Include some experiments

This commit is contained in:
momo5502 2022-09-11 11:02:48 +02:00
parent 33a485c694
commit e1f57f7aa2
2 changed files with 61 additions and 4 deletions


@ -6,6 +6,7 @@
#include <utils/hook.hpp> #include <utils/hook.hpp>
#include "utils/string.hpp" #include "utils/string.hpp"
#include "utils/hardware_breakpoint.hpp"
#define ProcessDebugPort 7 #define ProcessDebugPort 7
#define ProcessDebugObjectHandle 30 // WinXP source says 31? #define ProcessDebugObjectHandle 30 // WinXP source says 31?
@ -26,6 +27,8 @@ namespace arxan
utils::hook::detour open_process_hook; utils::hook::detour open_process_hook;
utils::hook::detour create_thread_hook; utils::hook::detour create_thread_hook;
utils::hook::detour get_thread_context_hook; utils::hook::detour get_thread_context_hook;
utils::hook::detour zw_terminate_process_hook;
utils::hook::detour get_proc_address_hook;
void* original_first_tls_callback = nullptr; void* original_first_tls_callback = nullptr;
@ -431,18 +434,37 @@ namespace arxan
LONG WINAPI exception_filter(const LPEXCEPTION_POINTERS info) LONG WINAPI exception_filter(const LPEXCEPTION_POINTERS info)
{ {
static thread_local struct /*static thread_local struct
{ {
bool needs_protect_change = false; bool needs_protect_change = false;
bool had_single_step = false; bool had_single_step = false;
} analysis_context; } analysis_context;*/
if (info->ExceptionRecord->ExceptionCode == STATUS_INVALID_HANDLE) if (info->ExceptionRecord->ExceptionCode == STATUS_INVALID_HANDLE)
{ {
return EXCEPTION_CONTINUE_EXECUTION; return EXCEPTION_CONTINUE_EXECUTION;
} }
if (info->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP) /*if (info->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
{
//utils::thread::suspend_other_threads();
//restore_debug_functions();
//MessageBoxA(0, "SS", 0, 0);
OutputDebugStringA("SINGLESTEP!\n");
return EXCEPTION_CONTINUE_EXECUTION;
}*/
/*if (info->ExceptionRecord->ExceptionCode == STATUS_ACCESS_VIOLATION)
{
utils::thread::suspend_other_threads();
restore_debug_functions();
MessageBoxA(nullptr, utils::string::va("AV at: %llX %llX",
info->ContextRecord->Rip, reverse_g(info->ContextRecord->Rip)),
nullptr, 0);
return EXCEPTION_CONTINUE_EXECUTION;
}*/
/*if (info->ExceptionRecord->ExceptionCode == EXCEPTION_SINGLE_STEP)
{ {
if (!analysis_context.needs_protect_change) if (!analysis_context.needs_protect_change)
{ {
@ -484,7 +506,7 @@ namespace arxan
unprotect_text(); unprotect_text();
return EXCEPTION_CONTINUE_EXECUTION; return EXCEPTION_CONTINUE_EXECUTION;
//restore_debug_functions(); //restore_debug_functions();
} }*/
return EXCEPTION_CONTINUE_SEARCH; return EXCEPTION_CONTINUE_SEARCH;
} }
@ -823,6 +845,26 @@ namespace arxan
} }
} }
NTSTATUS NTAPI get_proc_address_stub(const HMODULE module_handle, const PANSI_STRING function_name,
const WORD oridinal,
PVOID* function_address, const BOOL b_value,
PVOID* callback_address)
{
OutputDebugStringA(utils::string::va("Proc: %s %X\n",
(function_name && function_name->Buffer)
? function_name->Buffer
: "(null)", static_cast<DWORD>(oridinal)));
return get_proc_address_hook.invoke<NTSTATUS>(module_handle, function_name, oridinal, function_address, b_value,
callback_address);
}
NTSTATUS zw_terminate_process_stub(const HANDLE process_handle, const NTSTATUS exit_status)
{
MessageBoxA(nullptr, "TERMINATING", nullptr, 0);
return zw_terminate_process_hook.invoke<NTSTATUS>(process_handle, exit_status);
}
class component final : public component_interface class component final : public component_interface
{ {
public: public:
@ -837,6 +879,7 @@ namespace arxan
void pre_start() override void pre_start() override
{ {
disable_tls_callbacks(); disable_tls_callbacks();
restore_debug_functions();
hide_being_debugged(); hide_being_debugged();
scheduler::loop(hide_being_debugged, scheduler::pipeline::async); scheduler::loop(hide_being_debugged, scheduler::pipeline::async);
@ -874,6 +917,12 @@ namespace arxan
// TODO: Remove as soon as real hooking works // TODO: Remove as soon as real hooking works
auto* get_cmd_import = utils::nt::library{}.get_iat_entry("kernel32.dll", "GetCommandLineA"); auto* get_cmd_import = utils::nt::library{}.get_iat_entry("kernel32.dll", "GetCommandLineA");
if (get_cmd_import) utils::hook::set(get_cmd_import, get_command_line_a_stub); if (get_cmd_import) utils::hook::set(get_cmd_import, get_command_line_a_stub);
//zw_terminate_process_hook.create(ntdll.get_proc<void*>("ZwTerminateProcess"), zw_terminate_process_stub);
//zw_terminate_process_hook.move();
//auto* gpafc = ntdll.get_proc<void*>("LdrGetProcedureAddressForCaller");
//get_proc_address_hook.create(gpafc, get_proc_address_stub);
//get_proc_address_hook.move();
} }
void post_unpack() override void post_unpack() override
@ -903,6 +952,8 @@ namespace arxan
create_thread_hook.clear(); create_thread_hook.clear();
open_process_hook.clear(); open_process_hook.clear();
get_thread_context_hook.clear(); get_thread_context_hook.clear();
zw_terminate_process_hook.clear();
get_proc_address_hook.clear();
} }
int priority() override int priority() override
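Review bot: In `get_proc_address_stub` the `%s` applied to `function_name->Buffer` assumes a NUL terminator, but `ANSI_STRING` is a counted string (`Length` bytes) and the loader does not promise one, so this debug trace can read past the end of the name; bound it with the length instead, e.g. `"Proc: %.*s %X\n", static_cast<int>(function_name->Length), function_name->Buffer` while keeping the existing null fallback. The six-argument prototype appears to mirror `LdrGetProcedureAddressForCaller`, which is an undocumented export, so a comment naming the Windows build the signature was checked against would help the next reader. `zw_terminate_process_stub` omits the `NTAPI` the sibling stub carries; it changes nothing on x64 but the two stubs should match. The `create()` calls for both new detours remain commented out while `clear()` is now invoked on them in the last hunk, whose enclosing function starts outside the diff — confirm `detour::clear()` tolerates a detour that was never installed.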


@ -54,6 +54,12 @@ namespace utils::hardware_breakpoint
SetThreadContext(this->handle_, &this->context_); SetThreadContext(this->handle_, &this->context_);
} }
debug_context(const debug_context&) = delete;
debug_context& operator=(const debug_context&) = delete;
debug_context(debug_context&& obj) noexcept = delete;
debug_context& operator=(debug_context&& obj) noexcept = delete;
CONTEXT* operator->() CONTEXT* operator->()
{ {
return &this->context_; return &this->context_;
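Review bot: Once the copy constructor and copy assignment are declared deleted at the top of the added block, the compiler no longer declares a move constructor or move assignment for `debug_context`, so the two explicit move deletions are redundant; if they are kept as documentation, drop the unused `obj` parameter names and the meaningless `noexcept` on deleted functions, i.e. `debug_context(debug_context&&) = delete;` and `debug_context& operator=(debug_context&&) = delete;`. Making the type non-movable looks like the right call, since the body just above (apparently the destructor) writes the saved context back with `SetThreadContext` and a moved-from copy would otherwise restore it twice. The class header and the rest of the class are outside the hunk.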