Add NtSystemDebugControl anti-dbg (#252)

* Add NtSystemDebugControl anti-dbg * Update CI * force 2022 Co-authored-by: Stephen Eckels <stephen.eckels@mandiant.com>
ayoubfaouzi · Nov 4, 2022 · 6cd41fa · 6cd41fa
1 parent bed03d2
commit 6cd41fa
Show file tree

Hide file tree

Showing 11 changed files with 81 additions and 13 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -2,13 +2,13 @@ name: Build
 on: [pull_request, push]
 jobs:
   build:
-    runs-on: windows-2019
+    runs-on: windows-2022
 
     steps:
     - uses: actions/checkout@v2
 
     - name: Add MSBuild to PATH
-      uses: microsoft/setup-msbuild@v1.0.2
+      uses: microsoft/setup-msbuild@v1.1.3
 
     - name: Restore NuGet packages
       run: nuget restore ${{env.SOLUTION_FILE_PATH}}

diff --git a/Tools/ATAIdentifyDump/ATAIdentifyDump.vcxproj b/Tools/ATAIdentifyDump/ATAIdentifyDump.vcxproj
@@ -23,32 +23,32 @@
     <ProjectGuid>{245D8670-A888-4ECC-9B51-80584E55B701}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>ATAIdentifyDump</RootNamespace>
-    <WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>

diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -68,6 +68,7 @@ int main(void)
 		exec_check(&WUDF_IsUserDebuggerPresent, TEXT("Checking WudfIsUserDebuggerPresent API "));
 		exec_check(&NtSetInformationThread_ThreadHideFromDebugger, TEXT("Checking NtSetInformationThread with ThreadHideFromDebugger "));
 		exec_check(&CloseHandle_InvalideHandle, TEXT("Checking CloseHandle with an invalide handle "));
+		exec_check(&NtSystemDebugControl_Command, TEXT("Checking NtSystemDebugControl"));
 		exec_check(&UnhandledExcepFilterTest, TEXT("Checking UnhandledExcepFilterTest "));
 		exec_check(&OutputDebugStringAPI, TEXT("Checking OutputDebugString "));
 		exec_check(&HardwareBreakpoints, TEXT("Checking Hardware Breakpoints "));

diff --git a/al-khaser/AntiDebug/NtSystemDebugControl.cpp b/al-khaser/AntiDebug/NtSystemDebugControl.cpp
@@ -0,0 +1,19 @@
+#include "pch.h"
+
+BOOL NtSystemDebugControl_Command() {
+	auto NtSystemDebugControl_ = static_cast<pNtSystemDebugControl>(API::GetAPI(API_IDENTIFIER::API_NtSystemDebugControl));
+
+	auto status = NtSystemDebugControl_(SYSDBG_COMMAND::SysDbgCheckLowMemory, 0, 0, 0, 0, 0);
+
+	const auto STATUS_DEBUGGER_INACTIVE = 0xC0000354L;
+	const auto STATUS_ACCESS_DENIED = 0xC0000022L;
+	if (status == STATUS_DEBUGGER_INACTIVE) {
+		return FALSE;
+	} else {
+		// kernel debugger found
+		if (status != STATUS_ACCESS_DENIED) {
+			// usermode debugger too
+		}
+		return TRUE;
+	}
+}
diff --git a/al-khaser/AntiDebug/NtSystemDebugControl.h b/al-khaser/AntiDebug/NtSystemDebugControl.h
@@ -0,0 +1 @@
+BOOL NtSystemDebugControl_Command();
diff --git a/al-khaser/Shared/APIs.cpp b/al-khaser/Shared/APIs.cpp
@@ -17,6 +17,7 @@ API_DATA ApiData[] = {
 	{ API_IDENTIFIER::API_IsWow64Process,				    "kernel32.dll",		"IsWow64Process",			    	API_OS_BITS::ANY,		API_OS_VERSION::WIN_XP_SP2,		API_OS_VERSION::NONE },
 	{ API_IDENTIFIER::API_LdrEnumerateLoadedModules,	    "ntdll.dll",		"LdrEnumerateLoadedModules",    	API_OS_BITS::ANY,		API_OS_VERSION::WIN_XP_SP1,		API_OS_VERSION::NONE },
 	{ API_IDENTIFIER::API_NtClose,						    "ntdll.dll",		"NtClose",					    	API_OS_BITS::ANY,		API_OS_VERSION::WIN_XP,			API_OS_VERSION::NONE },
+	{ API_IDENTIFIER::API_NtSystemDebugControl,             "ntdll.dll",        "NtSystemDebugControl",             API_OS_BITS::ANY,       API_OS_VERSION::WIN_XP,         API_OS_VERSION::NONE },
 	{ API_IDENTIFIER::API_NtCreateDebugObject,			    "ntdll.dll",		"NtCreateDebugObject",		    	API_OS_BITS::ANY,		API_OS_VERSION::WIN_XP,			API_OS_VERSION::NONE },
 	{ API_IDENTIFIER::API_NtDelayExecution,				    "ntdll.dll",		"NtDelayExecution",			    	API_OS_BITS::ANY,		API_OS_VERSION::WIN_XP,			API_OS_VERSION::NONE },
 	{ API_IDENTIFIER::API_NtOpenDirectoryObject,		    "ntdll.dll",		"NtOpenDirectoryObject",	    	API_OS_BITS::ANY,		API_OS_VERSION::WIN_XP,			API_OS_VERSION::NONE },

