api based anti-debugging using NTQueryInformationProcess

[adwiteeya agrawal]

Hello,
I am working on a review for anti-debugging techniques. So there is this particular API based technique which suggests using ntqueryinformationprocess to acces the process debug flags using run time dynamic linking. Now as per [msdn] the function takes five arguments however i get an error unless i compile it without any arguments (i also verified by looking up various websites that i was passing the arguments correctly.)  But then for a previous method which i was working on had the same problem with NtSetinformationthread. So i simply compiled it with no arguments and later modified the exe in olly to pass the arguments like this http://adwiteeya.com/blog/one-hell-of-a-debug/. But this isnt working for ntqueryinformationprocess function. I did try looking up the reason but i am not really a programmer so it would be really helpful if somebody can break this down for me. Also i have some other doubts
1. Is the handle to the current process a fixed value ? is italways equal to -2 or -1 by any chance ?
2. I always receive a pointer to ZwQueryInformationProcess or Zwsetinformationthread when looking up NTquery and Ntset. Are they same ? (because after reading about both the version on msdn i couldnt see any diff plus the Zwset worked!) ?
3. one of the parameter that was passed was > &debugFlags. To pass this i modified the code in Olly as
Lea eax,ebp+64 (because the value in hex was 64 below ebp)
push eax
4. Any bugs here :
{
    HMODULE hmod;
    FARPROC ZwQueryInformationProcess;
    int status;
    DWORD debugFlag=0;

    hmod = LoadLibrary("ntdll.dll");
    ZwQueryInformationProcess = GetProcAddress(hmod, "ZwQueryInformationProcess");

    status=(_NtQueryInformationProcess) ();
    //status = (_NtQueryInformationProcess) (-1, 0xf1, &debugFlag, 4, NULL); // 31 (0xf1)is the enum for DebugProcessFlags
    printf("ProcessDebugFlag Returned: %08X\n", debugFlag);

    if (debugFlag == 0x00000000) MessageBox(NULL, "Debugger Detected via ProcessDebugFlags", "Debugger Detected", MB_OK);
    if (debugFlag == 0x00000001) MessageBox(NULL, "No Debugger Detected", "No Debugger", MB_OK);
}
5. And also after reading on various forums i do realize that ms can change the structure for this function and this might stop working any time... but  i did try running this on xp sp2 too... plus when i actually call the function i can see the stack that all the arguments have been passed appropriately!

[Dhanesh k]

ehm, you are mixing up lot of things here:

A neat example is available here: http://www.codeproject.com/Articles/29469/Introduction-Into-Windows-Anti-Debugging

1. Handle of current process is not a fixed value, get it using GetCurrentProcess()

2. From user mode ZW and NT APIs call the same stub which does SYSENTER. Only in Kernel mode, ZW sets the previous mode as kernel, while NT calls doesn't change the mode AFAIK.

3. Look at the earlier example.

4. Lot of issues. See the example.

5. It can change. Anything XP+ should work. (Try running in a 32bit OS. Messing around WoW64 is not pretty - can easily get lost if you are looking for ant-dbg specific things).

btw: try to typedef the call/function pointer properly, rather than compiling with generic farproc and modifying in the exe every time - or doing asm inlining and spoiling the decent looking C code ;)

typedef return_type (__calling_convention *Friendly_Function_Name)(int x, char *y, ...)

Regards,
Dhanesh

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Abhay Yadav]

http://www.veracode.com/images/pdf/whitepaper_antidebugging.pdf

this link can be helpful to you...........

--
Abhay Kant Yadav
Exploit Developer
Secfence Technology
www.secfence.com

[ronnie johndas]

1, it can be -1, for now, but it is recommended to use GetCurrentProcess(), -1 is a pseudo handle and can change.

2. it is 0x1f not 0xf1.

