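def stealth(vdb, line):
    """
    Toggle basic debugger stealth.  This has the following effects:

    Change PEB to show BeingDebugged == 0
    Special breakpoint on CheckRemoteDebuggerPresent

    The command is a toggle: when the trace already carries the
    "Win32Stealth" meta value the patches are removed, otherwise they
    are applied.  Either way the new state is reported via vdb.vprint().

    Args:
        vdb: the debugger object; only its ``trace`` and ``vprint`` are used.
        line: the rest of the command line.  Not used by this command.

    WARNING:
    break/sendBreak() behave VERY strange with this because the
    kernel apparently doesn't think he needs to post the exception
    to the debugger?
    """
    # Identity test rather than `!= None`: getMeta() presumably returns None
    # for an absent key (PEP 8 idiom, and safe against objects with a custom
    # __ne__).  TODO confirm getMeta()'s "missing" sentinel is None.
    if vdb.trace.getMeta("Win32Stealth") is not None:
        win32_stealth.unstealthify(vdb.trace)
        vdb.vprint("Stealth disabled")
    else:
        win32_stealth.stealthify(vdb.trace)
        vdb.vprint("Stealth enabled")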
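def stealth(vdb, line):
    """
    Toggle basic debugger stealth.  This has the following effects:

    Change PEB to show BeingDebugged == 0
    Special breakpoint on CheckRemoteDebuggerPresent

    Calling the command again reverses it: if the trace's "Win32Stealth"
    meta value is already set the patches are removed, otherwise they are
    installed.  The resulting state is printed with vdb.vprint().

    Args:
        vdb: the debugger object; ``vdb.trace`` and ``vdb.vprint`` are used.
        line: remainder of the command line; ignored by this command.

    WARNING:
    break/sendBreak() behave VERY strange with this because the
    kernel apparently doesn't think he needs to post the exception
    to the debugger?
    """
    # `is not None` instead of `!= None`: the check is for the absence of the
    # meta key, which getMeta() presumably signals with None -- TODO confirm.
    stealth_active = vdb.trace.getMeta("Win32Stealth") is not None
    if stealth_active:
        win32_stealth.unstealthify(vdb.trace)
        vdb.vprint("Stealth disabled")
    else:
        win32_stealth.stealthify(vdb.trace)
        vdb.vprint("Stealth enabled")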
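def stealth(vdb, line):
    """
    Enable debugger stealth. See options -l.

    stealth <on/off> <options>

    Options:
    peb - enable/disable static peb + heap offset patching
    ZwQueryInformationProcess - patch ZwQueryInformationProcess parameter
    CheckRemoteDebuggerPresent - patch CheckRemoteDebuggerPresent
    GetTickCount - patch GetTickCount timer checks
    OutputDebugString - patch check that returns if debugger is attached
    ZwSetInformationThread - patch the hide debugger trick
    ZwClose - patch invalid handle check
    all - enable or disable all patches

    Args:
        vdb: the debugger object; provides ``trace``, ``vprint`` and
            ``do_help``.
        line: the raw command line after the command name; it is split
            with ``e_cli.splitargs``.

    Without a usable operation (fewer than two arguments, or a first
    argument other than on/off) the command prints its help plus the
    current status of every patch and returns.  Option names are matched
    case-insensitively; names not in the option list are ignored.

    WARNING:
    break/sendBreak() behave VERY strange with this because the
    kernel apparently doesn't think he needs to post the exception
    to the debugger?
    """
    args = e_cli.splitargs(line)
    arglist = ('peb','zwqueryinformationprocess','checkremotedebuggerpresent',
               'gettickcount','outputdebugstring','all',
               'zwsetinformationthread','zwclose')

    # The operation must be the FIRST argument.  The previous check looked for
    # a case-sensitive 'on'/'off' anywhere in args, so "stealth peb on" passed
    # the guard and then silently did nothing, while "stealth ON peb" was
    # rejected even though oper is lower-cased below.
    oper = args[0].lower() if args else ''
    if len(args) < 2 or oper not in ('on', 'off'):
        vdb.do_help('stealth')
        enabledPatches = win32_stealth.getStatus(vdb.trace)

        vdb.vprint('Stealth Status')
        vdb.vprint('='*40)
        for name, isPatched in enabledPatches:
            status = 'enabled' if isPatched else 'disabled'
            vdb.vprint('{0:30} {1:16}'.format(name, status))

        return

    commands = [i.lower() for i in args[1:]]

    # 'all' is compared on the lower-cased form, like every other option name.
    if commands[0] == 'all':
        if oper == 'on':
            if win32_stealth.enableAllStealth(vdb.trace):
                vdb.vprint('all enabled!')
                return
        elif win32_stealth.disableAllStealth(vdb.trace):
            vdb.vprint('all disabled!')
            return

    # Reached for individual options, or when the bulk enable/disable above
    # reported failure (the original fell through here as well, and 'all' is
    # itself in arglist, so it is retried per-option).
    if oper == 'on':
        patch, fmt = win32_stealth.stealthify, '%s enabled!'
    else:
        patch, fmt = win32_stealth.unstealthify, '%s disabled!'

    for name in commands:
        if name in arglist and patch(vdb.trace, name):
            vdb.vprint(fmt % name)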
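def stealth(vdb, line):
    """
    Enable debugger stealth. See options -l.

    stealth <on/off> <options>

    Options:
    peb - enable/disable static peb + heap offset patching
    ZwQueryInformationProcess - patch ZwQueryInformationProcess parameter
    CheckRemoteDebuggerPresent - patch CheckRemoteDebuggerPresent
    GetTickCount - patch GetTickCount timer checks
    OutputDebugString - patch check that returns if debugger is attached
    ZwSetInformationThread - patch the hide debugger trick
    ZwClose - patch invalid handle check
    all - enable or disable all patches

    Args:
        vdb: the debugger object; ``trace``, ``vprint`` and ``do_help``
            are used.
        line: remainder of the command line, split with
            ``e_cli.splitargs``.

    If the first argument is not on/off, or fewer than two arguments are
    given, the help text and the current per-patch status are printed and
    nothing is changed.  Option names are case-insensitive; unknown names
    are skipped without a message.

    WARNING:
    break/sendBreak() behave VERY strange with this because the
    kernel apparently doesn't think he needs to post the exception
    to the debugger?
    """
    args = e_cli.splitargs(line)
    arglist = ('peb', 'zwqueryinformationprocess',
               'checkremotedebuggerpresent', 'gettickcount',
               'outputdebugstring', 'all', 'zwsetinformationthread', 'zwclose')

    # Validate the operation in position 0.  Checking `'on' in args` anywhere
    # in the list (and case-sensitively) accepted "stealth peb on", which then
    # matched no branch and did nothing, and rejected "stealth ON peb" although
    # the operation is lower-cased before use.
    oper = args[0].lower() if args else ''
    if len(args) < 2 or oper not in ('on', 'off'):
        vdb.do_help('stealth')
        enabledPatches = win32_stealth.getStatus(vdb.trace)

        vdb.vprint('Stealth Status')
        vdb.vprint('=' * 40)
        for name, isPatched in enabledPatches:
            status = 'enabled' if isPatched else 'disabled'
            vdb.vprint('{0:30} {1:16}'.format(name, status))

        return

    commands = [i.lower() for i in args[1:]]

    # Compare the lower-cased form so 'ALL' works like the other option names.
    if commands[0] == 'all':
        if oper == 'on':
            if win32_stealth.enableAllStealth(vdb.trace):
                vdb.vprint('all enabled!')
                return
        elif win32_stealth.disableAllStealth(vdb.trace):
            vdb.vprint('all disabled!')
            return

    # Per-option path; also reached when the bulk call returned falsy, which
    # the original code handled the same way ('all' is in arglist, so it is
    # passed through to stealthify/unstealthify as an ordinary name).
    if oper == 'on':
        patch, fmt = win32_stealth.stealthify, '%s enabled!'
    else:
        patch, fmt = win32_stealth.unstealthify, '%s disabled!'

    for name in commands:
        if name in arglist and patch(vdb.trace, name):
            vdb.vprint(fmt % name)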