diff --git a/al-khaser/Shared/APIs.h b/al-khaser/Shared/APIs.h
@@ -13,6 +13,7 @@ enum API_IDENTIFIER
 	API_IsWow64Process,
 	API_LdrEnumerateLoadedModules,
 	API_NtClose,
+	API_NtSystemDebugControl,
 	API_NtCreateDebugObject,
 	API_NtDelayExecution,
 	API_NtOpenDirectoryObject,

diff --git a/al-khaser/Shared/ApiTypeDefs.h b/al-khaser/Shared/ApiTypeDefs.h
@@ -26,6 +26,47 @@ typedef DWORD(WINAPI * pRtlCreateUserThread)(
 	OUT LPVOID					ClientID
 	);
 typedef NTSTATUS(WINAPI* pNtClose)(HANDLE);
+typedef enum _SYSDBG_COMMAND {
+	SysDbgQueryModuleInformation,
+	SysDbgQueryTraceInformation,
+	SysDbgSetTracepoint,
+	SysDbgSetSpecialCall,
+	SysDbgClearSpecialCalls,
+	SysDbgQuerySpecialCalls,
+	SysDbgBreakPoint,
+	SysDbgQueryVersion,
+	SysDbgReadVirtual,
+	SysDbgWriteVirtual,
+	SysDbgReadPhysical,
+	SysDbgWritePhysical,
+	SysDbgReadControlSpace,
+	SysDbgWriteControlSpace,
+	SysDbgReadIoSpace,
+	SysDbgWriteIoSpace,
+	SysDbgReadMsr,
+	SysDbgWriteMsr,
+	SysDbgReadBusData,
+	SysDbgWriteBusData,
+	SysDbgCheckLowMemory,
+	SysDbgEnableKernelDebugger,
+	SysDbgDisableKernelDebugger,
+	SysDbgGetAutoKdEnable,
+	SysDbgSetAutoKdEnable,
+	SysDbgGetPrintBufferSize,
+	SysDbgSetPrintBufferSize,
+	SysDbgGetKdUmExceptionEnable,
+	SysDbgSetKdUmExceptionEnable,
+	SysDbgGetTriageDump,
+	SysDbgGetKdBlockEnable,
+	SysDbgSetKdBlockEnable,
+} SYSDBG_COMMAND, * PSYSDBG_COMMAND;
+typedef NTSTATUS(NTAPI* pNtSystemDebugControl)(
+	IN SYSDBG_COMMAND Command,
+	IN PVOID InputBuffer,
+	IN ULONG InputBufferLength,
+	OUT PVOID OutputBuffer,
+	IN ULONG OutputBufferLength,
+	OUT PULONG ReturnLength);
 typedef NTSTATUS(WINAPI *pNtCreateDebugObject)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG);
 typedef NTSTATUS(WINAPI *pNtCreateThreadEx)(
 	OUT PHANDLE ThreadHandle,