On Tue, Jul 16, 2013 at 9:26 PM, adwiteeya agrawal <adwiteey...@gmail.com> wrote:

--

null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

--
Thanks and Regards

Ronnie Johndas

[adwiteeya agrawal]

@DAN thanks a lot, your answer was the one stop solution and it helped me much more than just the case that i talked about here.
@abhay, that's where i learned about this whole technique from.
@Ronnie yeah i had corrected that! :) Thanks anyways! :)

[ronnie johndas]

if ur researching ANti-debugs, then i wud recommend The ultimate anti-debugging reference, peter ferrie

http://pferrie.host22.com/papers/antidebug.pdf

is u have not read it already.

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Abhay Yadav]

ronnie thanks for valuable information...................
 

[adwiteeya agrawal]

Aah! Yes i do have that in my list (i downloaded it from the ledengofrandom) :)
But i am currently trying to windup first with tyler shields repository :)
thank you :)

[fubar]

-2 for getcurrentthread()

-1 for getcurrentprocess()

might as well hardcode that

NtSetInformationThread(-2,0x11,0,0);

thats it.

if you want overkill, go for manual int 2e in x86 arch and copy far jump's bytes and call them somewhere else with correct value in eax register.

and for the record NtQIP and NtSIT are very different from each other.

the former just detects and reveals the presence of debugger in a well placed structure. (can be modified by use of plugins and thwarted easily) 

the latter detects and detaches debugger which is equivalent to killing the process with olly 1.1 (most widely used). (can be modified with plugins again and thwarted)

however the latter if called from a trampoline of int2e (x86) or far jump in x64 with correct stack setup nothing would work apart from manually walking through the whole code and see where it calls the far jump.

[ronnie johndas]

int 2e doesn;t work on xp systems that he is running this on (not sure abt sp). It is a privileged instruction and will throw an exception. Replaced by sysenter. 

--

null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Abhay Yadav]

#include <stdio.h>
#include <winternl.h>
#include <Windows.h>
typedef NTSTATUS (WINAPI *pNtQueryInformationProcess)(HANDLE ,UINT ,PVOID ,ULONG , PULONG);
void main()
{
  DWORD NoDebugInherit = 0;
    NTSTATUS Status;

    // Get NtQueryInformationProcess
    pNtQueryInformationProcess NtQIP = (pNtQueryInformationProcess)
        GetProcAddress( GetModuleHandle( TEXT("ntdll.dll") ),
        "NtQueryInformationProcess" );

    Status = NtQIP(GetCurrentProcess(),
            0x1f, // ProcessDebugFlags
            &NoDebugInherit, 4, NULL);

if(NoDebugInherit == FALSE)
{
    MessageBox(NULL, TEXT("Please close your debugging application and restart the program"), TEXT("Debugger Found!"), 0);
    ExitProcess(0);
}
else
{
    MessageBox(NULL, TEXT("NO DEBUGGER!"), TEXT("NO DEBUGGER"),0);
    ExitProcess(0);
}
}

i have wrote this code check if it is correct................

i am also learning about all the anti-debugging technique...........

[Dhanesh k]

+1 Ronnie.

There are lot of issues in hardcoding values, be it handles (-1, -2) or the SYSCALL number.

From MSDN:
A pseudo handle is a special constant, currently (HANDLE)-1, that is interpreted as the current process handle. For compatibility with future operating systems, it is best to call GetCurrentProcess instead of hard-coding this constant value.

SYSCALL numbers changes in OS versions and even in SP versions. So if you are writing a hardcoded value for SYSCALL number, it may never work in newer/older OS. Windows is designed to be like that only, so that developers doesn't have to remember any SYSCALL number and just use the wrapper functions available in NTDLL, k32 , u32 etc...

Meanwhile you can have a dis-asm engine and disassemble NT* functions, get their SYSCALL number in that particular OS(in runtime), and do a SYSENTER. Too much work for a anti-dbg PoC.

