Rcvd at 47 Times in 35 Posts
mcp Reputation: 12
Well, you can of course throw the exception yourself to test if this exception is always swallowed. However, I don't know any malware/packer that does this, so right now one could argue that hooking NtClose is more of a "comfort feature" than a requirement for an anti-anti-debugging plugin/driver. Issue is that the offset is very much kernel dependent, and therefore dealing with NtClose is quite brittle.
Anyways, glad, the DebugPort patching works ;-)
Reply With Quote
Reply

Tags
driver, hiding, ssdt, titanhide, x64

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 18:21.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )