Merge pull request ayoubfaouzi#215 from LordNoteworthy/Noteworthy

New Anti-Debug: Low Fragmentation Heap
lck0 · Aug 31, 2020 · 9fbe13a · 9fbe13a
2 parents 8c7a5f3 + cd4dc5c
commit 9fbe13a
Show file tree

Hide file tree

Showing 10 changed files with 160 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+#### 0.81
+
+- Add anti-debug trick: Low Fragmentation Heap.
 
 #### 0.80
 

diff --git a/README.md b/README.md
@@ -49,6 +49,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
 - Process Environment Block (NtGlobalFlag)
 - ProcessHeap (Flags)
 - ProcessHeap (ForceFlags)
+- Low Fragmentation Heap (LFH)
 - NtQueryInformationProcess (ProcessDebugPort)
 - NtQueryInformationProcess (ProcessDebugFlags)
 - NtQueryInformationProcess (ProcessDebugObject)

diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -57,6 +57,7 @@ int main(void)
 		exec_check(&NtGlobalFlag, TEXT("Checking PEB.NtGlobalFlag "));
 		exec_check(&HeapFlags, TEXT("Checking ProcessHeap.Flags "));
 		exec_check(&HeapForceFlags, TEXT("Checking ProcessHeap.ForceFlags "));
+		exec_check(&LowFragmentationHeap, TEXT("Checking Low Fragmentation Heap"));
 		exec_check(&NtQueryInformationProcess_ProcessDebugPort, TEXT("Checking NtQueryInformationProcess with ProcessDebugPort "));
 		exec_check(&NtQueryInformationProcess_ProcessDebugFlags, TEXT("Checking NtQueryInformationProcess with ProcessDebugFlags "));
 		exec_check(&NtQueryInformationProcess_ProcessDebugObject, TEXT("Checking NtQueryInformationProcess with ProcessDebugObject "));

diff --git a/al-khaser/AntiDebug/LowFragmentationHeap.cpp b/al-khaser/AntiDebug/LowFragmentationHeap.cpp
@@ -0,0 +1,61 @@
+#include "pch.h"
+#include "LowFragmentationHeap.h"
+
+
+BOOL
+LowFragmentationHeap(
+	VOID
+)
+/*++
+
+Routine Description:
+	Originally found by Souhail Hammou:
+	http://rce4fun.blogspot.com/2014/02/anti-debugging-trick-checking-for-low.html
+	Under a debugger, the process does not have a Low Fragmentation Heap (LFH)
+	The routine simply checks weather the nt!_HEAP.FrontEndHeap is NULL.
+
+Arguments:
+
+	None
+
+Return Value:
+
+	TRUE - if debugger was detected
+	FALSE - otherwise
+--*/
+{
+
+	PINT_PTR FrontEndHeap = NULL;
+
+	// Get the default process heap.
+	HANDLE hHeap = GetProcessHeap();
+
+	// The FrontEndHeap offset of the _HEAP structure
+	// is found on different locations depending of the OS.
+
+	if (IsWindowsVista() || IsWindows7()) {
+#if defined (ENV64BIT)
+		FrontEndHeap = (PINT_PTR)((CHAR*)hHeap + 0x178);
+
+#elif defined(ENV32BIT)
+		FrontEndHeap = (PINT_PTR)((CHAR*)hHeap + 0xd4);
+#endif
+	}
+
+	if (IsWindows8or8PointOne()) {
+#if defined (ENV64BIT)
+		FrontEndHeap = (PINT_PTR)((CHAR*)hHeap + 0x170);
+
+#elif defined(ENV32BIT)
+		FrontEndHeap = (PINT_PTR)((CHAR*)hHeap + 0xd0);
+#endif
+	}
+
+	// In Windows 10. the offset changes very often.
+	// Ignoring it from now.
+	if (*FrontEndHeap == NULL) {
+		return TRUE;
+	}
+
+	return FALSE;
+}
diff --git a/al-khaser/AntiDebug/LowFragmentationHeap.h b/al-khaser/AntiDebug/LowFragmentationHeap.h
@@ -0,0 +1,6 @@
+#pragma once
+
+BOOL
+LowFragmentationHeap(
+	VOID
+);
diff --git a/al-khaser/Shared/Utils.cpp b/al-khaser/Shared/Utils.cpp
@@ -447,6 +447,82 @@ BOOL GetOSDisplayString(LPTSTR pszOS)
 	}
 }
 
