Add yield bypass

mandiant · Dec 1, 2022 · ca6e6be · ca6e6be
1 parent b3cb96c
commit ca6e6be
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 5 deletions.
diff --git a/C/AntiDebugPlugin/KernelApis.h b/C/AntiDebugPlugin/KernelApis.h
@@ -99,6 +99,7 @@ typedef CCHAR KPROCESSOR_MODE;
 #define OBJ_VALID_ATTRIBUTES                0x00001FF2L
 
 #define STATUS_END_OF_FILE               ((NTSTATUS)0xC0000011L)
+#define STATUS_NO_YIELD_PERFORMED        ((NTSTATUS)0x40000024L)
 
 #define InitializeObjectAttributes( p, n, a, r, s ) { \
     (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \

diff --git a/C/AntiDebugPlugin/dllmain.cpp b/C/AntiDebugPlugin/dllmain.cpp
@@ -127,6 +127,7 @@ extern "C" __declspec(dllexport) void StpInitialize(PluginApis& pApis) {
     g_Apis.pSetCallback("QuerySystemInformation", PROBE_IDS::IdQuerySystemInformation);
     g_Apis.pSetCallback("OpenProcess", PROBE_IDS::IdOpenProcess);
     g_Apis.pSetCallback("SystemDebugControl", PROBE_IDS::IdSystemDebugControl);
+    g_Apis.pSetCallback("YieldExecution", PROBE_IDS::IdYieldExecution);
 
     NTSTATUS status = PsCreateSystemThread(&g_hGlobalPollThrd,(ACCESS_MASK)0,NULL,(HANDLE)0,NULL,GlobalPollThread,NULL);
 
@@ -234,12 +235,12 @@ allocated if the case is taken. This basically is a technique to declare a globa
 #define NEW_SCOPE(code) [&]() DECLSPEC_NOINLINE { code }()
 
 // no change to retval
-DECLSPEC_NOINLINE void noop() {
+DECLSPEC_NOINLINE void NTAPI noop() {
     volatile uint64_t noop = 0x1337;
 }
 
 // Do same checks as original, but otherwise nothing except say ok
-DECLSPEC_NOINLINE NTSTATUS NoopNtSetInformationThread(
+DECLSPEC_NOINLINE NTSTATUS NTAPI NoopNtSetInformationThread(
     HANDLE ThreadHandle,
     THREADINFOCLASS ThreadInformationClass,
     PVOID ThreadInformation,
@@ -290,7 +291,7 @@ DECLSPEC_NOINLINE NTSTATUS NoopNtSetInformationThread(
     return STATUS_SUCCESS;
 }
 
-DECLSPEC_NOINLINE NTSTATUS noop_openprocess_accessdenied(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId) {
+DECLSPEC_NOINLINE NTSTATUS NTAPI noop_openprocess_accessdenied(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId) {
     if (ProcessHandle) {
         HANDLE newValue = 0;
         g_Apis.pTraceAccessMemory(&newValue, (ULONG_PTR)ProcessHandle, sizeof(newValue), 1, false);
@@ -313,6 +314,10 @@ DECLSPEC_NOINLINE NTSTATUS NTAPI NoopNtSystemDebugControl(
     return STATUS_ACCESS_DENIED;
 }
 
+DECLSPEC_NOINLINE NTSTATUS NTAPI NoopNtYieldExecutionFail() {
+    return STATUS_NO_YIELD_PERFORMED;
+}
+
 void LogAntiDbg(const char* Msg, CallerInfo& callerinfo) {
     LOG_INFO("[ANTI-DBG]%s\n", Msg);
     PrintStackTrace(callerinfo);
@@ -482,6 +487,10 @@ extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32
         LogAntiDbg("NtSystemDebugControl", callerinfo);
         ctx.redirect_syscall((uint64_t)&NoopNtSystemDebugControl);
         break;
+    case PROBE_IDS::IdYieldExecution:
+        LogAntiDbg("NtYieldExecution", callerinfo);
+        ctx.redirect_syscall((uint64_t)&NoopNtYieldExecutionFail);
+        break;
     default:
         break;
     }

diff --git a/C/LogSyscallsPlugin/dllmain.cpp b/C/LogSyscallsPlugin/dllmain.cpp
@@ -980,7 +980,7 @@ void LiveKernelDump(LiveKernelDumpFlags flags)
 }
 
 extern "C" __declspec(dllexport) bool StpIsTarget(CallerInfo & callerinfo) {
-	if (strcmp(callerinfo.processName, "a.exe") == 0) {
+	if (strcmp(callerinfo.processName, "BasicHello.exe") == 0) {
 		return true;
 	}
 	return false;
@@ -1017,6 +1017,11 @@ extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32
 	for (uint64_t type_id : argTypes) {
 		uint64_t argValue = ctx.read_argument(argIdx);
 		switch (type_id) {
+		case get_type_id<MY_MEMORY_INFORMATION_CLASS>():
+			PRINTER(
+				string_printf(argsString, sprintf_tmp_buf, "%d - MEM_INFO: %s %d", argIdx, get_enum_value_name<MEMORY_INFORMATION_CLASS>(argValue), argValue);
+			);
+			break;
 		case get_type_id<MY_BOOLEAN>(): 
 			PRINTER(
 				string_printf(argsString, sprintf_tmp_buf, "%d - BOOLEAN: %s", argIdx, argValue ? "TRUE" : "FALSE");

diff --git a/C/LogSyscallsPlugin/probedefs.h b/C/LogSyscallsPlugin/probedefs.h
@@ -536,6 +536,25 @@ enum class VIRTUAL_MEMORY_INFORMATION_CLASS
     MaxVmInfoClass
 };
 
+enum class MEMORY_INFORMATION_CLASS
+{
+    MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
+    MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
+    MemoryMappedFilenameInformation, // UNICODE_STRING
+    MemoryRegionInformation, // MEMORY_REGION_INFORMATION
+    MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION // since VISTA
+    MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION // since WIN8
+    MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
+    MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION
+    MemoryPrivilegedBasicInformation,
+    MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3
+    MemoryBasicInformationCapped, // 10
+    MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1
+    MemoryBadInformation, // since WIN11
+    MemoryBadInformationAllProcesses, // since 22H1
+    MaxMemoryInfoClass
+};
+
 enum class PROCESSINFOCLASS : UINT32
 {
     ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION

diff --git a/C/STrace/driver.cpp b/C/STrace/driver.cpp
@@ -186,7 +186,7 @@ extern "C" __declspec(dllexport) void StpCallbackReturn(ULONG64 pService, ULONG3
     if (KeGetCurrentIrql() > DISPATCH_LEVEL) {
         return;
     }
-
+    
     TraceSystemApi->EnterProbe();
     if (!TraceSystemApi->isCallFromInsideProbe()) {
         TLSData* ptlsData = TraceSystemApi->getRawTLSData();