Regards,
Dhanesh

On Thu, Jul 18, 2013 at 1:16 PM, ronnie johndas <ronnie....@gmail.com> wrote:

[fubar]

well i dont think that matters, every piece of binary is not meant to be executed on all new favours of windows.

and hardcoding 12 values isn't a big task for a close to complete solution. (including all sp and os versions)

also C++ and high level languages are made for code compilation, then why does metasploit uses asm?

sometimes to get results we have to go low level. i really dont think a person can not write code for 12 hardcoded values. it might be what like 120 bytes more? does that matter?

specially when its solving a problem of anti debugging.

and do not forget a person has hw bp at NtSIT so he will grab your pretty code that is disassembling NtSIT for grabbing eax value.

while hardcoding 12 values we get a good solution, i.e. no bp stopping us. and you cant think all binaries meant to execute on windows 7 will always work on win 8. everyone ships updates so there goes the fallacy in compatibility issues.

point: hardcoding does get rid of researchers and is pain in the ass if you have been debugging some samples i have been trying to reverse.

[fubar]

my point was the final transition can be grabbed and setup with correct stack. some malwares do that for api calling.

setup params and in x64 direct far jump fs:0xc0 via trampoline

setup params and in x86 depending on OS type some do int2e, some do sysenter.

This actually renders usermode sandboxes and those that do not rely on ssdt useless.

i have seen cuckoo failing on this since it just places 0xe9 (jump) and replaces first 5 bytes of main main API's for hooking and reporting.

[Dhanesh k]

I am not sure about rest of the places, but I write and I have seen people writing softwares which run on multiple versions of OS. (few times even different OS - source compatible).

Hardcoding 12 values may be trivial, but you can't guarantee your software will work in next OS or service pack. In case it is a serious software, I dont think anybody will design it like that. [aah, the updates, everybody likes updates - and everyone can push the updates before the software crashes!!!]

And why do you think metasploit is written in ASM?. It is written in Ruby. Shellcodes are written in ASM. (Converted to hex of-course)

And how many Windows shellcodes do you see that uses int2e/SYSCALL for API calling? Why does almost every reliable shellcode in Windows, grabs PEB(fs:0x30) to find k32 base addr? [some people hardcode the API addrs, and tell it to modify according to current OS/addr - that is lame though]

If you think after all the hardcoding + calling SYSENTER manually will make ur malware/application fully detect debuggers, I am sorry to say, it WONT. Just because it detects publicly available sandbox/debugger doesn't mean people have no-other way to debug those targets.

And how much time it will take to scan assembly for int2e/SYSENTER instruction. I am sure a decent disassembler can scan in couple of seconds if not in milliseconds.

(or we can do a trace if it is a SMC - you don't even need to debug for tracing - binary instrumentation[debugging is just one way of doing it]). There are ways to bypass.

I am assuming you are from malware analysis background. SSDT/IDT hooking is no more thanks to patch-guard(at least in newer version of Windows).[attack vs protection will go on, though]. IRP handler hooks still works AFAIK.

Point: hardcoding values gets rid of  some researchers, not everyone.It is neither recommended nor future proof(not even service pack future proof per say).

Regards,
Dhanesh

[Dhanesh k]

Apologies if I drag this discussion into a totally different place/level. I am pretty sure OP has got more than what he asked :).

Peace out!

Regards,
Dhanesh

[adwiteeya agrawal]

Abhay here is the working code :

#include <windows.h>
#include <stdio.h>
#include <iostream>


int main(void)
{
     typedef unsigned long (__stdcall *pfnNtQueryInformationProcess)(IN  HANDLE, IN  unsigned int, OUT PVOID, IN ULONG, OUT PULONG);

     pfnNtQueryInformationProcess NtQueryInfoProcess = NULL;
     unsigned long Ret;
     unsigned long IsRemotePresent = 0;

     HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
     NtQueryInfoProcess = (pfnNtQueryInformationProcess)
     GetProcAddress(hNtDll, "NtQueryInformationProcess");

     if(NtQueryInfoProcess == NULL)
        {
               // Handle however it fits your needs but as before,
               // if this is missing there are some SERIOUS issues with the OS
                  }
    
     Ret = NtQueryInfoProcess(GetCurrentProcess(), 0x1f, &IsRemotePresent, 4, NULL);
     if(Ret == 0x00000000 && IsRemotePresent != 1)
        {
              // Debugger is present
              MessageBox(NULL, "Please close your debugging application and restart the program","Debugger Found!", 0);
 
               ExitProcess(0);
         
          }
    return 0;
}

[fubar]

yeah sure

i am not talking about a software, its just a trick in a binary

hello! we are discussing on anti debugging, its just a trick. i personally dont think any sane person will include an anti debug trick in a corporate software. Its only meant for malwares nothing else(my POV).

metasploit is in asm? please! what i meant was implied ofcourse anyone can see its framework is in ruby but all payloads are what concerns me more because they are the core foundation of it.

