
Bugfix + new anti-disassembly technique #245

Merged
merged 5 commits into from
Oct 20, 2021

Conversation

Yp3rion
Contributor

@Yp3rion Yp3rion commented Oct 1, 2021

The pull request deals with the following:

  • After building and executing al-khaser on a Win 10 VM with VS 2017 Community version I encountered a bug which consisted in the GetProcAddress() function, invoked as part of the Wine detection checks, crashing with an illegal access error (0xC0000005) in the x86 version. As revealed by a run-time check when testing the Debug version of the software, this seemed to be caused indirectly by an error in the VectoredHandler defined for the TrapFlag anti-debug trick; more precisely, increasing the EIP value stored in the exception context by 1 was apparently what was causing the error, since after returning from the exception execution would proceed from an erroneous instruction.
  • Included the "Structured Exception Handler misuse" anti-disassembly technique for the x86 architecture, which consists in adding a custom exception handler pointing to an arbitrary function on top of the SEH stack at runtime and then triggering an exception in order to perform a covert function invocation; a more in-depth explanation of the technique can be found here.
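The root cause described in the first bullet is the difference between how Windows reports a single-step trap and an int 3 breakpoint on x86: after a trap the saved EIP already holds the next instruction, whereas for int 3 the kernel rewinds EIP to the 0xCC byte, so only the latter needs the +1. The following added example (host-independent C, not al-khaser's own code; the exc_t struct, the function names and the byte sequence are constructed for illustration) models both handler variants and shows the buggy one resuming mid-instruction:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* ExceptionCode values as reported in EXCEPTION_RECORD (public Windows NTSTATUS constants);
   defined locally so the model compiles without windows.h. */
#define CODE_BREAKPOINT   0x80000003u  /* int 3: on x86 the kernel rewinds EIP to the 0xCC byte */
#define CODE_SINGLE_STEP  0x80000004u  /* TF trap: EIP already holds the next instruction */
#define CODE_ACCESS_VIOL  0xC0000005u  /* fault: EIP holds the faulting instruction */

/* Hypothetical stand-in for the EXCEPTION_RECORD/CONTEXT fields a VEH reads and writes */
typedef struct { uint32_t code; uint32_t eip; } exc_t;

/* Handler logic as it was before the fix: advance EIP for every exception it sees */
uint32_t resume_eip_buggy(const exc_t *e) { return e->eip + 1; }

/* Fixed logic: only the int 3 case needs the +1; a single-step trap resumes at EIP as-is */
uint32_t resume_eip_fixed(const exc_t *e) {
    switch (e->code) {
    case CODE_BREAKPOINT:  return e->eip + 1;   /* skip the 0xCC the kernel rewound to */
    case CODE_SINGLE_STEP: return e->eip;       /* trap: EIP is already correct */
    default:               return e->eip;       /* faults (e.g. 0xC0000005) are not ours to skip */
    }
}

/* Constructed x86 byte sequence with known instruction starts (not real al-khaser code):
   0: 90             nop                  <- TF set just before this executes
   1: B8 78 56 34 12 mov eax, 0x12345678
   6: C3             ret                                                    */
static const uint32_t insn_starts[] = { 0, 1, 6 };

bool on_instruction_boundary(uint32_t eip) {
    for (size_t i = 0; i < sizeof insn_starts / sizeof insn_starts[0]; i++)
        if (insn_starts[i] == eip) return true;
    return false;
}

/* After the nop retires the CPU raises #DB with EIP == 1 (start of the mov).
   Returns where execution would resume under each handler variant. */
uint32_t trapflag_resume(bool use_fixed) {
    exc_t e = { CODE_SINGLE_STEP, 1 };
    return use_fixed ? resume_eip_fixed(&e) : resume_eip_buggy(&e);
}
```

With the buggy handler execution resumes at offset 2, inside the immediate of the mov, which is exactly the "erroneous instruction" symptom described above.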

@Yp3rion Yp3rion changed the title Bugfix + SEH anti-disassembly technique Bugfix + new anti-disassembly technique Oct 1, 2021
@ayoubfaouzi
Owner

Hey @Yp3rion

Thanks for your first contribution :)

I will review this one today.

@ayoubfaouzi
Owner

That was a good catch! I was wondering how you tracked the problem back to the trap flag issue, and I started debugging from there and figured out that in the VEH handler, when we increase the instruction pointer, we end up returning right after the RemoveVectoredExceptionHandler, so the VEH never gets deleted, and it keeps catching exceptions and somehow failed in the Wine check.

As a matter of fact, I also checked the x64 version and it does not need to advance RIP either; you should get rid of that as well.

I will look into the anti-disassembly part tomorrow.

Thank you.

@Yp3rion
Contributor Author

Yp3rion commented Oct 18, 2021

Perfect! I am happy to help and I was curious about the underlying issue since I have to admit I did not go much into detail after finding the bug, so thank you for explaining; I will make sure to fix the x64 version too then, should I do it after this pull request is approved or is it possible to edit a pull request on the fly? (I am a bit of a noob, I know)

@ayoubfaouzi
Owner

No worries, just modify the code, make a commit and push, it should appear here.

@ayoubfaouzi
Owner

Looks awesome! Thank you again.

@ayoubfaouzi ayoubfaouzi merged commit bed03d2 into ayoubfaouzi:master Oct 20, 2021
fengjixuchui added a commit to fengjixuchui/al-khaser that referenced this pull request Dec 3, 2021
Bugfix + new anti-disassembly technique (ayoubfaouzi#245)