NtQueryInformationProcess anti-debug
wmsuper opened this issue · comments
wmsuper commented
An anti-debugging technique was found in SProtect (a virtualization protector, like VMProtect).
Think about the following code:

```cpp
void* Information = malloc(InfoSize);
// ReturnLength and ProcessInformation point to the same memory area
status = X64_NtQueryInformationProcess(CurrentProcess, ProcessDebugObjectHandle, Information, 8, (PULONG)Information);
```

TitanHide is unable to close the debug object handle because the handle is overwritten (handle == sizeof(handle) == 8):

```cpp
// TitanHide reads CantTouchThis back from ProcessInformation after the original call
if (CantTouchThis != nullptr)
{
    BOOLEAN AuditOnClose;
    const NTSTATUS HandleStatus = ObQueryObjectAuditingByHandle(CantTouchThis, &AuditOnClose); // "CantTouchThis" is 8 in Windows x64
    if (HandleStatus != STATUS_INVALID_HANDLE)
        ObCloseHandle(CantTouchThis, ExGetPreviousMode());
}
```
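A user-mode C model of the aliasing problem described above, added here as an illustration; it is not TitanHide's code and not the fix the maintainers shipped. `fake_original`, `fake_close` and `FAKE_DEBUG_HANDLE` are constructed stand-ins for the syscall, for ObCloseHandle and for a real handle value, and the model skips the user-pointer probing a kernel hook would need.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t HANDLE_T;  /* 64-bit HANDLE, as on x64 Windows */
typedef uint32_t ULONG_T;
#define FAKE_DEBUG_HANDLE ((HANDLE_T)0x1a4)  /* constructed value, not a real handle */
static int g_closed;  /* times the stand-in ObCloseHandle received the real handle */
/* Models the syscall's write order: handle into ProcessInformation first, then
 * byte count into ReturnLength. With aliased pointers the low 4 bytes become 8. */
static void fake_original(void *info, ULONG_T len, ULONG_T *retlen) {
    HANDLE_T h = FAKE_DEBUG_HANDLE;
    if (len >= sizeof h) memcpy(info, &h, sizeof h);
    if (retlen) *retlen = (ULONG_T)sizeof h;
}
static void fake_close(HANDLE_T h) { if (h == FAKE_DEBUG_HANDLE) g_closed++; }
/* Naive hook: reads the handle after the original has returned, so with aliased
 * buffers it sees 8 (the ReturnLength) and never closes the real handle. */
HANDLE_T hook_naive(void *info, ULONG_T len, ULONG_T *retlen) {
    HANDLE_T h = 0;
    fake_original(info, len, retlen);
    if (len >= sizeof h) memcpy(&h, info, sizeof h);
    if (h != 0) fake_close(h);
    return h;  /* the value the hook believed was the handle */
}

/* Hardened hook: keep ReturnLength private until the handle has been read,
 * closed and zeroed; only then publish the length to the caller's pointer. */
HANDLE_T hook_hardened(void *info, ULONG_T len, ULONG_T *retlen) {
    ULONG_T private_len = 0; HANDLE_T h = 0;
    fake_original(info, len, &private_len);
    if (len >= sizeof h) memcpy(&h, info, sizeof h);
    if (h != 0) { fake_close(h); memset(info, 0, sizeof h); }
    if (retlen) *retlen = private_len;  /* aliasing can no longer hide the handle */
    return h;
}

/* Drive a hook with ProcessInformation and ReturnLength aliased, as in the issue. */
HANDLE_T run_aliased(int hardened) {
    union { HANDLE_T h; ULONG_T len; } buf = { 0 };  /* same 8 bytes for both outputs */
    g_closed = 0;
    return hardened ? hook_hardened(&buf.h, sizeof buf.h, &buf.len)
                    : hook_naive(&buf.h, sizeof buf.h, &buf.len);
}
int closed_count(void) { return g_closed; }
int main(void) {
    printf("naive saw 0x%llx\n", (unsigned long long)run_aliased(0));
    printf("hardened saw 0x%llx, closed %d\n", (unsigned long long)run_aliased(1), closed_count());
    return 0;
}
```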
Matthijs Lavrijsen commented
Thanks! This should be fixed now.