# What is this note

This note records things I learned while studying anti-sandbox / anti-debug techniques.

# Progress

Studying al-khaser (source code): https://github.com/LordNoteworthy/al-khaser

# TODO

ring0 anti-debug study

# TLS callback

## TLS intro

https://learn.microsoft.com/en-us/windows/win32/procthread/thread-local-storage

## Callback function

TLS callbacks are invoked by the loader when the process starts (DLL_PROCESS_ATTACH, before the entry point runs) and again whenever a thread is created or exits (DLL_THREAD_ATTACH / DLL_THREAD_DETACH), so each call receives a different dwReason. Because the process-attach callback runs before main(), malware can put its debugger/VM checks there: they execute before a debugger reaches the breakpoint it usually places on the entry point. (MITRE ATT&CK lists TLS callbacks as a process-injection sub-technique, T1055.005, so injection through this mechanism is also workable.)

## Checking implementation (key code)

```
// note: the callback must be registered with the linker (/INCLUDE directives) and a
// pointer to it placed in the .CRT$XL* section, otherwise the loader never calls it.
// The test spins here until the callback has created/signalled its event; the callback
// runs while this loop executes. `fuse`/BLOWN bound the wait so a missing callback
// (some debuggers and emulators skip TLS callbacks) cannot hang the test.
while (tls_callback_process_event == NULL && ++fuse != BLOWN) {
    SwitchToThread();
}

// dwReason tells us why the loader called us; the DLL_PROCESS_ATTACH branch records
// that the callback really ran so the test can verify it afterwards.
VOID WINAPI tls_callback(PVOID hModule, DWORD dwReason, PVOID pContext)
{
    if (dwReason == DLL_PROCESS_ATTACH) {
        OutputDebugString(L"TLS callback: process attach");
        tls_callback_process_data = 0xDEADBEEF;
        SetEvent(tls_callback_process_event);
    }
}
```

## Reference

- https://learn.microsoft.com/en-us/windows/win32/procthread/thread-local-storage
- https://xz.aliyun.com/t/12057
- https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain

# IsDebuggerPresent API

Calls the Win32 API *IsDebuggerPresent()*, which simply returns the PEB->BeingDebugged flag, so it only detects a user-mode debugger attached to this process.

# CheckRemoteDebuggerPresent API

Calls *NtQueryInformationProcess* with *ProcessInfoClass* = 7 (ProcessDebugPort). *NtQueryInformationProcess* retrieves information about a process; class 7 returns the debug port of the process, which is non-zero (-1) when a debugger is attached. Despite the name, it works on the current process too: "Remote" only means the function takes a process handle.

Q: what does this API check? https://www.52pojie.cn/thread-1432590-1-1.html

## Hint

The two APIs above check from ring 3. Ring 0 study: https://www.52pojie.cn/thread-1426244-1-1.html (TODO)

# NtGlobalFlag

gs register: on x64 Windows the OS uses the gs base for thread-specific memory. It points at the TEB, and TEB+0x60 holds the pointer to the PEB (on x86 the TEB is at fs and the PEB pointer sits at fs:[0x30]).

TODO: check gs register from gdb?

Check *NtGlobalFlag* (these flags are set when the process is created under a debugger; the value is 0x70 = FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS):

```
// x64: PEB at gs:[0x60], NtGlobalFlag at PEB+0xBC (x86: fs:[0x30] and PEB+0x68)
*(PDWORD)(__readgsqword(0x60) + 0xBC)
```

TODO: how to get process PEB

# ReadHeapFlags (ForceFlags: the 4 bytes right after Flags at 0x70, i.e. 0x74)

We can check the flags in the process heap to tell whether the process is under a debugger (CreateProcess adds the debug heap flags when the creating process is a debugger). A clean process heap has Flags == HEAP_GROWABLE (0x2) and ForceFlags == 0.

```
pProcessHeap = (PINT64)(__readgsqword(0x60) + 0x30);   // PEB->ProcessHeap (x64)
pHeapFlags   = (PUINT32)(*pProcessHeap + 0x70);        // _HEAP.Flags; ForceFlags follows at +0x74
```

# LowFragmentationHeap

Check FrontEndHeap == NULL: when the debug heap flags are set, the Low Fragmentation Heap front end is not enabled, so _HEAP.FrontEndHeap stays NULL.

# Direct call to NtQueryInformationProcess

Just the implementation behind CheckRemoteDebuggerPresent: use NtQueryInformationProcess to check whether the NoDebugInherit flag is present (class 0x1f, ProcessDebugFlags, returns the inverse of EPROCESS.NoDebugInherit, so 0 means debugged).

Q: NoDebugInherit is not in the manual. Read the wrong API manual?
Q2: 0x1e does not match the manual? (0x1f does not either)

Both classes are undocumented, which is why the public PROCESSINFOCLASS documentation omits them: 0x1e is ProcessDebugObjectHandle and 0x1f is ProcessDebugFlags (Geoff Chappell's site lists them).

# WUDFPlatform.dll

Three debugger-check functions can be used (WudfIsAnyDebuggerPresent, WudfIsKernelDebuggerPresent, WudfIsUserDebuggerPresent).

Q: what is this DLL used for?

It is the platform library of the User-Mode Driver Framework (UMDF).

# NtSetInformationThread

1. set up alignment
2. initialise the two APIs (set/get thread information)
3. check the Windows version
4. 0x11 == ThreadHideFromDebugger (https://geoffchappell.com/studies/windows/km/ntoskrnl/api/ps/psquery/class.htm)

TODO: this function includes hook checking, so come back after learning about hooks (anti-debug part).

Basically, this check just uses the API to hide the thread from the debugger: once ThreadHideFromDebugger is set, the thread no longer delivers debug events, so an attached debugger loses control of it.

# ANTI-DEBUG TRICK NOTE

link: https://anti-debug.checkpoint.com/

## Debug flags

### Overview

Some flags are set when a program runs under a debugger; we can read them either through APIs or by reading the system structures in memory directly.

#### IsDebuggerPresent()

Checks PEB->BeingDebugged.

#### CheckRemoteDebuggerPresent()

Internally uses *NtQueryInformationProcess* with class = 7 (ProcessDebugPort). The debug port is the kernel debug object through which the debugger receives this process's events; a non-zero port means one is attached.

Q: what is the principle of gdb? (why a port)

#### NtQueryInformationProcess()

- GetCurrentProcess() -> 7 (ProcessDebugPort) -> check the port
- GetCurrentProcess() -> 0x1f (ProcessDebugFlags) -> returns !EPROCESS.NoDebugInherit, so 0 means debugged
- 0x1e (ProcessDebugObjectHandle) -> returns the handle of the debug object (kernel object)

#### QueryProcessDebugInformation

Reads a Flags field from the heap (RtlQueryProcessDebugInformation fills a debug buffer with the process's heap information).

Q: structure of the heap?

#### NtQuerySystemInformation

Class 0x23 (SystemKernelDebuggerInformation) returns (1) KernelDebuggerEnabled and (2) KernelDebuggerNotPresent.

#### Mitigation

1. Patch the PEB (BeingDebugged / NtGlobalFlag)
2. Hook the APIs and set/modify the return value

### Manual check

#### PEB -> BeingDebugged flag

Note: fs/gs -> Thread Information Block (TEB), which holds the PEB pointer.

#### NtGlobalFlag

The flags (0x70) are set if the process was created by a debugger.

#### Heap flags

1. Flags
2. ForceFlags

#### Heap protection

1. Tail: with HEAP_TAIL_CHECKING_ENABLED, a 0xABABABAB pattern is appended after each allocated block.
2. Next memory block: with HEAP_FREE_CHECKING_ENABLED, 0xFEEEFEEE fills the space between the end of the block and the next block.

#### KUSER_SHARED_DATA

0x7ffe02d4 = 0x7ffe0000 (location of the struct) + 0x02d4 (KdDebuggerEnabled); 0x01 or 0x02 is set when a kernel debugger is working.

## Object handle

### OpenProcess()

csrss.exe can only be opened when the process is admin and has debug privileges; a process launched by a debugger inherits the debugger's enabled SeDebugPrivilege, so success hints at a debugger.

### CreateFile()

CREATE_PROCESS_DEBUG_EVENT: the event raised when the process is created (the first event the debugger receives); it carries a handle to the image file. If a debugger is running, CreateFileA on the executable with exclusive access fails, because the debugger still holds that handle (unless it closed it).

### CloseHandle()

When the process is under a debugger, trying to close a non-existent handle throws an exception (EXCEPTION_INVALID_HANDLE, 0xC0000008) instead of just returning FALSE.

### LoadLibrary()

Similar to CreateFile, just a different event is triggered (LOAD_DLL_DEBUG_EVENT carries a handle to the loaded DLL).

### NtQueryObject()

Whenever a debugger is in use, a kernel object of type DebugObject is created; NtQueryObject (ObjectTypesInformation) lists every object type with its instance count, so we can check whether any DebugObject exists. Note this is system-wide: it shows a debugger running anywhere on the machine, not necessarily one attached to us:

```
user1 -> malware -> call NtQueryObject -> debug object
user2 -> normal  -> debugger           -> debug object
```

### Mitigations

Basically all of these can be defeated by hooking the API and modifying the return value.
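The PEB, NtGlobalFlag and heap-flag checks from the NtGlobalFlag / ReadHeapFlags / manual check sections above, combined into one routine. This is an added example, not al-khaser's or Microsoft's code. It assumes the x64 Vista-and-later layout (PEB+0x02 BeingDebugged, PEB+0x30 ProcessHeap, PEB+0xBC NtGlobalFlag, _HEAP+0x70 Flags, _HEAP+0x74 ForceFlags); it reads the live PEB only when built with MSVC for x64, and otherwise runs the same decision logic over a constructed PEB/_HEAP image so the logic can be exercised off Windows. `peb_debug_indicators`, `fake_process` and `fake_process_init` are names of mine, not Windows identifiers.

```c
/* PEB-based debugger indicators (added example, not al-khaser code).
 * Assumption: x64 Vista+ offsets; x86 would use PEB+0x18 / PEB+0x68 and _HEAP+0x40 / +0x44. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PEB_BEING_DEBUGGED  0x02
#define PEB_PROCESS_HEAP    0x30
#define PEB_NT_GLOBAL_FLAG  0xBC
#define HEAP_FLAGS          0x70
#define HEAP_FORCE_FLAGS    0x74

/* NtGlobalFlag bits a debugger-created process gets (sum 0x70) */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40
#define NTGLOBALFLAG_DEBUGGED (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)

/* _HEAP.Flags / ForceFlags bits */
#define HEAP_GROWABLE                    0x00000002
#define HEAP_TAIL_CHECKING_ENABLED       0x00000020
#define HEAP_FREE_CHECKING_ENABLED       0x00000040
#define HEAP_VALIDATE_PARAMETERS_ENABLED 0x40000000

enum { IND_BEING_DEBUGGED = 1, IND_NTGLOBALFLAG = 2, IND_HEAP_FLAGS = 4, IND_HEAP_FORCEFLAGS = 8 };

static uint32_t rd32(const uint8_t *base, size_t off) { uint32_t v; memcpy(&v, base + off, sizeof v); return v; }
static uint64_t rd64(const uint8_t *base, size_t off) { uint64_t v; memcpy(&v, base + off, sizeof v); return v; }

/* Returns a bitmask of the indicators that fired for the PEB at `peb`. */
int peb_debug_indicators(const uint8_t *peb)
{
    int hits = 0;
    if (peb[PEB_BEING_DEBUGGED])                               /* what IsDebuggerPresent() returns */
        hits |= IND_BEING_DEBUGGED;
    if (rd32(peb, PEB_NT_GLOBAL_FLAG) & NTGLOBALFLAG_DEBUGGED) /* 0x70 when created under a debugger */
        hits |= IND_NTGLOBALFLAG;
    const uint8_t *heap = (const uint8_t *)(uintptr_t)rd64(peb, PEB_PROCESS_HEAP);
    if (heap) {
        /* a clean process heap has Flags == HEAP_GROWABLE and ForceFlags == 0 */
        if (rd32(heap, HEAP_FLAGS) & ~HEAP_GROWABLE) hits |= IND_HEAP_FLAGS;
        if (rd32(heap, HEAP_FORCE_FLAGS) != 0)       hits |= IND_HEAP_FORCEFLAGS;
    }
    return hits;
}

/* Constructed PEB + _HEAP images (test data, not a real process). */
typedef struct { uint8_t peb[0x100]; uint8_t heap[0x100]; } fake_process;

void fake_process_init(fake_process *p, int debugged)
{
    memset(p, 0, sizeof *p);
    uint64_t heap_ptr = (uint64_t)(uintptr_t)p->heap;        /* PEB->ProcessHeap points at our image */
    uint32_t ntgf  = debugged ? NTGLOBALFLAG_DEBUGGED : 0;
    uint32_t flags = HEAP_GROWABLE, force = 0;
    if (debugged) {
        p->peb[PEB_BEING_DEBUGGED] = 1;
        force  = HEAP_TAIL_CHECKING_ENABLED | HEAP_FREE_CHECKING_ENABLED | HEAP_VALIDATE_PARAMETERS_ENABLED; /* 0x40000060 */
        flags |= force;                                                                                     /* 0x40000062 */
    }
    memcpy(p->peb + PEB_PROCESS_HEAP, &heap_ptr, sizeof heap_ptr);
    memcpy(p->peb + PEB_NT_GLOBAL_FLAG, &ntgf, sizeof ntgf);
    memcpy(p->heap + HEAP_FLAGS, &flags, sizeof flags);
    memcpy(p->heap + HEAP_FORCE_FLAGS, &force, sizeof force);
}

#if defined(_MSC_VER) && defined(_M_X64)
#include <intrin.h>
static const uint8_t *current_peb(void) { return (const uint8_t *)__readgsqword(0x60); } /* TEB+0x60 -> PEB */
#endif

int main(void)
{
#if defined(_MSC_VER) && defined(_M_X64)
    printf("live PEB indicators: 0x%x\n", peb_debug_indicators(current_peb()));
#else
    fake_process clean, dbg;
    fake_process_init(&clean, 0);
    fake_process_init(&dbg, 1);
    printf("clean: 0x%x  debugged: 0x%x\n", peb_debug_indicators(clean.peb), peb_debug_indicators(dbg.peb));
#endif
    return 0;
}
```

Reporting a bitmask rather than a yes/no is deliberate: a debugger that patches BeingDebugged but forgets ForceFlags still shows up, and the unpatched indicator tells you which mitigation from the list above was not applied.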
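The NtQueryObject() trick from the object handle section above: walk the ObjectTypesInformation list and read the instance count of the DebugObject type. This is an added example, not al-khaser's or checkpoint's code. It assumes the x64 layout (a ULONG NumberOfTypes padded to 8 bytes, then for each type an 0x68-byte OBJECT_TYPE_INFORMATION immediately followed by its UTF-16 TypeName buffer, the next entry 8-byte aligned). The parser runs over a constructed buffer so it can be tested off Windows; on Windows the `live_debug_object_count` path feeds it the real list. `object_type_count`, `build_types_buffer` and `live_debug_object_count` are names of mine.

```c
/* DebugObject instance count via the NtQueryObject(ObjectTypesInformation) buffer
 * (added example, not al-khaser code). Assumption: x64 layout described in the lead-in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OTI_SIZE           0x68  /* sizeof(OBJECT_TYPE_INFORMATION) on x64 */
#define OTI_NAME_LENGTH    0x00  /* TypeName.Length (bytes) */
#define OTI_NAME_MAXLENGTH 0x02  /* TypeName.MaximumLength */
#define OTI_NAME_BUFFER    0x08  /* TypeName.Buffer */
#define OTI_TOTAL_OBJECTS  0x10  /* TotalNumberOfObjects */
#define ALIGN8(x) (((size_t)(x) + 7u) & ~(size_t)7u)

static uint16_t rd16(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static uint64_t rd64(const uint8_t *p, size_t o) { uint64_t v; memcpy(&v, p + o, 8); return v; }

/* Compare an ASCII type name against a UTF-16LE name of `len` bytes. */
static int name_is(const uint8_t *utf16, uint16_t len, const char *ascii)
{
    if (len != strlen(ascii) * 2) return 0;
    for (size_t i = 0; i < len / 2u; i++)
        if (utf16[2 * i] != (uint8_t)ascii[i] || utf16[2 * i + 1] != 0) return 0;
    return 1;
}

/* Returns TotalNumberOfObjects for `type_name`, or -1 if the type is not in the list. */
long object_type_count(const uint8_t *buf, const char *type_name)
{
    uint32_t n = rd32(buf, 0);
    const uint8_t *entry = buf + 8;                  /* first entry after the 8-aligned count */
    for (uint32_t i = 0; i < n; i++) {
        uint16_t len = rd16(entry, OTI_NAME_LENGTH);
        uint16_t max = rd16(entry, OTI_NAME_MAXLENGTH);
        const uint8_t *name = (const uint8_t *)(uintptr_t)rd64(entry, OTI_NAME_BUFFER);
        if (name_is(name, len, type_name))
            return (long)rd32(entry, OTI_TOTAL_OBJECTS);
        entry = name + ALIGN8(max);                  /* name buffer sits right behind the struct */
    }
    return -1;
}

/* ---- constructed buffer standing in for what the kernel returns (test data) ---- */
static size_t put_type(uint8_t *buf, size_t off, const char *name, uint32_t count)
{
    uint8_t *e = buf + off;
    uint16_t len = (uint16_t)(strlen(name) * 2), max = (uint16_t)(len + 2); /* +2: UTF-16 NUL */
    uint64_t bufptr = (uint64_t)(uintptr_t)(e + OTI_SIZE);
    memset(e, 0, OTI_SIZE + ALIGN8(max));
    memcpy(e + OTI_NAME_LENGTH, &len, 2);
    memcpy(e + OTI_NAME_MAXLENGTH, &max, 2);
    memcpy(e + OTI_NAME_BUFFER, &bufptr, 8);
    memcpy(e + OTI_TOTAL_OBJECTS, &count, 4);
    for (size_t i = 0; name[i]; i++) e[OTI_SIZE + 2 * i] = (uint8_t)name[i];
    return off + OTI_SIZE + ALIGN8(max);
}

/* Three-type list; `debuggers` is the DebugObject count to report. Needs >= 0x200 bytes. */
size_t build_types_buffer(uint8_t *buf, uint32_t debuggers)
{
    uint32_t n = 3;
    memset(buf, 0, 8);
    memcpy(buf, &n, 4);
    size_t off = 8;
    off = put_type(buf, off, "Process", 120);
    off = put_type(buf, off, "Thread", 1500);
    off = put_type(buf, off, "DebugObject", debuggers);
    return off;
}

#ifdef _WIN32
#include <windows.h>
#define OBJ_TYPES_INFORMATION_CLASS 3
typedef LONG (NTAPI *NtQueryObject_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
/* Queries the live list; returns the DebugObject count or -1 on failure. */
long live_debug_object_count(void)
{
    NtQueryObject_t q = (NtQueryObject_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryObject");
    ULONG need = 0;
    if (!q) return -1;
    q(NULL, OBJ_TYPES_INFORMATION_CLASS, NULL, 0, &need);  /* STATUS_INFO_LENGTH_MISMATCH, fills `need` */
    uint8_t *buf = (uint8_t *)HeapAlloc(GetProcessHeap(), 0, need);
    long r = (buf && q(NULL, OBJ_TYPES_INFORMATION_CLASS, buf, need, &need) == 0)
               ? object_type_count(buf, "DebugObject") : -1;
    if (buf) HeapFree(GetProcessHeap(), 0, buf);
    return r;
}
#endif

int main(void)
{
    uint8_t buf[0x200];
    build_types_buffer(buf, 2);
    printf("constructed list: DebugObject count = %ld\n", object_type_count(buf, "DebugObject"));
#ifdef _WIN32
    printf("live system: DebugObject count = %ld\n", live_debug_object_count());
#endif
    return 0;
}
```

Remember the caveat from the section above: a non-zero count means a debugger exists somewhere on the machine (another user's session included), not that it is attached to this process, so treat it as a weaker signal than the per-process PEB and ProcessDebugPort checks.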