SystemKernelDebuggerInformationEx is not hided

Question

SystemKernelDebuggerInformationEx is not hided

boris768 opened this issue 3 years ago · 1 comments

HookNtQuerySystemInformation have SystemKernelDebuggerInformation hidding, but lacks of hidding SystemKernelDebuggerInformationEx, what is detection vector too

concept:

enum _SYSTEM_INFORMATION_CLASS
{
   SystemKernelDebuggerInformationEx= 149
}

typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
{
   BOOLEAN DebuggerAllowed;
   BOOLEAN DebuggerEnabled;
   BOOLEAN DebuggerPresent;
} SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, * PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX;

//======================================

case SystemKernelDebuggerInformationEx:
    {
        if (Hider::IsHidden(pid, HideSystemDebuggerInformation))
        {
            Log("[TITANHIDE] SystemKernelDebuggerInformationEx by %d\r\n", pid);
            typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
            {
                BOOLEAN DebuggerAllowed;
                BOOLEAN DebuggerEnabled;
                BOOLEAN DebuggerPresent;
            } SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX, * PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX;
            PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX DebuggerInfo = (PSYSTEM_KERNEL_DEBUGGER_INFORMATION_EX)SystemInformation;
            __try
            {
                BACKUP_RETURNLENGTH();

                DebuggerInfo->DebuggerAllowed = false;
                DebuggerInfo->DebuggerEnabled = false;
                DebuggerInfo->DebuggerPresent = false;

                RESTORE_RETURNLENGTH();
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                ret = GetExceptionCode();
            }
        }
        break;
    }

Answer 1 · 2022-05-12T14:04:07.000Z

Thanks for the report! I’ll try to integrate it in the codebase if I find some time but I don’t really have a TitanHide VM anymore so a PR would be very welcome!