).
Code:
;-----------------------------------------------------------------------
; %NTERR -- inline debug trap on a non-zero NTSTATUS in eax
; Expanded after each Zw*/Rtl* call below: if eax != 0 it executes int 3
; (breakpoint), otherwise it is a no-op.  eax keeps its value; flags are
; modified.
; NOTE(review): this treats every non-zero status as an error, but
; NT_SUCCESS is actually (status >= 0), so a positive informational or
; warning status would trap as well.  Harmless for the calls used in this
; file as long as they return 0 on success -- confirm per call.
;-----------------------------------------------------------------------
%NTERR macro
	test	eax, eax		; ZF = (status == 0)
	jz	@F			; 0 == STATUS_SUCCESS: nothing to do
	int	3			; any other status: break into the debugger
@@:
endm
.code
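;-----------------------------------------------------------------------
; NTSTATUS CreateHiddenThread(PVOID Ip)            x86-32 Windows, stdcall, MASM
; Creates a thread in the current process that ends up running at Ip, but
; not through the normal thread start: the thread is created suspended with
; a StartAddress of -1, parked in a virtual-8086 (V86) context at 0000:0002
; (a stc / jmp $ stub written into page 0), and only once CF is observed in
; its EFLAGS is it given a flat ring-3 context whose Eip is Ip.
; In:    Ip   = address the thread finally executes (stack argument)
; Out:   eax  = status of the final ZwResumeThread (0 on the normal path);
;               an earlier failing call hits the int 3 inside %NTERR instead
; Clobb: eax, ecx, edx, flags; ebx/esi/edi are saved/restored by 'uses'
; Locals: Context, RegionAddress/RegionSize (the page-0 mapping),
;         ThreadHandle, ClientId.  ThreadHandle is never closed here.
; Review notes (defensive): the -1 start address, a suspended thread whose
;   context carries EFLAGS_VM, and an RWX commit at page 0 are each
;   observable from thread-create / context / allocation monitoring.
;-----------------------------------------------------------------------
CreateHiddenThread proc uses ebx esi edi Ip:PVOID
Local Context:CONTEXT
Local RegionAddress:PVOID, RegionSize:ULONG
Local ThreadHandle:HANDLE
Local ClientId:CLIENT_ID
; Map page 0 RWX: a requested base of 4 is presumably rounded down to the
; page base (0) by the allocator -- the write to ds:[2] below relies on it.
	mov RegionAddress,4
	mov RegionSize,PAGE_SIZE
	invoke ZwAllocateVirtualMemory, NtCurrentProcess, addr RegionAddress, 0, addr RegionSize, MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE
	%NTERR
; RtlCreateUserThread(Process, SecurityDescriptor, CreateSuspended=TRUE,
; ZeroBits, StackReserve, StackCommit, StartAddress=-1, Parameter=0,
; &ThreadHandle, &ClientId).  The -1 start address is never executed: the
; thread's context is replaced below before it is ever resumed.
	invoke RtlCreateUserThread, NtCurrentProcess, NULL, TRUE, 0, NULL, NULL, -1, 0, addr ThreadHandle, addr ClientId
	%NTERR
; Read the initial control + segment registers of the suspended thread.
	mov Context.ContextFlags,CONTEXT_CONTROL or CONTEXT_SEGMENTS
	invoke ZwGetContextThread, ThreadHandle, addr Context
	%NTERR
; Cs:Ip
; V86 context: CS:IP = 0000:0002, i.e. linear address 2, with the VM bit set.
	mov Context.regEip,2
	mov Context.regSegCs,0
	mov Context.regEFlags,EFLAGS_VM or EFLAGS_MASK
	mov ebx,Context.regEsp			; keep the thread's original Esp for the flat context below
	mov dword ptr ds:[2],90FEEBF9H	; Stc/Jmp $  -- bytes F9 EB FE 90 at linear 2: stc; jmp $; nop
	invoke ZwSetContextThread, ThreadHandle, addr Context
	%NTERR
	invoke ZwResumeThread, ThreadHandle, NULL
	%NTERR
; Poll until CF shows up in the thread's EFLAGS: only the stc at 0000:0002
; sets it, so this proves the V86 context took effect and the thread is
; parked in jmp $.  This is an unbounded busy-wait with no sleep -- if the
; thread never enters V86 (e.g. under 64-bit Windows, where VM86 mode does
; not exist), the loop never ends.  NOTE(review): consider an iteration bound.
	.repeat
		invoke ZwGetContextThread, ThreadHandle, addr Context
		%NTERR
		test Context.regEFlags,EFLAGS_CF
	.until !Zero?
	invoke ZwSuspendThread, ThreadHandle, NULL
	%NTERR
; Rebuild a flat ring-3 context: KGDT_R3_CODE|RPL = 1Bh, KGDT_R3_DATA|RPL = 23h,
; KGDT_R3_TEB|RPL = 3Bh.  Gs is not written and stays as read back from the
; V86 context -- presumably 0, confirm.  Esp is the original value kept in ebx.
	mov ecx,Ip
	mov Context.regSegCs,KGDT_R3_CODE or RPL_MASK
	mov Context.regSegDs,KGDT_R3_DATA or RPL_MASK
	mov Context.regSegEs,KGDT_R3_DATA or RPL_MASK
	mov Context.regSegSs,KGDT_R3_DATA or RPL_MASK
	mov Context.regSegFs,KGDT_R3_TEB or RPL_MASK
	mov Context.regEsp,ebx
	mov Context.regEip,ecx
	mov Context.regEFlags,EFLAGS_MASK	; VM bit cleared; EFLAGS_MASK is the base flag image from the includes (see '!TF' in Entry)
	invoke ZwSetContextThread, ThreadHandle, addr Context
	%NTERR
; Unmap page 0 again.  Checked like every other call in this function: a
; failure here would otherwise silently leave page 0 committed RWX, turning
; every null-pointer dereference in this process into a valid access.
	invoke ZwFreeVirtualMemory, NtCurrentProcess, addr RegionAddress, addr RegionSize, MEM_RELEASE
	%NTERR
	invoke ZwResumeThread, ThreadHandle, NULL	; the thread now runs at Ip on its original stack
	%NTERR
	ret
CreateHiddenThread endp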
;-----------------------------------------------------------------------
; Payload(Arg) -- body executed by the hidden thread (CreateHiddenThread
; sets that thread's Eip to this address).
; Raises a hard-error dialog (STATUS_SUCCESS, OK/Cancel responses) and then
; ends the thread with RtlExitUserThread; it never returns, so the
; auto-generated epilogue is unreachable.  Arg is not used.
; NOTE(review): NumberOfParameters is 1 while the Parameters pointer is 0,
; and the status of ZwRaiseHardError is not checked -- confirm the call is
; accepted as written.
;-----------------------------------------------------------------------
Payload proc Arg:PVOID
Local Response:ULONG
	; ZwRaiseHardError(ErrorStatus, NumberOfParameters, UnicodeStringParameterMask,
	;                  Parameters, ValidResponseOptions, &Response)
	; stdcall: arguments pushed right to left, callee cleans the stack.
	lea	eax,Response
	push	eax				; &Response
	push	OptionOkCancel			; ValidResponseOptions
	push	0				; Parameters
	push	0				; UnicodeStringParameterMask
	push	1				; NumberOfParameters
	push	STATUS_SUCCESS			; ErrorStatus
	call	ZwRaiseHardError
	; RtlExitUserThread(STATUS_SUCCESS) -- terminates this thread, no return
	push	STATUS_SUCCESS
	call	RtlExitUserThread
Payload endp
;-----------------------------------------------------------------------
; Entry -- program entry point (see 'end Entry').
; Builds a control context for the current thread (Ebp, Eip=Cont, CS,
; EFLAGS, Esp, SS -- exactly the CONTEXT_CONTROL field set) and hands it to
; ZwContinue, which resumes execution at Cont with that register image.
; Per the '!TF' comment the point is to continue with a clean flag image
; (trap flag clear).  ZwContinue only returns on failure, and in that case
; execution falls through into Cont anyway, so the 'test eax,eax' does not
; influence control flow.  Cont then starts the hidden thread at Payload and
; returns to Entry's caller while that thread is still running.
; Clobb: eax, ecx, edx, flags.
;-----------------------------------------------------------------------
Entry proc
Local Context:CONTEXT
	mov Context.ContextFlags,CONTEXT_CONTROL	; only Ebp/Eip/Cs/EFlags/Esp/Ss are applied
	mov Context.regEbp,ebp				; current frame pointer (set up by the generated prologue)
	mov Context.regEip,offset Cont			; resume address
	mov Context.regSegCs,KGDT_R3_CODE or RPL_MASK	; flat ring-3 code selector (1Bh)
	mov Context.regEFlags,EFLAGS_MASK	; !TF -- base flag image from the includes, trap flag clear
	mov Context.regEsp,esp				; current stack pointer, unchanged by the movs above
	mov Context.regSegSs,KGDT_R3_DATA or RPL_MASK	; flat ring-3 data selector (23h)
	invoke ZwContinue, addr Context, FALSE		; TestAlert = FALSE; does not return on success
	test eax,eax					; reached only if ZwContinue failed; flags are not consumed
Cont:
	invoke CreateHiddenThread, addr Payload		; hidden thread runs Payload
	ret						; returns to the caller of Entry; the hidden thread keeps running
Entry endp
end Entry