GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/byakugan/mushishi.cpp
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include "byakugan.h"
#include "mushishi.h"
#include "stdwindbg.h"
// WinDbg command attached to the breakpoint planted on RtlDispatchException:
// writes 16 zero bytes at esp+0x34 and resumes (`g`). Per the comment in
// mushishiDefeat() this is meant to blank the Dr0-Dr3 slots of the CONTEXT the
// dispatcher receives, so a target inspecting them sees no hardware
// breakpoints. The offset is hard-coded for one 32-bit stack layout --
// TODO confirm against the target's RtlDispatchException.
#define CRUSH_DR_CONTEXT "e esp+0x34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00; g"
// Command for the image-size write watch: single-step over the writing
// instruction (`t`), store the second value back at the first address (`ed`),
// then resume. Both %08x conversions expect 32-bit arguments.
#define REWRITE_IMAGE_SIZE "t; ed 0x%08x 0x%08x; g;"

// Image size captured by protectImageSize(); REWRITE_IMAGE_SIZE restores this
// value whenever the watched field is written.
ULONG originalImageSize;
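// Defeat hardware-breakpoint self-checks: plant a code breakpoint on
// RtlDispatchException whose command (CRUSH_DR_CONTEXT) zeroes the debug
// register slots of the CONTEXT before the target's handler can inspect them.
// Returns FALSE if the function cannot be resolved or the breakpoint cannot be
// created; on success the breakpoint is left enabled.
BOOL maskHardwareBreaks(void) {
    ULONG64 funcAddr64 = resolveFunctionByName("RtlDispatchException");
    PDEBUG_BREAKPOINT bp = NULL;

    if (funcAddr64 == 0) {
        return (FALSE);
    }
    // AddBreakpoint leaves bp untouched when it fails; dereferencing it then
    // is undefined behaviour, so bail out instead.
    if (FAILED(g_ExtControl->AddBreakpoint(DEBUG_BREAKPOINT_CODE, DEBUG_ANY_ID, &bp))) {
        return (FALSE);
    }
    bp->SetCommand(CRUSH_DR_CONTEXT);
    bp->SetOffset(funcAddr64);
    bp->SetFlags(DEBUG_BREAKPOINT_ENABLED);

    return (TRUE);
}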
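// FIXME: this was a verbatim copy of maskHardwareBreaks() -- it plants the same
// CONTEXT-zeroing breakpoint instead of merely reporting that the target read
// Dr0-Dr3. Until detection-only logic exists it delegates to the shared routine
// so the two cannot drift apart. The call site in mushishiDetect() is disabled.
// Returns whatever maskHardwareBreaks() returns.
BOOL DetectHardwareBreakCheck(void) {
    return maskHardwareBreaks();
}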
// Locate the SizeOfImage field of the main module's loader entry through the
// debugger's expression evaluator (32-bit layouts): fs:[0x30] is the PEB,
// PEB+0xC the loader data, and +0xC its first in-load-order module entry;
// SizeOfImage lives 0x20 bytes into that entry.
ULONG64 getPointerToImageSize() {
    const ULONG64 sizeOfImageOffset = 0x20;
    ULONG64 ldrEntry = GetExpression("poi(poi(poi(fs:[0x30]) + 0xC) + 0xC)");

    return (ldrEntry + sizeOfImageOffset);
}
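// Defeat image-size tampering checks: record the current SizeOfImage, then set
// a write watch on it whose command restores the saved value right after the
// offending instruction executes. Returns FALSE if the watch cannot be set.
// Side effect: stores the saved value in the global originalImageSize.
BOOL protectImageSize() {
    ULONG64 imageSizePtr = getPointerToImageSize();
    PDEBUG_BREAKPOINT bp = NULL;
    char rewriteCommand[64];

    // The %08x conversions in the command strings take 32-bit arguments. On a
    // 32-bit build, passing the ULONG64 address unconverted fed its high dword
    // to REWRITE_IMAGE_SIZE's second %08x, so the watch restored 0 instead of
    // originalImageSize. The target is 32-bit, so the address fits in a ULONG.
    ULONG imageSizeAddr32 = (ULONG)imageSizePtr;

    memset(rewriteCommand, 0, sizeof rewriteCommand);
    _snprintf_s(rewriteCommand, sizeof rewriteCommand - 1, "poi(0x%08x)", imageSizeAddr32);
    originalImageSize = (ULONG)GetExpression(rewriteCommand);
    dprintf("[Mushishi] Original Image Size: 0x%08x\n", originalImageSize);

    bp = detectWriteByAddr(imageSizePtr, "overwrite of PEB image size");
    if (bp == NULL) {
        return (FALSE);
    }
    memset(rewriteCommand, 0, sizeof rewriteCommand);
    _snprintf_s(rewriteCommand, sizeof rewriteCommand - 1, REWRITE_IMAGE_SIZE, imageSizeAddr32, originalImageSize);
    bp->SetCommand(rewriteCommand);

    return (TRUE);
}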
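// Detect image-size tampering: set a write watch on the main module's
// SizeOfImage field so any write to it stops the debugger with the given tag.
// Returns FALSE if the watch could not be created.
BOOL detectImageSizeOverwrite() {
    ULONG64 imageSizePtr = getPointerToImageSize();

    // %I64x matches the ULONG64 argument; a plain %08x reads only its low dword.
    dprintf("[Mushishi] ImageSize found at 0x%08I64x\n", imageSizePtr);
    if (detectWriteByAddr(imageSizePtr, "overwrite of PEB image size") == NULL) {
        return (FALSE);
    }

    return (TRUE);
}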
// Watch a call to an API that anti-debug code typically uses, tagging the hit
// with the API's own name.
#define WATCH_API_CALL(name) detectCallByName(name, name)

// Arm the Mushishi anti-anti-debug detectors. Each step plants a breakpoint
// that reports when the target performs a known debugger check.
void mushishiDetect(void) {
    // 1) CheckRemoteDebuggerPresent: direct query for an attached debugger
    WATCH_API_CALL("CheckRemoteDebuggerPresent");

    // 2) Reads of the Dr0-Dr3 slots of a CONTEXT -- still disabled, see the
    //    FIXME on DetectHardwareBreakCheck()
    //DetectHardwareBreakCheck();

    // 3) OutputDebugString behaves differently when a debugger is attached
    WATCH_API_CALL("OutputDebugString");

    // 4) Writes to the main module's image size
    detectImageSizeOverwrite();

    // 5) SetLastError, used around debugger-sensitive calls
    WATCH_API_CALL("SetLastError");
}
// Arm the Mushishi countermeasures: neutralise each anti-debug technique the
// detectors watch for, reporting any step that could not be applied.
void mushishiDefeat(void) {
    // 1) Make CheckRemoteDebuggerPresent always report "no debugger".
    if (!disableFunctionFalse("CheckRemoteDebuggerPresent")) {
        dprintf("[Mushishi] Unable to disable \"CheckRemoteDebuggerPresent\" function!\n");
    }

    // 2) Targets that raise an exception and read Dr0-Dr3 from the SEH CONTEXT:
    //    zero those slots before the handler sees them.
    if (!maskHardwareBreaks()) {
        dprintf("[Mushishi] Unable to disable Hardware Breakpoint checks from CONTEXT!\n");
    }

    // 3) Keep the main module's image size at its original value.
    if (!protectImageSize()) {
        dprintf("[Mushishi] Unable to protect the image size!\n");
    }
}