New anti-debugging
2022-06-24 15:36:00 【franket】
First, we will introduce two new methods related to thread suspension. They are not the most revolutionary or useful, but I will try my best.
Bypass process freeze
This is a cute little thread creation flag that Microsoft added in 19H1. Have you ever wondered why there was a gap in the thread creation flags? Well, that gap is now filled by what I call THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE (I don't know its actual name), whose value is naturally 0x40.
To demonstrate what it does, here is how PsSuspendProcess works:

```cpp
NTSTATUS PsSuspendProcess(_EPROCESS* Process)
{
    const auto currentThread = KeGetCurrentThread();
    KeEnterCriticalRegionThread(currentThread);

    NTSTATUS status = STATUS_SUCCESS;
    if ( ExAcquireRundownProtection(&Process->RundownProtect) )
    {
        auto targetThread = PsGetNextProcessThread(Process, nullptr);
        while ( targetThread )
        {
            // Our flag in action: flagged threads are skipped entirely
            if ( !targetThread->Tcb.MiscFlags.BypassProcessFreeze )
                PsSuspendThread(targetThread, nullptr); // return value is never checked

            targetThread = PsGetNextProcessThread(Process, targetThread);
        }
        ExReleaseRundownProtection(&Process->RundownProtect);
    }
    else
        status = STATUS_PROCESS_IS_TERMINATING;

    if ( Process->Flags3.EnableThreadSuspendResumeLogging )
        EtwTiLogSuspendResumeProcess(status, Process, Process, 0);

    KeLeaveCriticalRegionThread(currentThread);
    return status;
}
```
As you can see, NtSuspendProcess (which calls PsSuspendProcess) simply ignores threads with this flag. Another benefit is that NtDebugActiveProcess will not suspend the thread either! As far as I know, once a thread has been created with this flag you cannot query or clear it, so there is not much you can do about it.

As for its usefulness, I would say it is just a nice way to prevent dumping: when you click "Suspend" in Process Hacker, it causes confusion, and the process simply carries on as if nothing happened.
Example
For example, here is a bit of fun code that keeps printing I am running. I'm sure seeing this while reversing would cause plenty of confusion as to why the hell it suspends its own process.

```cpp
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x40

// Thread routine: keeps running even after NtSuspendProcess is called on us
NTSTATUS printer(void*)
{
    while(true)
    {
        std::puts("I am running\n");
        Sleep(1000);
    }
    return STATUS_SUCCESS;
}

HANDLE handle;
NtCreateThreadEx(&handle, MAXIMUM_ALLOWED, nullptr, NtCurrentProcess(),
                 &printer, nullptr, THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE,
                 0, 0, 0, nullptr);
// Suspends every thread of this process except the one created above
NtSuspendProcess(NtCurrentProcess());
```
Suspend me

Continuing the trend of NtSuspendProcess misbehaving, we will once again abuse how it works to detect whether our process has been suspended.

The trick is that the suspend count is a signed 8-bit value. Just like last time, here is some code showing how it works internally:
```cpp
ULONG KeSuspendThread(_ETHREAD *Thread)
{
    auto irql = KeRaiseIrql(DISPATCH_LEVEL);
    KiAcquireKobjectLockSafe(&Thread->Tcb.SuspendEvent);

    auto oldSuspendCount = Thread->Tcb.SuspendCount;
    if ( oldSuspendCount == MAXIMUM_SUSPEND_COUNT ) // 127
    {
        // Already at the ceiling: release the lock and fail instead of incrementing
        _InterlockedAnd(&Thread->Tcb.SuspendEvent.Header.Lock, 0xFFFFFF7F);
        KeLowerIrql(irql);
        ExRaiseStatus(STATUS_SUSPEND_COUNT_EXCEEDED);
    }

    auto prcb = KeGetCurrentPrcb();
    if ( KiSuspendThread(Thread, prcb) )
        ++Thread->Tcb.SuspendCount;

    _InterlockedAnd(&Thread->Tcb.SuspendEvent.Header.Lock, 0xFFFFFF7F);
    KiExitDispatcher(prcb, 0, 1, 0, irql);
    return oldSuspendCount;
}
```
If you look back at the first code example, PsSuspendProcess has no error checking and does not care if it fails to suspend a thread. So what happens when you then call NtResumeProcess? It decrements the suspend count! What we need to do is make the most of that: when someone decides to suspend and resume us, they will actually leave the count in a state it was not in before.
Example
The following simple code works quite well against:
- Visual Studio - prevents it from pausing the process after attaching.
- WinDbg - detected while attaching.
- x64dbg - the pause button stops working, with error messages such as "The program is not running", until you manually switch to the main thread.
- ScyllaHide - older versions used NtSuspendProcess and were detected, but this has been fixed since my report.

```cpp
// `thread` is a handle to a thread of this process (its creation is not shown here)
// Drive the count to the 127 ceiling; the 128th call fails with STATUS_SUSPEND_COUNT_EXCEEDED
for(size_t i = 0; i < 128; ++i)
    NtSuspendThread(thread, nullptr);

while(true)
{
    // If a suspend now succeeds, someone has resumed us in the meantime
    if(NtSuspendThread(thread, nullptr) != STATUS_SUSPEND_COUNT_EXCEEDED)
        std::puts("I was suspended\n");
    Sleep(1000);
}
```
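As an added illustration (constructed for this page, not the author's code and not Windows itself), the following C program models the arithmetic described above: a signed 8-bit SuspendCount capped at 127, a process-wide suspend that discards per-thread failures, and a resume that decrements the count. It then contrasts an NtSuspendProcess-style freeze, which leaves the saturated helper thread at 126 and trips the probe, with a per-thread freeze that checks every result, reports that the freeze was incomplete and restores only the threads it actually suspended. The resume behaviour is an assumption (the page describes but does not list it), the thread and process structures are constructed, and the NTSTATUS constant is the ntstatus.h value.

```c
/* Constructed model of the NT suspend-count arithmetic; not Windows code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAXIMUM_SUSPEND_COUNT 127
#define STATUS_SUCCESS 0x00000000u
#define STATUS_SUSPEND_COUNT_EXCEEDED 0xC000004Au  /* value from ntstatus.h */
#define MAX_THREADS 4

typedef struct { int8_t suspend_count; } thread_t;   /* signed 8-bit, like KTHREAD.SuspendCount */
typedef struct { thread_t threads[MAX_THREADS]; int count; } process_t;

/* KeSuspendThread as shown on the page: refuse at 127, otherwise increment.
 * Returns the previous count; the outcome is reported through *status. */
static int ke_suspend_thread(thread_t *t, uint32_t *status) {
    int old = t->suspend_count;
    if (old == MAXIMUM_SUSPEND_COUNT) { *status = STATUS_SUSPEND_COUNT_EXCEEDED; return old; }
    t->suspend_count++;
    *status = STATUS_SUCCESS;
    return old;
}

/* Assumed resume path: decrement a positive count, never below zero. */
static int ke_resume_thread(thread_t *t) {
    int old = t->suspend_count;
    if (old > 0) t->suspend_count--;
    return old;
}

/* NtSuspendProcess / NtResumeProcess: walk every thread and ignore failures. */
static void nt_suspend_process(process_t *p) {
    for (int i = 0; i < p->count; i++) { uint32_t st; ke_suspend_thread(&p->threads[i], &st); }
}
static void nt_resume_process(process_t *p) {
    for (int i = 0; i < p->count; i++) ke_resume_thread(&p->threads[i]);
}

/* Protected-program side, mirroring the page's snippet: saturate a helper thread,
 * then probe it. A probe that succeeds means the process was suspended and
 * resumed in between (and it re-saturates the count). */
static void saturate_helper(thread_t *t) {
    for (int i = 0; i < 128; i++) { uint32_t st; ke_suspend_thread(t, &st); }
}
static bool probe_was_suspended(thread_t *t) {
    uint32_t st;
    ke_suspend_thread(t, &st);
    return st != STATUS_SUSPEND_COUNT_EXCEEDED;
}

/* Debugger side: freeze thread by thread, remember which suspends took effect,
 * report whether the freeze is complete, and thaw only what was suspended. */
typedef struct { bool complete; int not_suspended; } freeze_result_t;

static freeze_result_t careful_freeze(process_t *p, bool suspended[MAX_THREADS]) {
    freeze_result_t r = { true, 0 };
    for (int i = 0; i < p->count; i++) {
        uint32_t st;
        ke_suspend_thread(&p->threads[i], &st);
        suspended[i] = (st == STATUS_SUCCESS);
        if (!suspended[i]) { r.complete = false; r.not_suspended++; }
    }
    return r;
}
static void careful_thaw(process_t *p, const bool suspended[MAX_THREADS]) {
    for (int i = 0; i < p->count; i++)
        if (suspended[i]) ke_resume_thread(&p->threads[i]);
}

/* Constructed scenario: thread 0 is the main thread, thread 1 the saturated helper. */
static process_t make_process(void) {
    process_t p = { .count = 2 };
    saturate_helper(&p.threads[1]);
    return p;
}

/* Suspend + resume of the whole process leaves the helper at 126: the probe fires. */
static bool naive_tool_is_detected(void) {
    process_t p = make_process();
    nt_suspend_process(&p);
    nt_resume_process(&p);
    return probe_was_suspended(&p.threads[1]);
}

/* The per-thread routine sees the helper could not be suspended, never resumes it,
 * and leaves every count as it found it: the probe stays silent. */
static bool careful_tool_is_detected(freeze_result_t *out) {
    process_t p = make_process();
    bool suspended[MAX_THREADS] = { false };
    freeze_result_t r = careful_freeze(&p, suspended);
    careful_thaw(&p, suspended);
    if (out) *out = r;
    return probe_was_suspended(&p.threads[1]);
}

int main(void) {
    freeze_result_t r;
    printf("NtSuspendProcess-style tool detected: %s\n", naive_tool_is_detected() ? "yes" : "no");
    printf("per-thread tool detected: %s\n", careful_tool_is_detected(&r) ? "yes" : "no");
    printf("freeze complete: %s, threads not suspended: %d\n", r.complete ? "yes" : "no", r.not_suspended);
    return 0;
}
```

The point for tool authors is in careful_freeze: a suspend that reports STATUS_SUSPEND_COUNT_EXCEEDED is a signal, not noise, and a thread that was never suspended must not be "resumed" later.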
Conclusion
If anything, I hope this shows that it is best not to rely on NtSuspendProcess in tools that you expect to handle potentially malicious or protected code. I hope you enjoyed this article, and I hope to have more content in the coming weeks.