New anti-debugging techniques
2022-06-24 15:36:00 【franket】
In this post I will introduce two new anti-debug tricks, both related to thread suspension. They are not the most revolutionary or useful ones out there, but I will do my best to make them interesting.
Bypass process freeze
This one is a cute little thread creation flag that Microsoft added in 19H1. Have you ever wondered why there is a gap in the thread creation flags? Well, that gap is now filled by what I call THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE (I don't know its actual name), whose value is naturally 0x40.
To show what it does, here is how PsSuspendProcess works:

```cpp
NTSTATUS PsSuspendProcess(_EPROCESS* Process)
{
    const auto currentThread = KeGetCurrentThread();
    KeEnterCriticalRegionThread(currentThread);

    NTSTATUS status = STATUS_SUCCESS;
    if (ExAcquireRundownProtection(&Process->RundownProtect))
    {
        auto targetThread = PsGetNextProcessThread(Process, nullptr);
        while (targetThread)
        {
            // Our flag in action
            if (!targetThread->Tcb.MiscFlags.BypassProcessFreeze)
                PsSuspendThread(targetThread, nullptr);

            targetThread = PsGetNextProcessThread(Process, targetThread);
        }
        ExReleaseRundownProtection(&Process->RundownProtect);
    }
    else
        status = STATUS_PROCESS_IS_TERMINATING;

    if (Process->Flags3.EnableThreadSuspendResumeLogging)
        EtwTiLogSuspendResumeProcess(status, Process, Process, 0);

    KeLeaveCriticalRegionThread(currentThread);
    return status;
}
```
As you can see, NtSuspendProcess calls PsSuspendProcess, which simply skips every thread that carries this flag. The other bonus is that such a thread will not be suspended by NtDebugActiveProcess either! As far as I can tell, once a thread has been created with this flag you can neither query nor clear it, so there is not much a tool can do about it after the fact.
As for its usefulness, I would say it is mainly a nice anti-dumping measure: when you click "Suspend" in Process Hacker, the process just keeps running as if nothing had happened, which is bound to cause some confusion.
Example
For example, here is a bit of fun code that keeps printing "I am running". I am sure that seeing this while reversing would cause quite a lot of confusion as to why the hell the process did not suspend itself.

```cpp
// Requires a native API header (for example phnt) for NtCreateThreadEx/NtSuspendProcess.
#define THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE 0x40

NTSTATUS printer(void*)
{
    while (true)
    {
        std::puts("I am running\n");
        Sleep(1000);
    }
    return STATUS_SUCCESS;
}

HANDLE handle;
// Create the thread with the bypass flag; everything else is left at its default.
NtCreateThreadEx(&handle, MAXIMUM_ALLOWED, nullptr, NtCurrentProcess(),
                 &printer, nullptr, THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE,
                 0, 0, 0, nullptr);

// Suspends every thread in the process - except the one we just created.
NtSuspendProcess(NtCurrentProcess());
```
Suspend me more
Continuing the theme of NtSuspendProcess misbehaving, we will abuse how it works once more, this time to detect whether our process has been suspended.

The trick is that the suspend count is a signed 8-bit value. Just like last time, here is some code showing how it works internally:

```cpp
ULONG KeSuspendThread(_ETHREAD* Thread)
{
    auto irql = KeRaiseIrql(DISPATCH_LEVEL);
    KiAcquireKobjectLockSafe(&Thread->Tcb.SuspendEvent);

    auto oldSuspendCount = Thread->Tcb.SuspendCount;
    if (oldSuspendCount == MAXIMUM_SUSPEND_COUNT) // 127
    {
        _InterlockedAnd(&Thread->Tcb.SuspendEvent.Header.Lock, 0xFFFFFF7F);
        KeLowerIrql(irql);
        ExRaiseStatus(STATUS_SUSPEND_COUNT_EXCEEDED);
    }

    auto prcb = KeGetCurrentPrcb();
    if (KiSuspendThread(Thread, prcb))
        ++Thread->Tcb.SuspendCount;

    _InterlockedAnd(&Thread->Tcb.SuspendEvent.Header.Lock, 0xFFFFFF7F);
    KiExitDispatcher(prcb, 0, 1, 0, irql);
    return oldSuspendCount;
}
```
If you look back at the first code example, PsSuspendProcess does no error checking at all: it does not care whether suspending a thread failed. So what happens when you then call NtResumeProcess? It decrements the suspend count anyway! All we need to do is max the count out in advance, so that when someone suspends and resumes us, they leave the count in a state it was not in before.
Example
The following simple code works quite well against:

- Visual Studio - prevents it from pausing the process after attaching.
- WinDbg - detected while attaching.
- x64dbg - the pause button becomes useless, with errors like "Program is not running", until you manually switch to the main thread.
- ScyllaHide - older versions used NtSuspendProcess and were therefore detected, but this has been fixed since my report.

```cpp
// `thread` is a handle to a dedicated sentinel thread created beforehand.
for (size_t i = 0; i < 128; ++i)
    NtSuspendThread(thread, nullptr);   // the first 127 calls succeed, the 128th fails harmlessly

while (true)
{
    // Only an intervening NtResumeProcess can have lowered the count below 127;
    // a successful suspend here both reports that and re-arms the sentinel.
    if (NtSuspendThread(thread, nullptr) != STATUS_SUSPEND_COUNT_EXCEEDED)
        std::puts("I was suspended\n");
    Sleep(1000);
}
```
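To make the two mechanisms above concrete without needing a Windows kernel, here is a portable model of the logic shown in both decompilations (PsSuspendProcess skipping flagged threads and discarding the per-thread status; KeSuspendThread refusing to exceed 127; the resume path decrementing regardless). This is an added example, not code from the original post; the struct and function names are my own simplification, and the assumption that the resume path has no flag check is marked in the code (it does not affect the result, since a flagged thread is never counted up).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values as the kernel defines them. */
typedef int32_t ntstatus_t;
#define STATUS_SUCCESS                ((ntstatus_t)0x00000000)
#define STATUS_SUSPEND_COUNT_EXCEEDED ((ntstatus_t)0xC000004A)
#define MAXIMUM_SUSPEND_COUNT         127   /* KTHREAD.SuspendCount is a signed 8-bit field */

/* Stand-in for the KTHREAD fields the decompilations touch (names are mine). */
typedef struct {
    bool   bypass_process_freeze;  /* Tcb.MiscFlags.BypassProcessFreeze, set via flag 0x40 */
    int8_t suspend_count;          /* Tcb.SuspendCount */
} model_thread;

typedef struct { model_thread *threads; size_t count; } model_process;

/* KeSuspendThread: refuses at 127 instead of overflowing the signed byte. */
static ntstatus_t model_suspend_thread(model_thread *t)
{
    if (t->suspend_count == MAXIMUM_SUSPEND_COUNT)
        return STATUS_SUSPEND_COUNT_EXCEEDED;
    t->suspend_count++;
    return STATUS_SUCCESS;
}

/* KeResumeThread: only decrements, never fails. Assumed: no flag check on resume. */
static ntstatus_t model_resume_thread(model_thread *t)
{
    if (t->suspend_count > 0)
        t->suspend_count--;
    return STATUS_SUCCESS;
}

/* PsSuspendProcess as shown above: skips flagged threads, discards per-thread errors. */
static ntstatus_t model_suspend_process(model_process *p)
{
    for (size_t i = 0; i < p->count; i++)
        if (!p->threads[i].bypass_process_freeze)
            (void)model_suspend_thread(&p->threads[i]);   /* STATUS_SUSPEND_COUNT_EXCEEDED is lost here */
    return STATUS_SUCCESS;
}

static ntstatus_t model_resume_process(model_process *p)
{
    for (size_t i = 0; i < p->count; i++)
        (void)model_resume_thread(&p->threads[i]);
    return STATUS_SUCCESS;
}

/* Second technique, setup: drive the sentinel's count to the ceiling. */
static void saturate_sentinel(model_thread *t)
{
    for (int i = 0; i < 128; i++)
        (void)model_suspend_thread(t);   /* 127 succeed, the 128th is refused */
}

/* Second technique, poll: a successful suspend proves a resume happened in between,
   and at the same time re-arms the sentinel (count is back at 127). */
static bool sentinel_was_suspended(model_thread *t)
{
    return model_suspend_thread(t) != STATUS_SUSPEND_COUNT_EXCEEDED;
}

/* First technique: what a process freeze does to a thread with/without the flag. */
static int count_after_freeze(bool flagged)
{
    model_thread t = { .bypass_process_freeze = flagged, .suspend_count = 0 };
    model_process proc = { &t, 1 };
    model_suspend_process(&proc);
    return t.suspend_count;   /* 0 when flagged, 1 otherwise */
}

/* Second technique: with a suspend/resume cycle the sentinel fires; without one it stays quiet. */
static bool sentinel_detects_cycle(bool do_cycle)
{
    model_thread sentinel = { .bypass_process_freeze = false, .suspend_count = 0 };
    model_process proc = { &sentinel, 1 };
    saturate_sentinel(&sentinel);
    if (do_cycle) {
        model_suspend_process(&proc);   /* refused, and the refusal is silently dropped */
        model_resume_process(&proc);    /* 127 -> 126 */
    }
    return sentinel_was_suspended(&sentinel);
}

int main(void)
{
    printf("flagged thread after freeze:   count %d\n", count_after_freeze(true));
    printf("unflagged thread after freeze: count %d\n", count_after_freeze(false));
    printf("sentinel after suspend+resume: %s\n", sentinel_detects_cycle(true) ? "detected" : "quiet");
    printf("sentinel with no cycle:        %s\n", sentinel_detects_cycle(false) ? "detected" : "quiet");
    return 0;
}
```

The model makes the asymmetry visible: the suspend side is bounded and its failure is thrown away, while the resume side is unconditional, so one suspend/resume pair leaves a one-step fingerprint that the polling thread can read back and erase in a single call.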
Conclusion
If anything, I hope this shows that it is best not to rely on NtSuspendProcess in tools that are expected to handle potentially malicious or protected code. Both tricks live in the PsSuspendProcess loop shown above: that is where the flag is checked and where the return value of PsSuspendThread is thrown away. A tool that enumerates the threads and suspends each one with NtSuspendThread at least gets to see STATUS_SUSPEND_COUNT_EXCEEDED instead of silently losing it. I hope you enjoyed this post, and I hope to have more content in the coming weeks.