diff --git a/al-khaser/al-khaser.vcxproj b/al-khaser/al-khaser.vcxproj
@@ -23,32 +23,32 @@
     <ProjectGuid>{77AEFBC3-0ECE-46AD-A113-966AAAA838E1}</ProjectGuid>
     <Keyword>Win32Proj</Keyword>
     <RootNamespace>alkhaser</RootNamespace>
-    <WindowsTargetPlatformVersion>10.0.18362.0</WindowsTargetPlatformVersion>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     <ConfigurationType>Application</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
-    <PlatformToolset>v141</PlatformToolset>
+    <PlatformToolset>v143</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
     <CharacterSet>Unicode</CharacterSet>
   </PropertyGroup>
@@ -187,6 +187,7 @@
     <ClInclude Include="AntiDebug\NtQueryObject_ObjectInformation.h" />
     <ClInclude Include="AntiDebug\NtQuerySystemInformation_SystemKernelDebuggerInformation.h" />
     <ClInclude Include="AntiDebug\NtSetInformationThread_ThreadHideFromDebugger.h" />
+    <ClInclude Include="AntiDebug\NtSystemDebugControl.h" />
     <ClInclude Include="AntiDebug\NtYieldExecution.h" />
     <ClInclude Include="AntiDebug\OutputDebugStringAPI.h" />
     <ClInclude Include="AntiDebug\PageExceptionBreakpointCheck.h" />
@@ -263,6 +264,7 @@
     <ClCompile Include="AntiDebug\NtQueryObject_ObjectTypeInformation.cpp" />
     <ClCompile Include="AntiDebug\NtQuerySystemInformation_SystemKernelDebuggerInformation.cpp" />
     <ClCompile Include="AntiDebug\NtSetInformationThread_ThreadHideFromDebugger.cpp" />
+    <ClCompile Include="AntiDebug\NtSystemDebugControl.cpp" />
     <ClCompile Include="AntiDebug\NtYieldExecution.cpp" />
     <ClCompile Include="AntiDebug\OutputDebugStringAPI.cpp" />
     <ClCompile Include="AntiDebug\PageExceptionBreakpointCheck.cpp" />

diff --git a/al-khaser/al-khaser.vcxproj.filters b/al-khaser/al-khaser.vcxproj.filters
@@ -292,6 +292,7 @@
     <ClInclude Include="AntiVM\HyperV.h">
       <Filter>AntiVM\Header</Filter>
     </ClInclude>
+    <ClInclude Include="AntiDebug\NtSystemDebugControl.h" />
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="al-khaser.cpp" />
@@ -482,6 +483,7 @@
     <ClCompile Include="AntiVM\HyperV.cpp">
       <Filter>AntiVM\Source</Filter>
     </ClCompile>
+    <ClCompile Include="AntiDebug\NtSystemDebugControl.cpp" />
   </ItemGroup>
   <ItemGroup>
     <MASM Include="AntiDebug\int2d_x86.asm">
@@ -501,7 +503,6 @@
     </MASM>
   </ItemGroup>
   <ItemGroup>
-    <None Include="packages.config" />
     <None Include="..\README.md" />
     <None Include="..\CHANGELOG.md" />
   </ItemGroup>

diff --git a/al-khaser/pch.h b/al-khaser/pch.h
@@ -78,6 +78,7 @@
 #include "AntiDebug/NtQueryInformationProcess_ProcessDebugObject.h"
 #include "AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.h"
 #include "AntiDebug/CloseHandle_InvalidHandle.h"
+#include "AntiDebug/NtSystemDebugControl.h"
 #include "AntiDebug/UnhandledExceptionFilter_Handler.h"
 #include "AntiDebug/OutputDebugStringAPI.h"
 #include "AntiDebug/HardwareBreakpoints.h"