[quote]Windows shellcodes do you see that uses int2e/SYSCALL for API calling[/quote]

again it was implied whatever way you want depending on OS type let it be int2e for incredibly old systems or sysenter for x86 or call fs:[0xc0] idc.

seriously? you hardcode 12 values of eax for different os and sp's thats compatible for all OS's (current) and executes correctly on reboots? how come aslr got introduced in this? aslr randomizes baseaddress on every reboot so hardcoding values are useless after reboot needless to say. how are they even related? :)

ofcourse everything is debuggable, detect API at ssdt but no user will do that as to my knowledge simply because of lack of tools. (assumption)

and i have seen malwares which do that, specifically those authors hell bent on protecting their binary. a little search in damagelabs or kernelmode would get you few samples.

[quote]And how much time it will take to scan assembly for int2e/SYSENTER instruction. I am sure a decent disassembler can scan in couple of seconds if not in milliseconds.[/quote]

oh yes someone who has gone to such pain to protect his stuff will do sysenter/fs;[0xc0] in plain sight. i think they can encode values of code and decode them at runtime and execute it. in which case i dont think any scanner would detect that unless you knew how encoded stuff is decoded and where its present which would be too late to forsee after NTSit just detached the debugger and reencoded the code at that point. for the same reason one the greatest malwares the world has ever seen Zeus's config panel couldnt be decoded just by analyzing the binary. one had to step through its calls to understand its implementation. needless to say if malware is big enough, like those which come with plethora of junk code and api calls and torbundle (>1.98Mb) task would be preposterously challenging.

[quote]SSDT/IDT hooking is no more thanks to patch-guard(at least in newer version of Windows).[attack vs protection will go on, though]. IRP handler hooks still works AFAIK.[/quote]

malware analysis are generally in xp from my POV. at least i do so everytime. and there are tools which hook ssdt to name API calls rather than doing so in usermode where war can always go on.

yes OP got what he asked for, sorry for elongation.

i dont analyze malwares when people already perform such tasks, i create them and study their tactics to protect myself.

[Dhanesh k]

I thought of not replying anymore, but as you started to quote partial and point things, I may have to do similar, not that low though :P

[quote] personally dont think any sane person will include an anti debug trick in a corporate software. Its only meant for malwares nothing else(my POV). [/quote]

You don't play much games, do you? Ever heard about DRM/copy protection???

Your POV is narrow, unfortunately.

[quote]

again it was implied whatever way you want depending on OS type let it be int2e for incredibly old systems or sysenter for x86 or call fs:[0xc0] idc.

seriously? you hardcode 12 values of eax for different os and sp's thats compatible for all OS's (current) and executes correctly on reboots? how come aslr got introduced in this? aslr randomizes baseaddress on every reboot so hardcoding values are useless after reboot needless to say. how are they even related? :)

[/quote]

Your quote from previous post: while hardcoding 12 values we get a good solution, i.e. no bp stopping us.

I am sorry, I never supported hardcoding, as I always pointed, hardcoding is bad. You only started hardcoding for all OS versions and SPs.

My quote: And how many Windows shellcodes do you see that uses int2e/SYSCALL for API calling? Why does almost every reliable shellcode in Windows, grabs PEB(fs:0x30) to find k32 base addr? [some people hardcode the API addrs, and tell it to modify according to current OS/addr - that is lame though]

That was a question: almost everybody goes for PEB while writing shellcode and dont use SYSCALL/int2e. Why? - obviously -  going with PEB is the most trusted way.

