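def stealth(vdb, line):
    """
    Enable or disable debugger stealth patches in the debuggee.

    stealth <on/off> <options>

    Options:
        peb                        - enable/disable static peb + heap offset patching
        ZwQueryInformationProcess  - patch ZwQueryInformationProcess parameter
        CheckRemoteDebuggerPresent - patch CheckRemoteDebuggerPresent
        GetTickCount               - patch GetTickCount timer checks
        OutputDebugString          - patch check that returns if debugger is attached
        ZwSetInformationThread     - patch the hide debugger trick
        ZwClose                    - patch invalid handle check
        all                        - enable or disable all patches

    The first word must be ``on`` or ``off``; anything else (or too few
    arguments) prints the help text followed by the current status of every
    patch.  Option names are matched case-insensitively; unrecognised names
    are reported and skipped instead of being silently ignored.

    WARNING: break/sendBreak() behave VERY strangely with this because the
    kernel apparently doesn't think it needs to post the exception to the
    debugger.

    NOTE(review): these patches modify the debuggee's own memory (PEB fields
    and API entry points, per the option list), so a target that
    integrity-checks its own code or ntdll can presumably still notice them,
    and they are only undone by an explicit ``stealth off`` -- confirm against
    win32_stealth before relying on a clean detach.

    Args:
        vdb:  the debugger shell; used for ``trace``, ``vprint`` and ``do_help``.
        line: the raw command line after the command name.
    """
    args = e_cli.splitargs(line)
    arglist = ('peb', 'zwqueryinformationprocess', 'checkremotedebuggerpresent',
               'gettickcount', 'outputdebugstring', 'all',
               'zwsetinformationthread', 'zwclose')

    # The operation has to be the *first* word.  The previous check accepted
    # "on"/"off" anywhere in the argument list, so "stealth peb on" passed the
    # guard and then did nothing at all, with no message.
    oper = args[0].lower() if args else ''
    if len(args) < 2 or oper not in ('on', 'off'):
        vdb.do_help('stealth')
        enabledPatches = win32_stealth.getStatus(vdb.trace)
        vdb.vprint('Stealth Status')
        vdb.vprint('=' * 40)
        for name, isPatched in enabledPatches:
            status = 'enabled' if isPatched else 'disabled'
            vdb.vprint('{0:30} {1:16}'.format(name, status))
        return

    commands = [i.lower() for i in args[1:]]

    # Compare the lowercased form: "stealth on ALL" previously fell through to
    # the per-option loop and handed the literal 'all' to stealthify().
    if commands[0] == 'all':
        if oper == 'on':
            if win32_stealth.enableAllStealth(vdb.trace):
                vdb.vprint('all enabled!')
        else:
            if win32_stealth.disableAllStealth(vdb.trace):
                vdb.vprint('all disabled!')
        return

    # Single dispatch on the operation; the helper's truthy return is treated
    # as "patch applied/removed" exactly as before, a falsy return stays silent.
    if oper == 'on':
        toggle, verb = win32_stealth.stealthify, 'enabled'
    else:
        toggle, verb = win32_stealth.unstealthify, 'disabled'

    for name in commands:
        if name not in arglist:
            # Tell the operator rather than silently skipping a typo such as
            # "gettickcout" -- a missed patch leaves the anti-debug check live.
            vdb.vprint('unknown stealth option: %s' % name)
            continue
        if toggle(vdb.trace, name):
            vdb.vprint('%s %s!' % (name, verb))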
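def stealth(vdb, line):
    """
    Enable or disable debugger stealth patches in the debuggee.

    stealth <on/off> <options>

    Options:
        peb                        - enable/disable static peb + heap offset patching
        ZwQueryInformationProcess  - patch ZwQueryInformationProcess parameter
        CheckRemoteDebuggerPresent - patch CheckRemoteDebuggerPresent
        GetTickCount               - patch GetTickCount timer checks
        OutputDebugString          - patch check that returns if debugger is attached
        ZwSetInformationThread     - patch the hide debugger trick
        ZwClose                    - patch invalid handle check
        all                        - enable or disable all patches

    The first word must be ``on`` or ``off``; anything else (or too few
    arguments) prints the help text followed by the current status of every
    patch.  Option names are matched case-insensitively; unrecognised names
    are reported and skipped instead of being silently ignored.

    WARNING: break/sendBreak() behave VERY strangely with this because the
    kernel apparently doesn't think it needs to post the exception to the
    debugger.

    NOTE(review): these patches modify the debuggee's own memory (PEB fields
    and API entry points, per the option list), so a target that
    integrity-checks its own code or ntdll can presumably still notice them,
    and they are only undone by an explicit ``stealth off`` -- confirm against
    win32_stealth before relying on a clean detach.

    Args:
        vdb:  the debugger shell; used for ``trace``, ``vprint`` and ``do_help``.
        line: the raw command line after the command name.
    """
    args = e_cli.splitargs(line)
    arglist = ('peb', 'zwqueryinformationprocess', 'checkremotedebuggerpresent',
               'gettickcount', 'outputdebugstring', 'all',
               'zwsetinformationthread', 'zwclose')

    # The operation has to be the *first* word.  The previous check accepted
    # "on"/"off" anywhere in the argument list, so "stealth peb on" passed the
    # guard and then did nothing at all, with no message.
    oper = args[0].lower() if args else ''
    if len(args) < 2 or oper not in ('on', 'off'):
        vdb.do_help('stealth')
        enabledPatches = win32_stealth.getStatus(vdb.trace)
        vdb.vprint('Stealth Status')
        vdb.vprint('=' * 40)
        for name, isPatched in enabledPatches:
            status = 'enabled' if isPatched else 'disabled'
            vdb.vprint('{0:30} {1:16}'.format(name, status))
        return

    commands = [i.lower() for i in args[1:]]

    # Compare the lowercased form: "stealth on ALL" previously fell through to
    # the per-option loop and handed the literal 'all' to stealthify().
    if commands[0] == 'all':
        if oper == 'on':
            if win32_stealth.enableAllStealth(vdb.trace):
                vdb.vprint('all enabled!')
        else:
            if win32_stealth.disableAllStealth(vdb.trace):
                vdb.vprint('all disabled!')
        return

    # Single dispatch on the operation; the helper's truthy return is treated
    # as "patch applied/removed" exactly as before, a falsy return stays silent.
    if oper == 'on':
        toggle, verb = win32_stealth.stealthify, 'enabled'
    else:
        toggle, verb = win32_stealth.unstealthify, 'disabled'

    for name in commands:
        if name not in arglist:
            # Tell the operator rather than silently skipping a typo such as
            # "gettickcout" -- a missed patch leaves the anti-debug check live.
            vdb.vprint('unknown stealth option: %s' % name)
            continue
        if toggle(vdb.trace, name):
            vdb.vprint('%s %s!' % (name, verb))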