improve debug detection features (#721)
mr-tz authored Mar 14, 2023
1 parent 9521657 commit 977ad92
Showing 4 changed files with 20 additions and 5 deletions.
Expand Up @@ -15,6 +15,9 @@ rule:
- al-khaser_x86.exe_:0x420000
features:
- or:
# We're not including kernel32.IsDebuggerPresent here because some exception handlers and other compiler-inserted
# code may add calls to it, especially in debug builds. So, likely even with pretty good library code detection
# this feature could result in many false positives.
- api: kernel32.CheckRemoteDebuggerPresent
- api: WUDFPlatform.WudfIsAnyDebuggerPresent
- api: WUDFPlatform.WudfIsKernelDebuggerPresent
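Review bot: the new comment at the head of the `or:` says why kernel32.IsDebuggerPresent is excluded but not why `api: kernel32.CheckRemoteDebuggerPresent`, kept directly below it, is not subject to the same concern; since the stated rationale is compiler- or runtime-inserted calls in debug builds, add a clause saying that CheckRemoteDebuggerPresent has to be called deliberately and is therefore kept, so a later maintainer does not apply the same reasoning and drop it. Minor wording: "So, likely even with pretty good library code detection this feature could result in many false positives" reads better as "Even with good library-code detection this feature would likely produce many false positives."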
Expand Up @@ -13,4 +13,8 @@ rule:
features:
- and:
- number: 0x5 = SYSTEM_PROCESS_INFORMATION
- api: NtQuerySystemInformation
- or:
- api: NtQuerySystemInformation
- api: NtQuerySystemInformationEx
- api: ZwQuerySystemInformation
- api: ZwQuerySystemInformationEx
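Review bot: `number: 0x5 = SYSTEM_PROCESS_INFORMATION` sits in the same top-level `and:` as the new four-way `or:`, so nothing ties the constant to the call site; the rule's scope is not visible in this hunk, but if it is function or wider, 0x5 is a very common immediate and will co-occur with almost any function that imports one of these APIs. Consider nesting the `or:` and the `number:` under a `basic block:` the way check-for-process-debug-object.yml does in this same commit. Separately, this exact `or:` over NtQuerySystemInformation / NtQuerySystemInformationEx / ZwQuerySystemInformation / ZwQuerySystemInformationEx is repeated verbatim in check-systemkerneldebuggerinformation.yml below; a small `lib: true` rule referenced with `match:` would keep the two lists from drifting apart.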
8 changes: 6 additions & 2 deletions nursery/check-for-process-debug-object.yml
Expand Up @@ -11,8 +11,12 @@ rule:
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugObject.cpp
features:
- and:
- api: kernel32.GetCurrentProcess
- or:
- api: kernel32.GetCurrentProcess
- api: System.Diagnostics.Process::GetCurrentProcess
- basic block:
- and:
- api: NtQueryInformationProcess
- or:
- api: NtQueryInformationProcess
- api: ZwQueryInformationProcess
- number: 0x1E = ProcessDebugObjectHandle
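Review bot: the new `api: System.Diagnostics.Process::GetCurrentProcess` alternative opens a .NET path, but the only reference is the al-khaser C++ file and the `basic block:` still requires `NtQueryInformationProcess` or `ZwQueryInformationProcess` alongside `0x1E`, which a managed binary would only reach through P/Invoke. Add a .NET sample to the rule's examples (or a reference that exercises this path) and a one-line comment on how the native call is expected to surface in managed code, so the alternative is known to match something rather than being dead. Also worth a comment that `GetCurrentProcess` on its own is ubiquitous and the rule's precision rests entirely on the basic-block pairing of the query call with 0x1E.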
8 changes: 6 additions & 2 deletions nursery/check-systemkerneldebuggerinformation.yml
Expand Up @@ -6,10 +6,14 @@ rule:
- [email protected]
scope: basic block
mbc:
- Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
- Anti-Behavioral Analysis::Debugger Detection [B0001]
references:
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQuerySystemInformation_SystemKernelDebuggerInformation.cpp
features:
- and:
- api: NtQueryInformationProcess
- or:
- api: NtQuerySystemInformation
- api: NtQuerySystemInformationEx
- api: ZwQuerySystemInformation
- api: ZwQuerySystemInformationEx
- number: 0x23 = SystemKernelDebuggerInformation
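Review bot: replacing `api: NtQueryInformationProcess` with the NtQuerySystemInformation family is a correctness fix rather than an improvement: `0x23 = SystemKernelDebuggerInformation` is a SYSTEM_INFORMATION_CLASS value and the referenced al-khaser file (NtQuerySystemInformation_SystemKernelDebuggerInformation.cpp) calls NtQuerySystemInformation, so the old feature paired the constant with the wrong API and would not have matched that code. Say so in the commit message or a rule comment. The MBC change from `NtQueryInformationProcess [B0001.012]` to the bare `Debugger Detection [B0001]` correctly drops a wrong method ID but also loses method-level precision; if MBC defines a method for this technique, use it, otherwise a short comment that no method ID fits would stop someone from re-adding B0001.012.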