Thanks for the lecture about ASLR, I should have never guessed :P (see the bold part)

[quote]

ofcourse everything is debuggable, detect API at ssdt but no user will do that as to my knowledge simply because of lack of tools. (assumption)

[/quote]

Never saw any tools dealing with SSDT/IDT/SSSDT - you havn't seen much Kernel related tools, that doesn't mean it doesn't exist. If malware can do that, why do you think the tools are not there? its not hard to write a tool, if you can write a malware which does stuffs on SSDT or any other kernel object - just needs a interface in ring3 and all things can be done in ring 0. (If patchguard is not there of-course)

[quote]

oh yes someone who has gone to such pain to protect his stuff will do sysenter/fs;[0xc0] in plain sight. i think they can encode values of code and decode them at runtime and execute it. in which case i dont think any scanner would detect that unless you knew how encoded stuff is decoded and where its present which would be too late to forsee after NTSit just detached the debugger and reencoded the code at that point

[/quote]

You havn't seen much tracing either, never worked on instrumentation frameworks like DynamoRIO or PIN??. I have already written in the post, that if it is SMC (self modifying code), a tracer can easily figure out the next instruction - so it can look for SYSCALL/int 2e and easily bypass your encoded/encrypted code, which does on the fly encoding/decoding. it has to decrypt before executing anyway right, before executing it tracer can look at the code - never late for bypass. Too bad - your self modifying code is no good for an instruction tracer.

[quote]

one had to step through its calls to understand its implementation. needless to say if malware is big enough, like those which come with plethora of junk code and api calls and torbundle (>1.98Mb) task would be preposterously challenging

[/quote]

It is challenging to analyze the big malwares. Whats the fun if its not.

Stepping through call/ cutting the junk instructions - obfuscation - custom VM implementation - all are there, all are broken - you just need enough time, skill and custom tools. Junk codes are not much of an issue once you know what exactly to look for - creative junks are interesting though!. Again a good instruction tracer with quite complicated taint analysis will be able to cut down lot of junk on a generic target. If the target is studied manually for initial time and tailored the tracer accordingly, we can spit out the good binary easily. [It may seem like blabbering, but I have written a generic one for a CTF, it went quite well].

[quote]

malware analysis are generally in xp from my POV. at least i do so everytime. and there are tools which hook ssdt to name API calls rather than doing so in usermode where war can always go on.

[/quote]

And you talk about ASLR, nice!

Sorry for this ranted post. I am no expert either. That doesn't mean you can write your POV and expect it to be right.

Regards,

Dhanesh

[fubar]

heard of drm -> yes i am frequent in game cheating forums, thats where i get my little knowledge. haven't worked with drm and i dont intend to, so my pov. =)

neither do i support hardcoding unless its getting the solution for time being, updates are for improving funcionality and solving such mess.

going through peb for calling different api is trusted way, though if we have only one api so essential that it does a major work and i dont have to implement other techniques which can be bypassed by just changing 1 byte at  fs:0x30 +2. i would definetly go for that, but thanks for educating me about PEB's usage for calling different apis when i just tried to call NTSIT due to its importance. nevertheless i have tl;dr so i possibly missed the bold part and its importance. and the question you ask of me about hardcoding, think of all hardcoding you do in your programming. (not offsets) everyone does that to get work done where solution is unique. nvm chuck it.

[quote]talks of aslr[/quote] i don't understand how you mix two different things in one statement just to flame, when aslr was being compared to hardcoding which is hilarious and my usage of xp simply because i dont have to deal with constant changing bases and relocation which irritates me and not to mention that i have the privilege of easy debugging.

i should rather not list some chinese tools which monitor ssdt for api monitoring (better than ring3 monitoring) simply because i can't copy their names and for a bigger reason few people know about them. wow! you just confirmed that, unless you were trolling.

[quote]never worked on instrumentation frameworks like DynamoRIO or PIN?[/quote]

i am a programmer sire' i dont do instrumentation.

