From ca6e6bee6598d208e6ecfacc4691b4864bc6c4cf Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Thu, 1 Dec 2022 14:55:46 -0500
Subject: [PATCH] Add yield bypass
---
 C/AntiDebugPlugin/KernelApis.h | 1 +
 C/AntiDebugPlugin/dllmain.cpp | 15 ++++++++++++---
 C/LogSyscallsPlugin/dllmain.cpp | 7 ++++++-
 C/LogSyscallsPlugin/probedefs.h | 19 +++++++++++++++++++
 C/STrace/driver.cpp | 2 +-
 5 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/C/AntiDebugPlugin/KernelApis.h b/C/AntiDebugPlugin/KernelApis.h
index bbb287f..60d9e1f 100644
--- a/C/AntiDebugPlugin/KernelApis.h
+++ b/C/AntiDebugPlugin/KernelApis.h
@@ -99,6 +99,7 @@ typedef CCHAR KPROCESSOR_MODE;
 #define OBJ_VALID_ATTRIBUTES 0x00001FF2L
 #define STATUS_END_OF_FILE ((NTSTATUS)0xC0000011L)
+#define STATUS_NO_YIELD_PERFORMED ((NTSTATUS)0x40000024L)
 #define InitializeObjectAttributes( p, n, a, r, s ) { \
 (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
diff --git a/C/AntiDebugPlugin/dllmain.cpp b/C/AntiDebugPlugin/dllmain.cpp
index e9bb341..59cbc3f 100644
--- a/C/AntiDebugPlugin/dllmain.cpp
+++ b/C/AntiDebugPlugin/dllmain.cpp
@@ -127,6 +127,7 @@ extern "C" __declspec(dllexport) void StpInitialize(PluginApis& pApis) {
 g_Apis.pSetCallback("QuerySystemInformation", PROBE_IDS::IdQuerySystemInformation);
 g_Apis.pSetCallback("OpenProcess", PROBE_IDS::IdOpenProcess);
 g_Apis.pSetCallback("SystemDebugControl", PROBE_IDS::IdSystemDebugControl);
+ g_Apis.pSetCallback("YieldExecution", PROBE_IDS::IdYieldExecution);
 NTSTATUS status = PsCreateSystemThread(&g_hGlobalPollThrd,(ACCESS_MASK)0,NULL,(HANDLE)0,NULL,GlobalPollThread,NULL);
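Review bot: The new `STATUS_NO_YIELD_PERFORMED` define carries no comment saying that it is an informational, success-class status (NT_SUCCESS holds for it), which is exactly the property the anti-debug stub relies on when it hands it back in place of a real yield; the neighbouring `STATUS_END_OF_FILE` is an error-class value, so a reader can easily assume the same here. Suggest `// informational (NT_SUCCESS holds): what NtYieldExecution returns when no other thread was ready to run` on the line above the define. The value itself matches the public ntstatus.h definition.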
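Review bot: `PROBE_IDS::IdYieldExecution` is referenced on the new `pSetCallback` line, but none of the five files in this patch adds that enumerator, so the build depends on it already existing in the AntiDebugPlugin's probe-id list; worth confirming, since the only probedefs change here is in LogSyscallsPlugin. As with the neighbouring registrations, the result of `pSetCallback` is discarded, so if it can report failure (cannot be told from here) a rejected registration would silently leave NtYieldExecution unhooked while the rest of the bypass appears active; logging that outcome here would make it visible. `StpInitialize` continues outside the hunk.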
@@ -234,12 +235,12 @@ allocated if the case is taken. This basically is a technique to declare a globa
 #define NEW_SCOPE(code) [&]() DECLSPEC_NOINLINE { code }()
 // no change to retval
-DECLSPEC_NOINLINE void noop() {
+DECLSPEC_NOINLINE void NTAPI noop() {
 volatile uint64_t noop = 0x1337;
 }
 // Do same checks as original, but otherwise nothing except say ok
-DECLSPEC_NOINLINE NTSTATUS NoopNtSetInformationThread(
+DECLSPEC_NOINLINE NTSTATUS NTAPI NoopNtSetInformationThread(
 HANDLE ThreadHandle,
 THREADINFOCLASS ThreadInformationClass,
 PVOID ThreadInformation,
@@ -290,7 +291,7 @@ DECLSPEC_NOINLINE NTSTATUS NoopNtSetInformationThread(
 return STATUS_SUCCESS;
 }
-DECLSPEC_NOINLINE NTSTATUS noop_openprocess_accessdenied(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId) {
+DECLSPEC_NOINLINE NTSTATUS NTAPI noop_openprocess_accessdenied(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId) {
 if (ProcessHandle) {
 HANDLE newValue = 0;
 g_Apis.pTraceAccessMemory(&newValue, (ULONG_PTR)ProcessHandle, sizeof(newValue), 1, false);
@@ -313,6 +314,10 @@ DECLSPEC_NOINLINE NTSTATUS NTAPI NoopNtSystemDebugControl(
 return STATUS_ACCESS_DENIED;
 }
+DECLSPEC_NOINLINE NTSTATUS NTAPI NoopNtYieldExecutionFail() {
+ return STATUS_NO_YIELD_PERFORMED;
+}
+
 void LogAntiDbg(const char* Msg, CallerInfo& callerinfo) {
 LOG_INFO("[ANTI-DBG]%s\n", Msg);
 PrintStackTrace(callerinfo);
@@ -482,6 +487,10 @@ extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32
 LogAntiDbg("NtSystemDebugControl", callerinfo);
 ctx.redirect_syscall((uint64_t)&NoopNtSystemDebugControl);
 break;
+ case PROBE_IDS::IdYieldExecution:
+ LogAntiDbg("NtYieldExecution", callerinfo);
+ ctx.redirect_syscall((uint64_t)&NoopNtYieldExecutionFail);
+ break;
 default:
 break;
 }
diff --git a/C/LogSyscallsPlugin/dllmain.cpp b/C/LogSyscallsPlugin/dllmain.cpp
index 919eaaa..6422678 100644
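Review bot: `NoopNtYieldExecutionFail` has no comment explaining its return value, unlike the sibling stubs above it (`// Do same checks as original, but otherwise nothing except say ok`), and the choice is non-obvious because `STATUS_NO_YIELD_PERFORMED` is a success-class code rather than a failure. Suggest `// Stand-in for NtYieldExecution: report that no other thread was ready (STATUS_NO_YIELD_PERFORMED is informational, NT_SUCCESS holds) without actually yielding` above the definition. The `Fail` suffix is misleading for the same reason; `NoopNtYieldExecution` would match `NoopNtSystemDebugControl` and the other stubs.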
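Review bot: The new `case PROBE_IDS::IdYieldExecution` calls `LogAntiDbg`, which prints a stack trace (`PrintStackTrace(callerinfo)` in the hunk above), on every NtYieldExecution from the target; unlike the other probes in this switch, NtYieldExecution is likely hit constantly by ordinary spin-waits and SwitchToThread loops, so this would flood the log and add noticeable overhead to the traced process rather than flag a single anti-debug check. Consider logging only the first occurrence per process, or rate-limiting, before calling `LogAntiDbg`, while keeping the `redirect_syscall` unconditional. Redirecting unconditionally also means the target never actually yields, which changes timing for benign callers; a comment stating that trade-off at the case label would help. `StpCallbackEntry` starts and ends outside the hunk.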
--- a/C/LogSyscallsPlugin/dllmain.cpp
+++ b/C/LogSyscallsPlugin/dllmain.cpp
@@ -980,7 +980,7 @@ void LiveKernelDump(LiveKernelDumpFlags flags)
 }
 extern "C" __declspec(dllexport) bool StpIsTarget(CallerInfo & callerinfo) {
- if (strcmp(callerinfo.processName, "a.exe") == 0) {
+ if (strcmp(callerinfo.processName, "BasicHello.exe") == 0) {
 return true;
 }
 return false;
@@ -1017,6 +1017,11 @@ extern "C" __declspec(dllexport) void StpCallbackEntry(ULONG64 pService, ULONG32
 for (uint64_t type_id : argTypes) {
 uint64_t argValue = ctx.read_argument(argIdx);
 switch (type_id) {
+ case get_type_id():
+ PRINTER(
+ string_printf(argsString, sprintf_tmp_buf, "%d - MEM_INFO: %s %d", argIdx, get_enum_value_name(argValue), argValue);
+ );
+ break;
 case get_type_id():
 PRINTER(
 string_printf(argsString, sprintf_tmp_buf, "%d - BOOLEAN: %s", argIdx, argValue ? "TRUE" : "FALSE");
diff --git a/C/LogSyscallsPlugin/probedefs.h b/C/LogSyscallsPlugin/probedefs.h
index 4a0c78d..577c7a8 100644
--- a/C/LogSyscallsPlugin/probedefs.h
+++ b/C/LogSyscallsPlugin/probedefs.h
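Review bot: The target filter on the changed line is still a hard-coded image name compared with case-sensitive `strcmp`; Windows image names are case-insensitive, so a process launched as `BASICHELLO.EXE` (constructed example) would not be traced. `_stricmp` would match the platform's semantics, and taking the name from configuration at load time rather than from the binary would avoid rebuilding the plugin for every test target, which this commit's `a.exe` to `BasicHello.exe` edit illustrates. `StpIsTarget` lies entirely inside the hunk.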
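Review bot: In the new `MEM_INFO` case, `argValue` is a `uint64_t` (declared two lines above) but is printed with `%d`, so the value is truncated to 32 bits and the argument/specifier mismatch is undefined behaviour in printf-style formatting; use `"%d - MEM_INFO: %s %llu"` (or cast to the enum's underlying width). If `get_enum_value_name` yields a null pointer for values outside the enum (an unknown or newer class; cannot be confirmed from here), the `%s` would dereference it, and a fallback string on the lookup miss would make the printer safe for exactly the values a tracer most needs to see. The template arguments on `get_type_id` and `get_enum_value_name` appear to have been stripped in this rendering of the patch, so both case labels read identically here. `StpCallbackEntry` starts and ends outside the hunk.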
@@ -536,6 +536,25 @@ enum class VIRTUAL_MEMORY_INFORMATION_CLASS
 MaxVmInfoClass
 };
+enum class MEMORY_INFORMATION_CLASS
+{
+ MemoryBasicInformation, // MEMORY_BASIC_INFORMATION
+ MemoryWorkingSetInformation, // MEMORY_WORKING_SET_INFORMATION
+ MemoryMappedFilenameInformation, // UNICODE_STRING
+ MemoryRegionInformation, // MEMORY_REGION_INFORMATION
+ MemoryWorkingSetExInformation, // MEMORY_WORKING_SET_EX_INFORMATION // since VISTA
+ MemorySharedCommitInformation, // MEMORY_SHARED_COMMIT_INFORMATION // since WIN8
+ MemoryImageInformation, // MEMORY_IMAGE_INFORMATION
+ MemoryRegionInformationEx, // MEMORY_REGION_INFORMATION
+ MemoryPrivilegedBasicInformation,
+ MemoryEnclaveImageInformation, // MEMORY_ENCLAVE_IMAGE_INFORMATION // since REDSTONE3
+ MemoryBasicInformationCapped, // 10
+ MemoryPhysicalContiguityInformation, // MEMORY_PHYSICAL_CONTIGUITY_INFORMATION // since 20H1
+ MemoryBadInformation, // since WIN11
+ MemoryBadInformationAllProcesses, // since 22H1
+ MaxMemoryInfoClass
+};
+
 enum class PROCESSINFOCLASS : UINT32
 {
 ProcessBasicInformation, // q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
diff --git a/C/STrace/driver.cpp b/C/STrace/driver.cpp
index 5429710..e3d1e3b 100644
--- a/C/STrace/driver.cpp
+++ b/C/STrace/driver.cpp
@@ -186,7 +186,7 @@ extern "C" __declspec(dllexport) void StpCallbackReturn(ULONG64 pService, ULONG3
 if (KeGetCurrentIrql() > DISPATCH_LEVEL) {
 return;
 }
-
+
 TraceSystemApi->EnterProbe();
 if (!TraceSystemApi->isCallFromInsideProbe()) {
 TLSData* ptlsData = TraceSystemApi->getRawTLSData();
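Review bot: `MEMORY_INFORMATION_CLASS` is declared without an underlying type, while the adjacent `PROCESSINFOCLASS : UINT32` fixes one; since these values arrive as a `uint64_t` syscall argument and are mapped back to names, pinning the width with `enum class MEMORY_INFORMATION_CLASS : UINT32` makes the expected range explicit and keeps the two declarations consistent. The per-enumerator comments recording the Windows release that introduced each class are useful for a tracer; `MemoryPrivilegedBasicInformation` is the one entry left without a comment, and a short `// undocumented` or the struct it takes would complete the list. Whether the name-lookup helper depends on the underlying type cannot be told from this hunk.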