+BOOL IsWindowsVista() {
+	OSVERSIONINFOEX osvi;
+	DWORDLONG dwlConditionMask = 0;
+	int op = VER_EQUAL;
+
+	// Initialize the OSVERSIONINFOEX structure.
+
+	ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+	osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	osvi.dwMajorVersion = 6;
+	osvi.dwMinorVersion = 0;
+
+	// Initialize the condition mask.
+
+	VER_SET_CONDITION(dwlConditionMask, VER_MAJORVERSION, op);
+	VER_SET_CONDITION(dwlConditionMask, VER_MINORVERSION, op);
+
+	// Perform the test.
+
+	return VerifyVersionInfo(
+		&osvi,
+		VER_MAJORVERSION | VER_MINORVERSION,
+		dwlConditionMask);
+}
+
+BOOL IsWindows7() {
+	OSVERSIONINFOEX osvi;
+	DWORDLONG dwlConditionMask = 0;
+	int op = VER_EQUAL;
+
+	// Initialize the OSVERSIONINFOEX structure.
+
+	ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+	osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	osvi.dwMajorVersion = 6;
+	osvi.dwMinorVersion = 1;
+
+	// Initialize the condition mask.
+
+	VER_SET_CONDITION(dwlConditionMask, VER_MAJORVERSION, op);
+	VER_SET_CONDITION(dwlConditionMask, VER_MINORVERSION, op);
+
+	// Perform the test.
+
+	return VerifyVersionInfo(
+		&osvi,
+		VER_MAJORVERSION | VER_MINORVERSION,
+		dwlConditionMask);
+}
+
+BOOL IsWindows8or8PointOne() {
+	OSVERSIONINFOEX osvi;
+	DWORDLONG dwlConditionMask = 0;
+	int MajorOp = VER_EQUAL;
+	int MinorOp = VER_GREATER_EQUAL;
+
+	// Initialize the OSVERSIONINFOEX structure.
+
+	ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+	osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+	osvi.dwMajorVersion = 6;
+	osvi.dwMinorVersion = 2;
+
+	// Initialize the condition mask.
+
+	VER_SET_CONDITION(dwlConditionMask, VER_MAJORVERSION, MajorOp);
+	VER_SET_CONDITION(dwlConditionMask, VER_MINORVERSION, MinorOp);
+
+	// Perform the test.
+
+	return VerifyVersionInfo(
+		&osvi,
+		VER_MAJORVERSION | VER_MINORVERSION,
+		dwlConditionMask);
+}
+
 DWORD GetProccessIDByName(TCHAR* szProcessNameTarget)
 {
 	DWORD processIds[1024];

diff --git a/al-khaser/Shared/Utils.h b/al-khaser/Shared/Utils.h
@@ -9,6 +9,9 @@ BOOL is_DirectoryExists(TCHAR* szPath);
 BOOL check_mac_addr(const TCHAR* szMac);
 BOOL check_adapter_name(const TCHAR* szName);
 BOOL GetOSDisplayString(LPTSTR pszOS);
+BOOL IsWindowsVista();
+BOOL IsWindows7();
+BOOL IsWindows8or8PointOne();
 DWORD GetProccessIDByName(TCHAR* szProcessNameTarget);
 DWORD GetProcessIdFromName(LPCTSTR ProcessName);
 BOOL SetPrivilege(HANDLE, LPCTSTR, BOOL);

diff --git a/al-khaser/al-khaser.vcxproj b/al-khaser/al-khaser.vcxproj
@@ -175,6 +175,7 @@
     <ClInclude Include="AntiDebug\Interrupt_0x2d.h" />
     <ClInclude Include="AntiDebug\Interrupt_3.h" />
     <ClInclude Include="AntiDebug\IsDebuggerPresent.h" />
+    <ClInclude Include="AntiDebug\LowFragmentationHeap.h" />
     <ClInclude Include="AntiDebug\MemoryBreakpoints_PageGuard.h" />
     <ClInclude Include="AntiDebug\ModuleBoundsHookCheck.h" />
     <ClInclude Include="AntiDebug\NtGlobalFlag.h" />
@@ -247,6 +248,7 @@
     <ClCompile Include="AntiDebug\Interrupt_0x2d.cpp" />
     <ClCompile Include="AntiDebug\Interrupt_3.cpp" />
     <ClCompile Include="AntiDebug\IsDebuggerPresent.cpp" />
+    <ClCompile Include="AntiDebug\LowFragmentationHeap.cpp" />
     <ClCompile Include="AntiDebug\MemoryBreakpoints_PageGuard.cpp" />
     <ClCompile Include="AntiDebug\ModuleBoundsHookCheck.cpp" />
     <ClCompile Include="AntiDebug\NtGlobalFlag.cpp" />

diff --git a/al-khaser/al-khaser.vcxproj.filters b/al-khaser/al-khaser.vcxproj.filters
@@ -283,6 +283,9 @@
     <ClInclude Include="AntiDebug\TrapFlag.h">
       <Filter>AntiDebug\Header</Filter>
     </ClInclude>
+    <ClInclude Include="AntiDebug\LowFragmentationHeap.h">
+      <Filter>AntiDebug\Header</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="al-khaser.cpp" />
@@ -464,6 +467,9 @@
     <ClCompile Include="AntiDebug\TrapFlag.cpp">
       <Filter>AntiDebug\Source</Filter>
     </ClCompile>
+    <ClCompile Include="AntiDebug\LowFragmentationHeap.cpp">
+      <Filter>AntiDebug\Source</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <MASM Include="AntiDebug\int2d_x86.asm">

diff --git a/al-khaser/pch.h b/al-khaser/pch.h
@@ -99,6 +99,7 @@
 #include "AntiDebug/ModuleBoundsHookCheck.h"
 #include "AntiDebug/ScanForModules.h"
 #include "AntiDebug/WUDF_IsDebuggerPresent.h"
+#include "AntiDebug/LowFragmentationHeap.h"
 
 
 /* Anti dumping headers */