
How do I defeat the ZwQueryInformationProcess() anti-debugging protection for the ProcessDebugPort class? Unlike IsDebuggerPresent(), I found this really hard to bypass with my skills...

Does anyone know how to bypass this API function?

  • It requires a driver to intercept the function and change the behavior. It can't be bypassed at the application level. Commented Aug 19, 2016 at 16:05
  • @peterferrie If it is a query for ProcessDebugPort, can't we overwrite the OutBuff on returning from the syscall? Commented Aug 19, 2016 at 20:18
  • @blabb To do that you would have to hook the syscall itself, because anything higher than that can be bypassed, and now you're a driver. Then you have to track which process is being checked, since a remote process with a debugger might be legitimate. The process handle might not be -1 but a real handle, which would require resolving first. Commented Aug 26, 2016 at 17:05
  • @peterferrie I posted an answer. Can you please take a look and tell me if this can't be done? Commented Aug 26, 2016 at 20:30

1 Answer

/* zwopenproc.c, reflowed from the one-line listing. The post does not show
   zwopenproc.h; the declarations it supplied are reconstructed here as globals
   (DbgPort stays global so the debugger script can patch it by symbol name). */
#include <windows.h>
#include <winternl.h>   /* PROCESSINFOCLASS: ProcessDebugPort (7), ProcessImageFileName */
#include <stdio.h>

typedef NTSTATUS (NTAPI *ZwQIP_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

HMODULE hNtdll;
HANDLE  hProc;
ZwQIP_t ZwQIP;
ULONG   Rlen;
BYTE    OutBuff[1024];   /* receives a UNICODE_STRING followed by its buffer */
DWORD   DbgPort;         /* 0 when no debug port, 0xffffffff when one exists */

int main(void)
{
    hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll) {
        *(FARPROC *)&ZwQIP = GetProcAddress(hNtdll, "ZwQueryInformationProcess");
        hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
        ZwQIP(hProc, ProcessImageFileName, OutBuff, sizeof(OutBuff), &Rlen);
        printf("ImageName=%wZ\n", OutBuff);
        ZwQIP(hProc, ProcessDebugPort, &DbgPort, 4, &Rlen);
        switch (DbgPort) {
        case 0xffffffff: printf("some bugs are debugging us\n"); break;
        case 0x0:        printf("no bugs are debugging us\n"); break;
        default:         printf("who knows if bugs are debugging us\n"); break;
        }
    }
    return 0;
}

Executing this code without a debugger:

zwopenproc.exe
ImageName=\Device\HarddiskVolume4\test\zwqiproc\zwopenproc.exe
no bugs are debugging us

Executing inside a debugger results in detection:

cdb -g -G zwopenproc.exe | tail -2
ImageName=\Device\HarddiskVolume4\test\zwqiproc\zwopenproc.exe
some bugs are debugging us
+++++++++++++++++++++++++++++++++++++++++++++++

Executing inside a debugger and overwriting the return buffer using a script results in no detection:

cdb -G -c "$$>a< zwqip.txt" zwopenproc.exe | tail -6
    Process Id  2064
    Parent Process  3716
    Base Priority  8
.  0    id: 810    create    name: zwopenproc.exe
ImageName=\Device\HarddiskVolume4\test\zwqiproc\zwopenproc.exe
no bugs are debugging us
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

printf "%x\n" , 2064
810

Contents of the script file:

cat zwqip.txt
bp ntdll!ZwQueryInformationProcess ".if( poi(@esp+8) != 7 ){gc} .else { !handle poi(@esp+4 ) f ; | ; gu ; ed dbgport 0; gc } "
g
  • Sure, but now change GetCurrentProcessId() to another pid and then debug that pid legitimately. Unless your script knows which handle refers to your process (it can also be -1 for the current process, or even a random handle value), you'll either hide the legitimate case and reveal yourself, or fail to report the error and reveal yourself. Commented Sep 2, 2016 at 16:34
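As an added example (not part of the answer above and not the answer author's script), here is one way to meet the objection in the last comment within the same cdb setup. The breakpoint handler patches the result only when the queried handle actually refers to the debuggee: either the pseudo-handle -1, or a real handle that `!handle` resolves to a "Process Id" equal to the debuggee's PID (the `$tpid` pseudo-register). It also writes to the caller's own output buffer, saved from the third argument before `gu`, instead of the `dbgport` global, so it does not depend on the target's symbol names. The file names zwqip.txt and onqip.txt, the x86 stack layout ([esp+4], [esp+8], [esp+0xc] for the first three arguments, as in the original script), the 4-byte debug-port value written by `ed`, and the `gu; ed ...; gc` sequence mirrored from the original script are assumptions; the token parsing relies on `!handle ... f` printing "Process Id <decimal>" as in the output shown above. Legitimate queries about other processes are passed through untouched.

```windbg
$$ zwqip.txt: install the breakpoint, then run the target.
$$ (added example; file names are assumptions)
bp ntdll!ZwQueryInformationProcess "$$>a< onqip.txt"
g

$$ onqip.txt: runs at every ZwQueryInformationProcess call (x86 layout assumed:
$$ [esp+4]=ProcessHandle, [esp+8]=ProcessInformationClass, [esp+c]=ProcessInformation).
$$ Anything other than ProcessDebugPort (7) is passed through.
.if (poi(@esp+8) != 7) { gc }
.else {
    r $t0 = 0                   $$ becomes 1 when the handle refers to the debuggee
    r $t1 = 0                   $$ "next token is the pid" flag while parsing !handle
    r $t3 = poi(@esp+0xc)       $$ caller's output buffer, saved before gu moves esp

    $$ -1 is the current-process pseudo-handle, so it is always the debuggee.
    .if (poi(@esp+4) == 0xffffffff) { r $t0 = 1 }
    .else {
        $$ Resolve a real handle: walk the tokens of "!handle <h> f" and read the
        $$ decimal value following "Id" (from the "Process Id  <n>" line), then
        $$ compare it with the debuggee's own pid.
        .foreach (tok {!handle poi(@esp+4) f}) {
            .if (@$t1 == 1) { r $t1 = 0; .if (0n${tok} == @$tpid) { r $t0 = 1 } }
            .if ($sicmp("${tok}", "Id") == 0) { r $t1 = 1 }
        }
    }

    $$ Only for the debuggee: let the call return, then clear the DWORD the
    $$ caller reads as its debug port. Queries about other processes stay honest.
    .if (@$t0 == 1) { gu; ed @$t3 0; gc }
    .else { gc }
}
```

This still lives entirely in the debugger, so it covers checks that go through ntdll's exported stub; a target that issues the syscall directly, or queries from another process, is not intercepted, which is the limitation the first comment on the question describes.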
