Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
#include <stdio.h>
2
#include <string.h>
3

4
#include "byakugan.h"
5
#include "stdwindbg.h"
6

7
char bypassFalse[] =    "\x33\xc0"          // xor eax, eax
8
                        "\xc2\x08\x00";     // ret 8
9

10
struct debugClientNode	*headDebugClient = NULL;
11

12

13
detectionCallBack::detectionCallBack() : type(NULL), count(0) {}
14

15
HRESULT __stdcall detectionCallBack::QueryInterface(const IID & iid, PVOID * ref) {
16
	*ref = NULL;
17
		
18
	if (iid == __uuidof(IDebugEventCallbacks))
19
		*ref = this;
20
	else if (iid == __uuidof(IUnknown))
21
		*ref = static_cast<IUnknown *>(this);
22
	else
23
		return E_NOINTERFACE;
24
	
25
	return S_OK;
26
}
27
	
28
ULONG __stdcall detectionCallBack::AddRef(void) {
29
	return InterlockedIncrement(&count);
30
}
31

32
ULONG __stdcall detectionCallBack::Release(void) {
33
	ULONG c = InterlockedDecrement(&count);
34
	if (c == 0)
35
		delete this;
36
	return c;
37
}
38

39
HRESULT __stdcall detectionCallBack::Breakpoint(PDEBUG_BREAKPOINT bp) {
40
	typeNode	*detected = type;
41
	ULONG		bpid;
42
	dprintf("CAUGHT A BP\n");
43
	bp->GetId(&bpid);
44
	while (detected != NULL && detected->bpid != bpid)
45
		detected = detected->next;
46
	if (detected == NULL) // Not one of ours.
47
		return (DEBUG_STATUS_BREAK);
48

49
	dprintf("[Mushishi] Detected %s anti-debugging technique.\n", detected->name);		
50
	return (DEBUG_STATUS_BREAK);
51
	//return (DEBUG_STATUS_BREAK);
52
}
53

54
HRESULT __stdcall detectionCallBack::GetInterestMask(PULONG mask) {
55
   	if (mask != NULL)
56
		*mask = DEBUG_EVENT_BREAKPOINT;
57
   	return (S_OK);
58
}
59

60
HRESULT __stdcall detectionCallBack::Exception(PEXCEPTION_RECORD64 exception, ULONG firstChance) {
61
   	return E_NOTIMPL;
62
}
63
    
64
HRESULT __stdcall detectionCallBack::CreateThread(ULONG64 handle, ULONG64 dataOffset, ULONG64 startOffset) {
65
   	return E_NOTIMPL;
66
}
67

68
HRESULT __stdcall detectionCallBack::ExitThread(ULONG exitCode) {
69
	return E_NOTIMPL;
70
}
71
	
72
HRESULT __stdcall detectionCallBack::CreateProcess(
73
	ULONG64 imageFileHandle,
74
	ULONG64 handle,
75
	ULONG64 baseOffset,
76
	ULONG moduleSize,
77
	PCSTR moduleName,
78
	PCSTR imageName,
79
	ULONG checkSum,
80
	ULONG timeDateStamp,
81
	ULONG64 initialThreadHandle,
82
	ULONG64 threadDataOffset,
83
	ULONG64 startOffset) {
84
		return E_NOTIMPL;
85
}
86

87
HRESULT __stdcall detectionCallBack::ExitProcess(ULONG exitCode) {
88
	return E_NOTIMPL;
89
}
90

91
HRESULT __stdcall detectionCallBack::LoadModule(
92
	ULONG64 imageFileHandle,
93
	ULONG64 baseOffset,
94
	ULONG moduleSize,
95
	PCSTR moduleName,
96
	PCSTR imageName,
97
	ULONG checkSum,
98
	ULONG timeDateStamp) {
99
		return E_NOTIMPL;
100
}
101

102
HRESULT __stdcall detectionCallBack::UnloadModule(PCSTR imageBaseName, ULONG64 baseOffset) {
103
	return E_NOTIMPL;
104
}
105

106
HRESULT __stdcall detectionCallBack::SystemError(ULONG error, ULONG level) {
107
	return E_NOTIMPL;
108
}
109

110
HRESULT __stdcall detectionCallBack::SessionStatus(ULONG status) {
111
	return E_NOTIMPL;
112
}
113

114
HRESULT __stdcall detectionCallBack::ChangeDebuggeeState(ULONG flags, ULONG64 argument) {
115
	return E_NOTIMPL;
116
}
117