[quote]SMC [/quote] pardon my lack of tech jargon

[quote]Self-modifying and dynamically generated code can potentially cause problems with DynamoRIO.[/quote]

i dunno i read this somewhere, though i have just one question, its an instrumentation framework right? just one creative thought, if result of an API call or any dynamic value is used to compute on the fly decoding ?

relocated or nominal code injection? (exe and dll)  i can see many problems but i am sure 1000's of people using ollydebugger to manually step into keygenme's should use binary instrumentation techniques. at least i would give it a try to see what i gives then come here.

[quote]you just need enough time[/quote] what can i say, you answer from my side. though i still dont understand the aslr thing, is it a joke? xD

with enough time things can be done, unfortunately thats a problem. =)

peace out!

[Dhanesh k]

Not sure what exactly your point is, but I am rather amused to see a malware writer who doesn't understand SMC[quite amused, I must say].

Good that you looked in to DynamoRIO, did you try PIN btw? Hopefully you have never heard of tracing, even though our beloved ollydbg has it, and prolly you may not be knowing about single stepping with TF=1. Relocation/code injection/API return used for decrypting - all these points that you have no idea of tracing/instrumentation. Try to write a tracer in PIN/custom debugger, you may get some idea about instrumenting/tracing(and how execution happens actually).[ as you are a programmer, it wont take much time though].

So malware programmer who doesn't know SMC/tracing, I must say - your POV is narrow - try to expand it rather than blindly opposing because you have never heard of it/done it.

Regards,
Dhanesh

Note: apologies for spamming the discussion board. There wont be any replies from my side in this thread. 

--

[fubar]

last reply:

i said i am not familiar with jargon -> SMC.

we call that metamorphic mutation in our language. i dont see how dfq do i not know it when i just said i didnt knew SMC *meant* self modifying code?

whats LLNM? find it and i'll be surprised if you didn't know what it means. O_O you call it SMC or give it fancy terms how do i know what it means?

as for Self Modifying code, you prolly have only seen of code decoding Random jibberish and then calling them (because i dont think CTF writers wrote even a semi Metamorphic engine in their Challenges) while i have seen engines not encrypting (polymorphism), actually modifying the code and reusing with 89% ratio. (partial metamorphism)

and funnily enough i have created one of them 2 years back with 79% bloated code. But i dont think i need to show off and get the little e-Fame that which you seek while constantly trying to negate every aspect of what i say without even realizing what i mean.

and as for olly doing tracing and me with no knowledge of it , dude seriously i LOL'd

its like media, i say something you twist and turn the actual meaning break the sentence and idk what you get in the end.

yeah right, i have no idea on instrumentation -> run Zeus,Spyeye's injected webfakes,ngr,bff,blaze,morpheus,ZingW with your BI. oldest piece of malware..

you think instrumentation will not break where debuggers break? yeah right. Perform it, find the samples by name on virustotal.

[aur...@gmail.com]

What's LLNM ? I did google couldn't find shit on it...

Sent on my BlackBerry® from Vodafone

---

From: fubar <kaelsunstr...@gmail.com>

Sender: null-...@googlegroups.com

Date: Fri, 19 Jul 2013 02:33:46 -0700 (PDT)

To: <null-...@googlegroups.com>

ReplyTo: null-...@googlegroups.com

Subject: [null] Re: api based anti-debugging using NTQueryInformationProcess

--

[fubar]

LLNM is a slang in north india.

http://j00ru.vexillium.org/ntapi_64/ here, found that NtSIT has only 1 value of eax for all flavors of windows.  so i'd be hardcoding 1 value that gives me smallest anti debugger code.

Happy Hunting!

Unless ofcourse folks at metasploit have wrongly printed this cheatsheet.

[code]

mov eax,0xa

xor ecx,ecx

push 0

push 0

push 0x11

push -2

lea edx,dword ptr [esp]

call fs:[0xc0] ; can be changed  but unfortunately i didnt have that much time.

int3

[/code]

And ofcourse above is possible in x64 flavours. change fs:0xc0 to sysenter and one more thing to get it working with xp and ther x86 arch.