Merge pull request ayoubfaouzi#200 from LordNoteworthy/Noteworthy

add trap flag anti debug
LYingSiMon · Feb 3, 2020 · 654b266 · 654b266
2 parents 6e66d44 + d7fd5d8
commit 654b266
Show file tree

Hide file tree

Showing 8 changed files with 73 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 
 #### 0.80
 
+- Anti anti-debug trick: trap flag.
 - Add check for well known names used by malware sandboxes.
 - Improve ProcessDebugObject anti-debug check thanks to @Mattiwatti
 

diff --git a/README.md b/README.md
@@ -67,6 +67,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - Memory Breakpoints (PAGE_GUARD)
 - Interrupt 0x2d
 - Interrupt 1
+- Trap Flag
 - Parent Process (Explorer.exe)
 - SeDebugPrivilege (Csrss.exe)
 - NtYieldExecution / SwitchToThread

diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -23,7 +23,7 @@ int main(void)
 	BOOL	ENABLE_DUMPING_CHECK = TRUE;
 	BOOL	ENABLE_ANALYSIS_TOOLS_CHECK = TRUE;
 	BOOL	ENABLE_ANTI_DISASSM_CHECKS = TRUE;
-
+	
 	/* Resize the console window for better visibility */
 	resize_console_window();
 
@@ -70,6 +70,7 @@ int main(void)
 		exec_check(&SoftwareBreakpoints, TEXT("Checking Software Breakpoints "));
 		exec_check(&Interrupt_0x2d, TEXT("Checking Interupt 0x2d "));
 		exec_check(&Interrupt_3, TEXT("Checking Interupt 1 "));
+		exec_check(&TrapFlag, TEXT("Checking trap flag"));
 		exec_check(&MemoryBreakpoints_PageGuard, TEXT("Checking Memory Breakpoints PAGE GUARD "));
 		exec_check(&IsParentExplorerExe, TEXT("Checking If Parent Process is explorer.exe "));
 		exec_check(&CanOpenCsrss, TEXT("Checking SeDebugPrivilege "));

diff --git a/al-khaser/AntiDebug/TrapFlag.cpp b/al-khaser/AntiDebug/TrapFlag.cpp
@@ -0,0 +1,57 @@
+#include "pch.h"
+
+#include "TrapFlag.h"
+
+/*
+	This technique is similar to exceptions based debugger detections.
+	You enable the trap flag in the current process and check whether
+	an exception is raised or not. If an exception is not raised, you
+	can assume that a debugger has “swallowed” the exception for us,
+	and that the program is being traced. The beauty of this approach
+	is that it detects every debugger, user mode or kernel mode,
+	because they all use the trap flag for tracing a program.
+
+	Vectored Exception Handling is used here because SEH is an
+	anti-debug trick in itself.
+*/
+
+static BOOL SwallowedException = TRUE;
+
+static LONG CALLBACK VectoredHandler(
+	_In_ PEXCEPTION_POINTERS ExceptionInfo
+)
+{
+	SwallowedException = FALSE;
+	if (ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
+	{
+		//Increase EIP/RIP to continue execution.
+#ifdef _WIN64
+		ExceptionInfo->ContextRecord->Rip++;
+#else
+		ExceptionInfo->ContextRecord->Eip++;
+#endif
+		return EXCEPTION_CONTINUE_EXECUTION;
+	}
+	return EXCEPTION_CONTINUE_SEARCH;
+}
+
+
+
+BOOL TrapFlag()
+{
+	PVOID Handle = AddVectoredExceptionHandler(1, VectoredHandler);
+	SwallowedException = TRUE;
+
+#ifdef _WIN64
+	UINT64 eflags = __readeflags();
+#else
+	UINT eflags = __readeflags();
+#endif
+
+	//  Set the trap flag
+	eflags |= 0x100;
+	__writeeflags(eflags);
+
+	RemoveVectoredExceptionHandler(Handle);
+	return SwallowedException;
+}
diff --git a/al-khaser/AntiDebug/TrapFlag.h b/al-khaser/AntiDebug/TrapFlag.h
@@ -0,0 +1,3 @@
+#pragma once
+
+BOOL TrapFlag();
diff --git a/al-khaser/al-khaser.vcxproj b/al-khaser/al-khaser.vcxproj
@@ -198,6 +198,7 @@
     <ClInclude Include="AntiDebug\SharedUserData_KernelDebugger.h" />
     <ClInclude Include="AntiDebug\SoftwareBreakpoints.h" />
     <ClInclude Include="AntiDebug\TLS_callbacks.h" />
+    <ClInclude Include="AntiDebug\TrapFlag.h" />
     <ClInclude Include="AntiDebug\UnhandledExceptionFilter_Handler.h" />
     <ClInclude Include="AntiDebug\WriteWatch.h" />
     <ClInclude Include="AntiDebug\WUDF_IsDebuggerPresent.h" />
@@ -269,6 +270,7 @@
     <ClCompile Include="AntiDebug\SharedUserData_KernelDebugger.cpp" />
     <ClCompile Include="AntiDebug\SoftwareBreakpoints.cpp" />
     <ClCompile Include="AntiDebug\TLS_callbacks.cpp" />
+    <ClCompile Include="AntiDebug\TrapFlag.cpp" />
     <ClCompile Include="AntiDebug\UnhandledExceptionFilter_Handler.cpp" />
     <ClCompile Include="AntiDebug\WriteWatch.cpp" />
     <ClCompile Include="AntiDebug\WUDF_IsDebuggerPresent.cpp" />
@@ -322,6 +324,7 @@
     <MASM Include="AntiDisassm\AntiDisassm_x86.asm">
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
       <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">true</ExcludedFromBuild>
+      <UseSafeExceptionHandlers Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">true</UseSafeExceptionHandlers>
     </MASM>
   </ItemGroup>
   <ItemGroup>

diff --git a/al-khaser/al-khaser.vcxproj.filters b/al-khaser/al-khaser.vcxproj.filters
@@ -280,6 +280,9 @@
     <ClInclude Include="AntiDisassm\pch.h">
       <Filter>AntiDisassm\Header</Filter>
     </ClInclude>
+    <ClInclude Include="AntiDebug\TrapFlag.h">
+      <Filter>AntiDebug\Header</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="al-khaser.cpp" />
@@ -458,6 +461,9 @@
     <ClCompile Include="AntiDisassm\AntiDisassm.cpp">
       <Filter>AntiDisassm\Source</Filter>
     </ClCompile>
+    <ClCompile Include="AntiDebug\TrapFlag.cpp">
+      <Filter>AntiDebug\Source</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="AntiDebug\int2d_x86.asm">

diff --git a/al-khaser/pch.h b/al-khaser/pch.h