118
HRESULT __stdcall detectionCallBack::ChangeEngineState(ULONG flags, ULONG64 argument) {
119
	return E_NOTIMPL;
120
}
121

122
HRESULT __stdcall detectionCallBack::ChangeSymbolState(ULONG flags, ULONG64 argument) {
123
	return E_NOTIMPL;
124
}
125
	
126

127
void detectionCallBack::addType(ULONG bpid, char *name) {
128
	typeNode *curr, *newType;
129

130
	newType = (typeNode *) malloc(sizeof (typeNode));
131
	if (newType == NULL)
132
		return;
133
	
134
	newType->bpid = bpid;
135
	newType->name = (char *) malloc(strlen(name) + 2);
136
	if (newType->name == NULL) {
137
		free(newType);
138
		return;
139
	}
140
	strncpy(newType->name, name, strlen(name));
141

142
	newType->next = type;
143
	type = newType;
144
}
145

146
void detectionCallBack::recTypeNuke(typeNode *type) {
147
	if (type == NULL)
148
		return;
149
	recTypeNuke(type->next);
150
	free(type->name);
151
	free(type);
152
}
153
	
154
detectionCallBack::~detectionCallBack() {
155
	recTypeNuke(type);
156
}
157

158
struct debugClientNode *addDebugClient(void) {
159

160
#if 0
161
	struct debugClientNode	*newNode, *cur;
162
	
163
	newNode = (struct debugClientNode *) malloc(sizeof(struct debugClientNode));
164
	if (newNode == NULL)
165
		return (newNode);
166

167
	g_ExtClient->CreateClient(&(newNode->debugClient));
168
	newNode->dcb = new detectionCallBack;
169

170
	if (headDebugClient == NULL)
171
		headDebugClient = newNode;
172
	else {
173
		cur = headDebugClient;
174
		while (cur->next != NULL)
175
			cur = cur->next;
176
		cur->next = newNode;
177
	}
178
#endif
179

180
	if (headDebugClient == NULL) {
181
		headDebugClient = (struct debugClientNode *) malloc(sizeof(struct debugClientNode));
182
		g_ExtClient->CreateClient(&(headDebugClient->debugClient));
183
		headDebugClient->dcb = new detectionCallBack;
184
	}
185
	return (headDebugClient);
186
}
187

188
// Take a function name, resolve it, and replace the first 5 bytes with
189
// a bypass that returns false.
190
BOOL disableFunctionFalse(char *funcName) {
191
    ULONG64         funcAddr64;
192

193
    if ((funcAddr64 = resolveFunctionByName(funcName)) == NULL)
194
        return (FALSE);
195
    g_ExtData->WriteVirtual(funcAddr64, (PVOID) bypassFalse, 5, NULL);
196
    return (TRUE);
197
}
198

199

200
ULONG64 resolveFunctionByName(char *funcName) {
201
    ULONG64         funcAddr64;
202

203
    g_ExtSymbols->Reload("/f kernel32.dll");
204
    if (g_ExtSymbols->GetOffsetByName(funcName, &funcAddr64) == E_FAIL)
205
        funcAddr64 = NULL;
206
    if (funcAddr64 != NULL)
207
        dprintf("[Byakugan] Resolved function '%s' @ 0x%16x.\n", funcName, funcAddr64);
208
    else {
209
        dprintf("[Byakugan] Unable to resolve function '%s' :(\n", funcName);
210
        return (NULL);
211
    }
212
	return (funcAddr64);
213
}
214

215
BOOL detectCallByName(char *funcName, char *detectionName) {
216
	if (detectExecByAddr(resolveFunctionByName(funcName), detectionName) == NULL)
217
		return (FALSE);
218
	return (TRUE);
219
}
220

221
PDEBUG_BREAKPOINT detectExecByAddr(ULONG64 funcAddr64, char *detectionName) {
222
	HRESULT						retCode;
223
	IDebugBreakpoint			*bp;
224
	ULONG						id;
225
	struct debugClientNode		*newDebugClient;
226
	
