This repository was archived by the owner on Nov 4, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathObjectHandle.cpp
More file actions
154 lines (132 loc) · 4 KB
/
ObjectHandle.cpp
File metadata and controls
154 lines (132 loc) · 4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#include "ObjectHandle.h"
#include"head.h"
extern bool isDebugged;
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING;
typedef struct _OBJECT_TYPE_INFORMATION
{
UNICODE_STRING TypeName;
ULONG TotalNumberOfHandles;
ULONG TotalNumberOfObjects;
} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
typedef struct _OBJECT_ALL_INFORMATION
{
ULONG NumberOfObjects;
OBJECT_TYPE_INFORMATION ObjectTypeInformation[1];
} OBJECT_ALL_INFORMATION, * POBJECT_ALL_INFORMATION;
typedef enum _OBJECT_INFORMATION_CLASS {
ObjectBasicInformation,
ObjectTypeInformation
} OBJECT_INFORMATION_CLASS;
typedef NTSTATUS(WINAPI* TNtQueryObject)(
HANDLE Handle,
OBJECT_INFORMATION_CLASS ObjectInformationClass,
PVOID ObjectInformation,
ULONG ObjectInformationLength,
PULONG ReturnLength
);
enum { ObjectAllTypesInformation = 3 };
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
void ObjectHandle::check1()
{
HANDLE hToken;
BOOL fOk = FALSE;
HMODULE hNtdll = LoadLibraryA("ntdll.dll");
if (!hNtdll)
return;
TCsrGetProcessId pfnCsrGetProcessId = (TCsrGetProcessId)GetProcAddress(hNtdll, "CsrGetProcessId");
if (!pfnCsrGetProcessId)
return;
HANDLE hCsr = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pfnCsrGetProcessId());
if (hCsr != NULL)
{
isDebugged = true;
CloseHandle(hCsr);
return;
}
else
return;
}
bool ObjectHandle::check2()
{
bool bDebugged = false;
NTSTATUS status;
LPVOID pMem = nullptr;
ULONG dwMemSize;
POBJECT_ALL_INFORMATION pObjectAllInfo;
PBYTE pObjInfoLocation;
HMODULE hNtdll;
TNtQueryObject pfnNtQueryObject;
hNtdll = LoadLibraryA("ntdll.dll");
if (!hNtdll)
return false;
pfnNtQueryObject = (TNtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");
if (!pfnNtQueryObject)
return false;
status = pfnNtQueryObject(
NULL,
(OBJECT_INFORMATION_CLASS)ObjectAllTypesInformation,
&dwMemSize, sizeof(dwMemSize), &dwMemSize);
if (STATUS_INFO_LENGTH_MISMATCH != status)
goto NtQueryObject_Cleanup;
pMem = VirtualAlloc(NULL, dwMemSize, MEM_COMMIT, PAGE_READWRITE);
if (!pMem)
goto NtQueryObject_Cleanup;
status = pfnNtQueryObject(
(HANDLE)-1,
(OBJECT_INFORMATION_CLASS)ObjectAllTypesInformation,
pMem, dwMemSize, &dwMemSize);
if (!SUCCEEDED(status))
goto NtQueryObject_Cleanup;
pObjectAllInfo = (POBJECT_ALL_INFORMATION)pMem;
pObjInfoLocation = (PBYTE)pObjectAllInfo->ObjectTypeInformation;
for (UINT i = 0; i < pObjectAllInfo->NumberOfObjects; i++)
{
POBJECT_TYPE_INFORMATION pObjectTypeInfo =
(POBJECT_TYPE_INFORMATION)pObjInfoLocation;
if (wcscmp(L"DebugObject", pObjectTypeInfo->TypeName.Buffer) == 0)
{
if (pObjectTypeInfo->TotalNumberOfObjects > 0)
bDebugged = true;
break;
}
// Get the address of the current entries
// string so we can find the end
pObjInfoLocation = (PBYTE)pObjectTypeInfo->TypeName.Buffer;
// Add the size
pObjInfoLocation += pObjectTypeInfo->TypeName.Length;
// Skip the trailing null and alignment bytes
ULONG tmp = ((ULONG)pObjInfoLocation) & -4;
// Not pretty but it works
pObjInfoLocation = ((PBYTE)tmp) + sizeof(DWORD);
}
NtQueryObject_Cleanup:
if (pMem)
VirtualFree(pMem, 0, MEM_RELEASE);
if (bDebugged)
isDebugged = isDebugged;
return bDebugged;
}
bool ObjectHandle::check3()
{
bool ifDebugging;
__try
{
CloseHandle((HANDLE)0xBBBBBBBB);
return false;
}
__except (1)
{
return true;
}
}
void ObjectHandle::start()
{
check1();
check2();
if (check3() != false)
isDebugged = true;
}