227
	if (funcAddr64 == NULL)
228
		return (NULL);
229

230
	newDebugClient = addDebugClient();
231

232
    g_ExtControl->AddBreakpoint(DEBUG_BREAKPOINT_CODE, DEBUG_ANY_ID, &bp);
233
    bp->SetOffset(funcAddr64);
234
    bp->SetFlags(DEBUG_BREAKPOINT_ENABLED|DEBUG_BREAKPOINT_ONE_SHOT);	
235
	bp->GetId(&id);
236
	newDebugClient->dcb->addType(id, detectionName);
237
	retCode = newDebugClient->debugClient->SetEventCallbacks(newDebugClient->dcb);
238
	//dprintf("[Mushishi] SetEventCallbacks: 0x%08x\n", retCode);
239
	return (bp);
240
}
241

242
PDEBUG_BREAKPOINT detectWriteByAddr(ULONG64 funcAddr64, char *detectionName) {
243
    HRESULT                     retCode;
244
    IDebugBreakpoint            *bp;
245
    ULONG                       id;
246
    struct debugClientNode      *newDebugClient;
247

248
    if (funcAddr64 == NULL)
249
        return (NULL);
250

251
    newDebugClient = addDebugClient();
252

253
    g_ExtControl->AddBreakpoint(DEBUG_BREAKPOINT_DATA, DEBUG_ANY_ID, &bp);
254
    bp->SetOffset(funcAddr64);
255
	bp->SetDataParameters(4, DEBUG_BREAK_WRITE);
256
    bp->SetFlags(DEBUG_BREAKPOINT_ENABLED);
257
    bp->GetId(&id);
258
    
259
	newDebugClient->dcb->addType(id, detectionName);
260
    retCode = newDebugClient->debugClient->SetEventCallbacks(newDebugClient->dcb);
261
    //dprintf("[Mushishi] SetEventCallbacks: 0x%08x\n", retCode);
262
    return (bp);
263
}
264

265
PDEBUG_BREAKPOINT detectReadByAddr(ULONG64 funcAddr64, char *detectionName) {
266
    HRESULT                     retCode;
267
    IDebugBreakpoint            *bp;
268
    ULONG                       id;
269
    struct debugClientNode      *newDebugClient;
270

271
    if (funcAddr64 == NULL)
272
        return (NULL);
273

274
    newDebugClient = addDebugClient();
275

276
    g_ExtControl->AddBreakpoint(DEBUG_BREAKPOINT_DATA, DEBUG_ANY_ID, &bp);
277
    bp->SetOffset(funcAddr64);
278
	bp->SetDataParameters(4, DEBUG_BREAK_READ);
279
    bp->SetFlags(DEBUG_BREAKPOINT_ENABLED);
280
    bp->GetId(&id);
281
    newDebugClient->dcb->addType(id, detectionName);
282
    retCode = newDebugClient->debugClient->SetEventCallbacks(newDebugClient->dcb);
283
    //dprintf("[Mushishi] SetEventCallbacks: 0x%08x\n", retCode);
284
    return (bp);
285
}
286

287
DWORD parseHexInput(char *hexInput, DWORD size, char *output) {
288
	return (0);
289
}
290

291
DWORD readFileIntoBuf(char *path, DWORD size, char **output, DWORD offset) {
292
    HANDLE      inputFile;
293
    DWORD       readOut = 1, i = 0;
294
    char        out;
295
    BYTE        state = 0;
296

297
    if((inputFile = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
298
                            FILE_ATTRIBUTE_NORMAL, NULL)) == INVALID_HANDLE_VALUE) {
299
        dprintf("[S] Unable to open file: %s\n", path);
300
        return (0);
301
    }
302
    if (size == 0)
303
        size = GetFileSize(inputFile, NULL) - 1;
304

305
    *output = (char *) malloc(size + 1);
306
    if (!*output) {
307
        dprintf("[S] Unable to allocate memory for %s\n", path);
308
        return (0);
309
    }
310
     if(offset == 0) {
311
         while (readOut > 0 && i < size) {
312
             ReadFile(inputFile, &out, 1, &readOut, NULL);
313
             (*output)[i++] = out;
314
          }
315
    }
316
    else {
317
        if(SetFilePointer(inputFile,offset, NULL,FILE_BEGIN) == INVALID_SET_FILE_POINTER ){
318
            dprintf("[S] Unable to read at offset %d for %s\n", offset, path);
319
            return (0);
320
            }
321
         while (readOut > 0 && i < size) {
322

323
             ReadFile(inputFile, &out, 1, &readOut, NULL);
324
             (*output)[i++] = out;
325
          }
326
    }
327
    return (i);
328
}
329

330