7 | Qualys Vulnerability & Malware Research Labs (VMRL)
8 |
9 | Blackhat 2012 Presentation Samples
10 |
11 | Title: A Scientific (but non academic) study of how malware employs anti-debugging,
12 | anti-disassembly and anti-virtualization technologies
13 |
14 | Authors: Rodrigo Rubira Branco - rbranco *NOSPAM* qualys.com
15 | Gabriel Negreira Barbosa - gbarbosa *NOSPAM* qualys.com
16 | Pedro Drimel Neto - pdrimel *NOSPAM* qualys.com
17 |
18 | These are the anti-debugging techniques implemented in assembly. To assemble them, use
19 | Flat Assembler (FASM), which is available at http://flatassembler.net/
20 |
21 |
22 |
23 |
24 |
--------------------------------------------------------------------------------
/ASMsrc/garbage_bytes.ASM:
--------------------------------------------------------------------------------
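; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; Anti-disassembly sample: a "garbage byte" placed after an always-taken conditional jump.
; A linear-sweep disassembler does not follow the jump, decodes the stray 0x6a as the
; start of an instruction (push imm8) and thereby swallows the real `pop eax`.
;
; Fix: the original used `mov eax,eax`, which does not write EFLAGS, so ZF was whatever
; the loader left behind and the `jz` was not reliably taken. `xor eax,eax` sets ZF=1,
; making the branch an always-taken opaque predicate (same construct as fakejump.ASM).
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
include 'win32ax.inc'

.code

start:
nop                              ; padding only; makes the construct easy to locate in a disassembler
nop
nop

;jmp .destination
;db 0x6a ; garbage byte technique
;.destination:
; pop eax

xor eax,eax                      ; ZF=1 -> the jz below is always taken (opaque predicate)
jz .destination
db 0x6a                          ; garbage byte: never executed; a linear sweep decodes it as `push imm8` and eats the pop
.destination:
pop eax                          ; real code; discards one dword from the stack, nothing later depends on it

invoke ExitProcess,0
.end start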
31 |
--------------------------------------------------------------------------------
/ASMsrc/call_trick.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; Anti-disassembly sample: a CALL whose return address is never used.
; `call .function` pushes the address of the `db 0x6a` byte as its return address, but
; .function replaces that target with .correct_return (push/ret), so execution never comes
; back to the garbage byte. A disassembler that assumes a CALL returns to the byte after it
; decodes 0x6a as `push imm8` and misaligns the real code that follows.
; Stack accounting: the call pushes one dword, .function's push/ret is balanced, and the
; `pop eax` at .correct_return removes the dword the call pushed.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop
call .function                   ; pushes the address of the garbage byte below as "return address"
db 0x6a                          ; garbage byte: never executed (the call never returns here)
.correct_return:
pop eax                          ; drop the return address left on the stack by `call .function`
invoke MessageBox,HWND_DESKTOP,"This is where should return",invoke GetCommandLine,MB_OK
invoke ExitProcess,0
.function:
push DWORD .correct_return       ; replace the return target ...
ret                              ; ... and "return" to .correct_return instead of the garbage byte
.end start
27 |
--------------------------------------------------------------------------------
/Csrc/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | README C source
4 |
5 |
6 |
7 | Qualys Vulnerability & Malware Research Labs (VMRL)
8 |
9 | Blackhat 2012 Presentation Samples
10 |
11 | Title: A Scientific (but non academic) study of how malware employs anti-debugging,
12 | anti-disassembly and anti-virtualization technologies
13 |
14 | Authors: Rodrigo Rubira Branco - rbranco *NOSPAM* qualys.com
15 | Gabriel Negreira Barbosa - gbarbosa *NOSPAM* qualys.com
16 | Pedro Drimel Neto - pdrimel *NOSPAM* qualys.com
17 |
18 | The files in this directory were compiled with Visual Studio 2010
19 |
20 | Directories:
21 | fcall_examples - anti-debugging techniques that were implemented in C/C++
22 | VMDetection - anti-VM techniques
23 |
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------
/ASMsrc/nop_sequence.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test NOP sequence detection (4.2)
; reference: Mihai Christodorescu, Somesh Jha - Proceedings of the 12th USENIX Security
;
; Detection fixture only: two NOP runs (8 and 3 bytes) around a single mov. The program
; computes nothing; eax is set and never read. Exits via ExitProcess.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
xor eax, eax                     ; eax = 0
nop                              ; run of 8 consecutive NOPs (0x90) - the pattern a detector should flag
nop
nop
nop
nop
nop
nop
nop
mov eax,0x10101010               ; separates the two NOP runs; the value is never used
nop                              ; shorter run of 3 NOPs
nop
nop
invoke ExitProcess,0

.end start
34 |
--------------------------------------------------------------------------------
/ASMsrc/instr_substitution.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; Obfuscation sample: instruction substitution. The plain `push .destination / ret`
; (commented out below) is rewritten as push / push ebp / mov ebp,esp / leave / ret.
; `leave` (mov esp,ebp ; pop ebp) undoes the frame setup and leaves .destination on top of
; the stack, so the final `ret` transfers control to .destination exactly as the shorter
; push/ret would. Register state afterwards: ebp unchanged, esp back to its value before
; the first push.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop
;push .destination
;ret

;mov dword[esp],.destination
;ret

push .destination                ; target address that the ret below will consume
push ebp                         ; fake frame setup ...
mov ebp,esp
leave                            ; ... immediately undone: esp -> .destination, ebp restored
ret                              ; effectively `jmp .destination`

.destination:
invoke MessageBox,HWND_DESKTOP,"Destination!",invoke GetCommandLine,MB_OK


invoke ExitProcess,0
.end start
35 |
--------------------------------------------------------------------------------
/ASMsrc/fakemath.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; This program was created to test push followed by pop and xor/or (4.1)
; reference: Laspe Raber, Jason Raber - BlackHat 2008
; Deobfuscator: An Automated Approach to the Identification and Removal of Code Obfuscation
;
; Detection fixture only: `push imm / pop reg` is an obfuscated `mov eax,0x4040`, and the
; xor that follows turns it into eax = 0x4040 ^ 0x5050 = 0x1010. The result is never read.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.


include 'win32ax.inc'

.code

start:
xor eax,eax                      ; clear eax..edx; none of them is read afterwards
xor ebx,ebx
xor ecx,ecx
xor edx,edx
push 0x4040                      ; push/pop pair == `mov eax,0x4040` (the pattern under test)
pop eax
xor eax, 0x5050                  ; eax = 0x1010; value unused

invoke ExitProcess,0
.end start
29 |
--------------------------------------------------------------------------------
/Csrc/VMDetection/VMDetection.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "VMDetection", "VMDetection\VMDetection.vcxproj", "{DC7096E1-91C2-471F-8DED-1F70E4B09551}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {DC7096E1-91C2-471F-8DED-1F70E4B09551}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {DC7096E1-91C2-471F-8DED-1F70E4B09551}.Debug|Win32.Build.0 = Debug|Win32
14 | {DC7096E1-91C2-471F-8DED-1F70E4B09551}.Release|Win32.ActiveCfg = Release|Win32
15 | {DC7096E1-91C2-471F-8DED-1F70E4B09551}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/ASMsrc/fakejump.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; Obfuscation sample: a conditional jump whose outcome is fixed by the instruction right
; before it (opaque predicate). The active variant is `clc / jnc`: CF is cleared, so the
; jump is always taken. Note that .destination is also the very next instruction, so both
; the taken and the (impossible) fall-through path end up in the same place. The commented
; variants show the same idea with ZF (`xor/jz`) and CF set (`stc/jc`).
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop
;xor eax,eax
;jz .destination

;stc
;jc .destination

clc                              ; CF=0 ...
jnc .destination                 ; ... so this branch is always taken (and its target is the next instruction anyway)

;xor eax,eax
;jnz .destination2

.destination:
invoke MessageBox,HWND_DESKTOP,"Destination",invoke GetCommandLine,MB_OK
invoke ExitProcess,0
;.destination2:
; invoke ExitProcess,0

invoke ExitProcess,0             ; unreachable: ExitProcess above does not return
.end start
37 |
--------------------------------------------------------------------------------
/Csrc/fcall_examples/fcall_examples.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "fcall_examples", "fcall_examples\fcall_examples.vcxproj", "{AFCCCF22-D519-40EE-8F43-E16A245F8E1B}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {AFCCCF22-D519-40EE-8F43-E16A245F8E1B}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {AFCCCF22-D519-40EE-8F43-E16A245F8E1B}.Debug|Win32.Build.0 = Debug|Win32
14 | {AFCCCF22-D519-40EE-8F43-E16A245F8E1B}.Release|Win32.ActiveCfg = Release|Win32
15 | {AFCCCF22-D519-40EE-8F43-E16A245F8E1B}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/ASMsrc/pushret.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test push-ret anti-disassembly technique (5.1)
;
; `push .continue / ret` acts as an unconditional jump over 13 garbage bytes that are never
; executed. A linear-sweep disassembler that does not treat `ret` as the end of the flow
; decodes the garbage as instructions (it contains E9/E8, the jmp/call rel32 opcodes) and
; derails; a flow-following disassembler that understands push/ret lands on .continue.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
pop eax                          ; discard three dwords from the entry stack; nothing later depends on them
pop ebx
pop ecx
push .continue                   ; push/ret == `jmp .continue`
ret
db 0xab                          ; garbage bytes start here - never executed
db 0xbc
db 0xcd
db 0xff
db 0xaa
db 0x1
db 0x2
db 0xff
db 0xef
db 0xe9                          ; jmp rel32 opcode: bait for a linear sweep
db 0xab
db 0xe8                          ; call rel32 opcode: same
db 0xa9

.continue:
xor eax,eax                      ; filler: afterwards eax = 1, ecx = 0
mov ecx,1
nop
xchg eax,ecx
push edx                         ; push/pop of the same register: net no-op
pop edx
invoke ExitProcess,0
.end start
45 |
--------------------------------------------------------------------------------
/ASMsrc/heapflags.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; This program was created to test heap flags access (3.4)
; reference: "Anti-Unpacker Tricks" by Peter Ferrie
;
; Reads the default process heap's Flags field through the PEB and reports a debugger when
; the value is anything other than HEAP_GROWABLE (2), the value the cited reference gives
; for a process that was not created under a debugger.
; NOTE(review): the offsets used (PEB.ProcessHeap at 0x18, HEAP.Flags at 0x0C) match the
; pre-Vista 32-bit layout described in the reference; later Windows versions moved the
; Flags field, so confirm on the target OS before relying on the result.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc' ;

.code

start:
mov eax,[fs:0x30]                ; eax = PEB (TEB+0x30)
mov eax,[eax+0x18]               ; eax = PEB.ProcessHeap
mov eax,[eax+0xc]                ; eax = HEAP.Flags (pre-Vista offset, see header note)
dec eax                          ; two decs == `sub eax,2` without a visible compare against HEAP_GROWABLE
dec eax
jne .being_debugged              ; Flags != 2 -> extra (debug) heap flags present
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK

invoke ExitProcess,0
.end start
33 |
--------------------------------------------------------------------------------
/ASMsrc/peb.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test PEB BeingDebugged access (3.2)
; reference: "Anti-Unpacker Tricks" by Peter Ferrie
;
; Reads PEB.BeingDebugged (the byte at PEB+2, the same flag IsDebuggerPresent returns)
; without calling any API; the PEB pointer and the flag are both moved via push/pop
; instead of mov so the access pattern is less obvious in a disassembly.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
push dword [fs:0x30]             ; eax = PEB (push/pop == obfuscated mov)
pop eax
push dword [eax+0x2]             ; dword starting at PEB+2; its low byte is PEB.BeingDebugged
pop ebx
cmp bl, 0                        ; only the BeingDebugged byte is tested
jne .being_debugged
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0
.end start
33 |
--------------------------------------------------------------------------------
/ASMsrc/ntglobal.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test NtGlobalFlag access (3.1)
; reference: "Anti-Unpacker Tricks" by Peter Ferrie
;
; Reads the low byte of PEB.NtGlobalFlag (PEB+0x68 on 32-bit) and compares it with 0x70,
; i.e. FLG_HEAP_ENABLE_TAIL_CHECK (0x10) | FLG_HEAP_ENABLE_FREE_CHECK (0x20) |
; FLG_HEAP_VALIDATE_PARAMETERS (0x40), the combination the cited reference gives for a
; process created by a debugger. The compare is exact: if any other bit of the low byte
; is set (e.g. via gflags) the check reports "not found".
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
;

include 'win32ax.inc'

.code

start:
xor eax,eax                      ; clear eax/ebx so only the byte loaded below is significant
xor ebx,ebx

mov eax,[fs:0x30]                ; eax = PEB
mov bl,[eax+68h]                 ; bl = low byte of PEB.NtGlobalFlag
cmp bl,70h                       ; exact match against the three heap-check flags
je .being_debugged
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK

invoke ExitProcess,0
.end start
36 |
--------------------------------------------------------------------------------
/Csrc/VMDetection/VMDetection/VMDetection.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Source Files
23 |
24 |
25 |
--------------------------------------------------------------------------------
/ASMsrc/softice.ASM:
--------------------------------------------------------------------------------
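; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; This program was created to test softice anti-debugging detection (3.21)
; reference: "Anti-Unpacker Tricks" by Peter Ferrie
;
; Installs a stack-based SEH record, executes the interrupt-1 instruction and inspects the
; exception code delivered to the handler: EXCEPTION_SINGLE_STEP (0x80000004) is taken as
; "debugger found", anything else as "not found".
;
; Fix: the original pushed only the previous [fs:0] value before pointing [fs:0] at esp, so
; the EXCEPTION_REGISTRATION record {Next, Handler} had a stale stack dword as Handler and
; the exception never reached .exception. The handler address is now pushed first, the same
; frame layout hardware_bp.ASM and anti-vm_in_instruction.ASM use.
; NOTE(review): FASM assembles `int1` as the single-byte ICEBP (0xF1), not as `int 1`
; (0xCD 0x01); the cited trick depends on which of the two is executed - confirm the intended form.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.


include 'win32ax.inc'

.code

start:
xor eax, eax
push .exception                  ; Handler field of the EXCEPTION_REGISTRATION record
push dword [fs:0]                ; Next field = previous head of the SEH chain
mov [fs:0],esp                   ; install the record (never unlinked: the process exits from the handler)
int1                             ; raises the exception that routes execution to .exception
.exception:
; Entered as an SEH handler: [esp+4] = EXCEPTION_RECORD*, whose first dword is ExceptionCode.
; The handler does not return; it reports and calls ExitProcess.
mov eax,[esp+0x4]
cmp dword[eax], 0x80000004       ; EXCEPTION_SINGLE_STEP
je .being_debugged
jmp .exit
.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start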
35 |
--------------------------------------------------------------------------------
/ASMsrc/code_transposition.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; Obfuscation sample: code transposition. The straight-line sequence shown under
; "before obfuscation" is cut into blocks that are laid out in a different order and chained
; with unconditional jumps. Execution order is .first -> .second -> .continuation, i.e.
; xor eax,eax ; inc eax ; push ebx ; MessageBox - identical to the original sequence.
; Note the pushed ebx is never popped; the process exits via ExitProcess.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop

; before obfuscation
; xor eax,eax
; inc eax
; push ebx
; jmp .continuation
; .continuation:
; invoke MessageBox,HWND_DESKTOP,"Destination!",invoke GetCommandLine,MB_OK


; after obfuscation
jmp .first                       ; execution starts with the block placed second in the file

.second:
push ebx                         ; block 2 of the original sequence
jmp .continuation

.first:
xor eax,eax                      ; block 1 of the original sequence (eax = 1 afterwards)
inc eax
jmp .second

.continuation:
invoke MessageBox,HWND_DESKTOP,"Destination!",invoke GetCommandLine,MB_OK


invoke ExitProcess,0
.end start
45 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | README
4 |
5 |
6 |
7 | Qualys Vulnerability & Malware Research Labs (VMRL)
8 |
9 | Blackhat 2012 Presentation Samples
10 |
11 | Title: A Scientific (but non academic) study of how malware employs anti-debugging,
12 | anti-disassembly and anti-virtualization technologies
13 |
14 | Authors: Rodrigo Rubira Branco - rbranco *NOSPAM* qualys.com
15 | Gabriel Negreira Barbosa - gbarbosa *NOSPAM* qualys.com
16 | Pedro Drimel Neto - pdrimel *NOSPAM* qualys.com
17 |
18 | The samples are divided in four categories:
19 | Anti-Debugging
20 | Anti-Disassembly
21 | Obfuscation
22 | Anti-VM
23 |
24 | Anti-Debugging POCs were developed in C/C++ using Visual Studio 2010 and in Assembly
25 | with Flat Assembler; they are in the folders Csrc and ASMsrc, respectively.
26 |
27 | Anti-Disassembly and Obfuscation POCs were developed in Assembly with Flat Assembler and
28 | are available in the folder ASMsrc.
29 |
30 | Anti-VM POCs were developed in C/C++ using Visual Studio 2010 and are available in the
31 | Csrc folder.
32 |
33 |
34 |
35 |
36 |
--------------------------------------------------------------------------------
/ASMsrc/anti-vm_in_instruction.ASM:
--------------------------------------------------------------------------------
; Created for Hackers 2 Hackers Conference (H2HC) 2012 - 9th Edition
; Training: Windows Malware Reverse Engineering
;
; Authors:
; Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
;
; VMWare IN Anti-VM Technique
;
; Based on:
; Tom Liston, and Ed Skoudis - On the Cutting Edge: Thwarting Virtual Machine Detection - http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
;
; Probes the VMware backdoor I/O port: `in eax,dx` with eax='VMXh' and dx=0x5658 ('VX').
; Under VMware the hypervisor services the instruction and echoes the magic into ebx; on real
; hardware a ring-3 `in` normally faults, and the SEH record installed first routes that
; exception to .vmware_not_detected. That label is therefore reached in two different ways:
; by the fall-through `jmp` and as an exception handler; in both cases it only shows a message
; and exits, so the handler never returns. The SEH record is never unlinked.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
push .vmware_not_detected        ; Handler field of the EXCEPTION_REGISTRATION record
push dword [fs:0x0]              ; Next field = previous head of the SEH chain
mov [fs:0x0],esp                 ; install the record

mov eax,0x564D5868 ; 'VMXh'      ; backdoor magic
mov ebx,0x0                      ; ebx receives the reply; zeroed so the compare below cannot match by accident
mov ecx,0xA                      ; backdoor command number
mov edx,0x5658 ; 'VX'            ; backdoor port number

in eax,dx                        ; faults on real hardware (-> handler); answered by the hypervisor under VMware

cmp ebx,0x564D5868 ; 'VMXh'      ; reply echoes the magic in ebx when the backdoor is present
je .vmware_detected
jmp .vmware_not_detected



.vmware_detected:
invoke MessageBox,HWND_DESKTOP,"VMWare Detected!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0

.vmware_not_detected:
invoke MessageBox,HWND_DESKTOP,"VMWare NOT Detected!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0

.end start
44 |
--------------------------------------------------------------------------------
/ASMsrc/middle_instruction.ASM:
--------------------------------------------------------------------------------
; Created for Hackers 2 Hackers Conference (H2HC) 2012 - 9th Edition
; Training: Windows Malware Reverse Engineering
;
; Authors:
; Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
;
; Jump to the middle of an instruction
;
; Based on:
; Nick Harbour - Advanced Software Armoring and Polymorphic Kung-Fu
;
; Layout of the trick (byte offsets relative to `mov ax,0x05eb`):
;   +0  66 B8 EB 05   mov ax,0x05eb      - the immediate bytes EB 05 are themselves a short `jmp +5`
;   +4  31 C0         xor eax,eax        - ZF=1, so the jz below is always taken
;   +6  74 xx         jz $-4             - target is offset +2, the EB 05 inside the mov
;   +8  E8            db 0xe8            - garbage byte (call rel32 opcode), never executed
;   +9                pop eax ...        - where the hidden `jmp +5` lands (it skips +4..+8)
; A disassembler that decodes from instruction boundaries never sees the hidden jmp and
; swallows the following bytes as the displacement of a call.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
; Useless pushes. They are here only to pop later.
; The idea of such pops is to make it clear, in the debugger, the destination of the "jmp 5" inside the mov instruction
push 0x1
push 0x2
push 0x3

mov ax,0x05eb                    ; 66 B8 EB 05 - immediate doubles as a hidden `jmp +5`
xor eax,eax                      ; 31 C0 - sets ZF=1

; jump to "jmp 5" (0xeb 0x05), i.e. into the middle of the mov instruction above
; (the last two bytes of that mov are 0xeb 0x05)
; such "jmp 5" redirects the flow to the "; rest of the code"
jz $-4                           ; $ is this jz; $-4 is the third byte of the mov

db 0xe8 ; garbage byte           ; call rel32 opcode: a linear sweep eats the next four bytes as its displacement

; rest of the code

; pops described in the pushes comment
pop eax
pop eax
pop eax

invoke MessageBox,HWND_DESKTOP,"Hooray!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.end start
44 |
--------------------------------------------------------------------------------
/ASMsrc/software_bp.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test detection of software breakpoint (3.26)
; reference: "The Art Of Unpacking" by Mark Vincent Yason
;
; Scans its own code for the 0xCC (int3) byte a software breakpoint leaves behind.
; The scanned region is the 9 bytes starting at .protectedcode (3 nops + 2-byte
; xor eax,eax + 4 nops); the 0xCC immediate of `mov al,0xCC` lies after that region,
; so it does not trigger the scan itself.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
nop
xor eax,eax                      ; clear eax..edx (only eax/ecx/edi are used below)
xor ebx,ebx
xor ecx,ecx
xor edx,edx

.protectedcode:                  ; start of the 9-byte region that is scanned
nop
nop
nop
xor eax,eax                      ; 2 bytes
nop
nop
nop
nop
cld                              ; scasb must walk forwards
mov edi,.protectedcode           ; scan start
mov ecx,0x09                     ; scan length == size of the region above
mov al,0xCC                      ; byte to look for (int3 opcode)
repne scasb                      ; stops at the first 0xCC; ZF=1 iff one was found within ecx bytes
jz .being_debugged
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Software Breakpoint Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0
.exit:
invoke MessageBox,HWND_DESKTOP,"Software Breakpoint NOT Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start
49 |
--------------------------------------------------------------------------------
/ASMsrc/ss_register.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test SS register use to detect debugger (single-step) (3.22)
; references:
; "Anti-Unpacker Tricks" by Peter Ferrie
; "The Ultimate Anti-Debugging Reference" by Peter Ferrie
; "Windows Anti-Debug Reference" by Nicolas Falliere:
; http://www.symantec.com/connect/articles/windows-anti-debug-reference
;
; Writing SS (`pop ss`) suppresses interrupts and debug traps for the following instruction.
; When the program is being single-stepped, the debugger does not get control after
; `pop ss`, so the `pushfd` that follows runs with the trap flag (TF, EFLAGS bit 8) still set
; and stores that EFLAGS image on the stack, where the program can read it. Without a
; single-stepping debugger TF is clear. The 4-byte EFLAGS image is never popped; the
; process exits on both paths.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop
nop
nop
nop
nop
push ss                          ; push/pop ss: the pop delays traps for the next instruction
pop ss
pushfd                           ; EFLAGS snapshot taken while the single-step trap is suppressed
test byte [esp+1], 1             ; EFLAGS bit 8 == bit 0 of byte 1 == TF
jnz .being_debugged
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found - Single step detected!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start
44 |
--------------------------------------------------------------------------------
/ASMsrc/api_hash.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created only to test PEB-> Ldr Address Resolving detection (4.3)
; it is by no means a fully functional program to be used in order to import windows APIs
; reference: Harmony Security - Blog - Retrieving Kernel32's Base Address
; http://blog.harmonysecurity.com/2009/06/retrieving-kernel32s-base-address.html
;
; Detection fixture: walks PEB -> Ldr -> InLoadOrderModuleList to the third loaded module,
; takes its base address and follows the PE headers to the export directory. It stops after
; computing the address of the AddressOfFunctions field; nothing is resolved or called.
; NOTE(review): the cited post expects the third entry of InLoadOrderModuleList to be
; kernel32 (first is the executable itself); that order is not guaranteed across Windows
; versions - confirm before reusing the walk.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
pusha                            ; save all registers (never restored: the process exits below)
mov eax,[fs:0x30] ; PEB
mov eax,[eax+0xc] ; Ldr          ; eax = PEB_LDR_DATA
mov eax,[eax+0xc] ; InLoadOrderModuleList.Flink   ; first entry (the executable)
mov eax,[eax] ; InLoadOrderModuleList.Flink       ; second entry
mov eax,[eax] ; InLoadOrderModuleList.Flink       ; third entry (see header note)
mov eax,[eax+0x18] ; BaseAddress ; LDR_DATA_TABLE_ENTRY.DllBase

mov ebx,eax                      ; ebx = module base, kept for RVA -> VA conversion

add eax,[eax+0x3c] ; DOS_HEADER.e_lfanew          ; eax = IMAGE_NT_HEADERS
mov eax,[eax+0x78] ; OptionalHeader.ExportDir.VirtualAddress   ; RVA of IMAGE_EXPORT_DIRECTORY
add eax,ebx                      ; eax = IMAGE_EXPORT_DIRECTORY (VA)

lea esi,[eax+0x1c] ; AddressOfFunctions           ; esi = address of the AddressOfFunctions RVA field; the sample stops here

invoke ExitProcess,0

.end start
--------------------------------------------------------------------------------
/ASMsrc/anti_disassembly_yason.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
;
; This program was created to test branch to garbage byte (5.2)
; reference: "The Art of Unpacking" by Mark Vincent Yason
;
; Two copies of the same construct: set CF explicitly, then branch on the opposite condition
; (never taken) to a label holding a lone 0xFF byte, while a push/retn performs the real
; transfer. A disassembler that follows the fake branch decodes the 0xFF as the first byte
; of an instruction and misaligns; the real flow is start -> .jmp_real_01 -> .jmp_real_02,
; which then reads PEB.BeingDebugged via the TEB.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
;

include 'win32ax.inc'

.code
start:
push .jmp_real_01                ; return target for the retn below
stc                              ; CF=1 -> jnc is never taken (opaque predicate)
jnc .jmp_fake_01
retn                             ; pops .jmp_real_01: effectively `jmp .jmp_real_01`

.jmp_fake_01:
db 0xff                          ; garbage byte, never executed

.jmp_real_01:
mov eax, [fs:0x18]               ; eax = TEB (TEB.Self)
push .jmp_real_02
clc                              ; CF=0 -> jc is never taken
jc .jmp_fake_02
retn                             ; effectively `jmp .jmp_real_02`

.jmp_fake_02:
db 0xff                          ; garbage byte, never executed

.jmp_real_02:
mov eax, [eax+0x30]              ; eax = PEB (TEB+0x30)
movzx eax, byte [eax+0x02]       ; eax = PEB.BeingDebugged
test eax, eax
jnz .debugger_found
jmp .exit

.debugger_found:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start
--------------------------------------------------------------------------------
/ASMsrc/rdtsc.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; This program was created to test RDTSC instruction timing (3.25)
; references:
; "Anti-Unpacker Tricks" by Peter Ferrie
; "The Ultimate Anti-Debugging Reference" by Peter Ferrie
; "Windows Anti-Debug Reference" by Nicolas Falliere:
; http://www.symantec.com/connect/articles/windows-anti-debug-reference
;
; Takes two time-stamp-counter readings back to back and treats a difference of 0xFFF
; (4095) or more cycles as evidence that something (a debugger stepping, a breakpoint)
; interrupted the program in between. Only the low 32 bits of the counter are used; the
; threshold is fixed and not calibrated, so it is a demonstration value, not a tuned one.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.

include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop
nop
nop
nop
nop
nop
rdtsc ; rdpmc or rdmsr (64 bits) ; edx:eax = first reading; only eax (low dword) is kept
xor ecx,ecx
add ecx,eax                      ; xor+add == `mov ecx,eax` (obfuscated copy of the first reading)
rdtsc ; rdpmc or rdmsr (64 bits) ; second reading
sub eax,ecx                      ; elapsed cycles, low dword (a single wrap of the low dword is absorbed by the modular subtraction)
cmp eax,0xFFF                    ; threshold
jnb .being_debugged              ; unsigned: elapsed >= 0xFFF -> flagged
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger Not Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start
46 |
--------------------------------------------------------------------------------
/ASMsrc/hardware_bp.ASM:
--------------------------------------------------------------------------------
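; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; This program was created to test hardware breakpoint detection (3.13)
; reference: "Anti-Unpacker Tricks" by Peter Ferrie
;
; Installs a stack-based SEH record, triggers an access violation on purpose and inspects the
; CONTEXT handed to the handler: a non-zero value in any of Dr0..Dr3 means a hardware
; breakpoint is set. The handler never resumes the faulting code; it reports and exits, so
; the instructions after the fault are never reached (they are kept for layout only).
;
; Fix: the "found" message read "Hardwae BP Found!"; corrected to "Hardware BP Found!".
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.


include 'win32ax.inc'

.code

start:
push .exception_handler          ; Handler field of the EXCEPTION_REGISTRATION record
push dword [fs:0]                ; Next field = previous head of the SEH chain
mov [fs:0],esp                   ; install the record (never unlinked: the process exits from the handler)

xor eax,eax
mov dword [eax], 0               ; deliberate write to address 0 -> access violation -> .exception_handler
pop dword [fs:0]                 ; not reached (see header); original layout kept
add esp,4
test eax,eax
jnz .being_debugged
jmp .exit


.exception_handler:
; SEH handler entry: [esp+0xc] = CONTEXT* (third argument). 32-bit CONTEXT layout:
; ContextFlags at +0, Dr0..Dr3 at +0x04, +0x08, +0x0C, +0x10.
mov eax,[esp+0xc]
cmp dword [eax+0x04],0           ; Dr0
jne .being_debugged
cmp dword [eax+0x08],0           ; Dr1
jne .being_debugged
cmp dword [eax+0x0C],0           ; Dr2
jne .being_debugged
cmp dword [eax+0x10],0           ; Dr3
jne .being_debugged
jmp .exit

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Hardware BP Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess, 0
.exit:
invoke MessageBox,HWND_DESKTOP,"Hardware BP Not Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start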
51 |
--------------------------------------------------------------------------------
/Csrc/fcall_examples/fcall_examples/fcall_examples.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/ASMsrc/fakecode.ASM:
--------------------------------------------------------------------------------
; Qualys Vulnerability & Malware Research Labs (VMRL)
; Blackhat 2012 Presentation Samples
; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
; anti-disassembly and anti-virtualization technologies
; Authors: Rodrigo Rubira Branco
; Gabriel Negreira Barbosa
; Pedro Drimel Neto
;
; Anti-disassembly sample: fake code. A push/ret pair jumps over a block of well-formed
; instructions (push / inc / mov esp,eax / MessageBox) that is never executed. Because the
; dead block decodes cleanly, a linear-sweep disassembler presents it as live code; a
; flow-following one that understands push/ret skips it. The commented variants show the
; same layout reached via a plain jmp and via an opaque `xor/jnz` predicate.
;
; Target: 32-bit Windows PE built with FASM (win32ax.inc). Entry point: start.
include 'win32ax.inc'

.code

start:
nop                              ; padding only
nop
nop

;jmp .destination
;push 0x12345678
;inc eax
;mov esp,eax
;invoke MessageBox,HWND_DESKTOP,"This does not execute!",invoke GetCommandLine,MB_OK
;.destination:
; invoke MessageBox,HWND_DESKTOP,"This gets executed!",invoke GetCommandLine,MB_OK

;xor eax,eax
;jnz .fake_code
;jmp .destination
;.fake_code:
; push 0x12345678
; inc eax
; mov esp,eax
; invoke MessageBox,HWND_DESKTOP,"This does not execute!",invoke GetCommandLine,MB_OK
;.destination:
; invoke MessageBox,HWND_DESKTOP,"This gets executed!",invoke GetCommandLine,MB_OK

push .destination                ; push/ret == `jmp .destination`
ret
push 0x12345678                  ; fake code starts here: never executed, but decodes as valid instructions
inc eax
mov esp,eax                      ; would be destructive if it ever ran; it does not
invoke MessageBox,HWND_DESKTOP,"This does not execute!",invoke GetCommandLine,MB_OK
.destination:
invoke MessageBox,HWND_DESKTOP,"This gets executed!",invoke GetCommandLine,MB_OK




invoke ExitProcess,0
.end start
51 |
--------------------------------------------------------------------------------
/Csrc/VMDetection/VMDetection/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : VMDetection Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this VMDetection application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your VMDetection application.
9 |
10 |
11 | VMDetection.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | VMDetection.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | VMDetection.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named VMDetection.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Csrc/fcall_examples/fcall_examples/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : fcall_examples Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this fcall_examples application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your fcall_examples application.
9 |
10 |
11 | fcall_examples.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | fcall_examples.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | fcall_examples.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named fcall_examples.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/ASMsrc/api_hash_stealth.ASM:
--------------------------------------------------------------------------------
1 | ; Qualys Vulnerability & Malware Research Labs (VMRL)
2 | ; Blackhat 2012 Presentation Samples
3 | ; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
4 | ; anti-disassembly and anti-virtualization technologies
5 | ; Authors: Rodrigo Rubira Branco
6 | ; Gabriel Negreira Barbosa
7 | ; Pedro Drimel Neto
8 | ;
9 | ;
10 | ; This program was created only to test stealth import of windows API (4.4)
11 | ; it is by no means a fully functional program to be used in order to import windows APIs
12 | ; This program was created to test ntglobal access (3.1)
13 | ; reference: Alexey Lyashko - Stealth Import of Windows API
14 | ; http://syprog.blogspot.com.br/2011/10/stealth-import-of-windows-api.html
15 |
16 | include 'win32ax.inc'
17 |
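.data
mz db "MZ"                               ; unused: the scans below compare against immediates
pe db "PE"

.code

;-----------------------------------------------------------------------
; start - locate a system module, and the start of its export directory,
; without touching the import table: walk the SEH chain from
; TEB.ExceptionList (fs:[0]) to the last registration, take that handler's
; address, round it down to 64 KiB and scan backwards for the "MZ" header,
; then verify the "PE\0\0" signature at e_lfanew.
; In:    nothing (entry point)
; Out:   does not return; ExitProcess after a MessageBox
; Regs:  eax = cursor (SEH record -> handler -> image base -> PE header)
;        ebx = e_lfanew
; Notes: - the backward scan has no lower bound: walking off the module into
;          an unmapped page raises an access violation nothing here handles
;        - demo code: it only reports whether the PE signature was found
;        - e_lfanew is now read as the 32-bit field it is (the previous
;          16-bit read was only correct for headers shorter than 64 KiB)
;        - six pops with no matching pushes used to precede the final
;          ExitProcess; they consumed the entry stack and were removed
;-----------------------------------------------------------------------
start:
nop                                      ; padding, no effect
nop
nop
nop
nop
nop
nop
nop

mov eax,[fs:0]                           ; TEB.ExceptionList: head of the SEH chain

.search_default_handler:
cmp dword [eax], 0xFFFFFFFF              ; Next == -1 marks the last (default) registration
jz .found_default_handler
mov eax, [eax]                           ; eax = record->Next
jmp .search_default_handler

.found_default_handler:
mov eax, [eax+4]                         ; eax = record->Handler (lives inside a system module)
and eax, 0xFFFF0000                      ; round down to the 64 KiB allocation granularity

.look_for_mz:
cmp word [eax], 'MZ'                     ; IMAGE_DOS_HEADER.e_magic
jz .got_mz
sub eax, 0x10000                         ; previous 64 KiB block
jmp .look_for_mz

.got_mz:
mov ebx, [eax+0x3C]                      ; ebx = e_lfanew (32-bit)
add eax, ebx                             ; eax = IMAGE_NT_HEADERS
cmp dword [eax], 'PE'                    ; "PE\0\0" signature, same immediate form as the 'MZ' check
jnz .not_found_pe

.found_pe:
add eax, 0x78                            ; PE32: OptionalHeader.DataDirectory[0] (export directory); unused beyond this point
invoke MessageBox,HWND_DESKTOP,"PE signature found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,NULL

.not_found_pe:
invoke MessageBox,HWND_DESKTOP,"PE signature not found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start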
--------------------------------------------------------------------------------
/ASMsrc/instruction_counting.ASM:
--------------------------------------------------------------------------------
1 | ; Qualys Vulnerability & Malware Research Labs (VMRL)
2 | ; Blackhat 2012 Presentation Samples
3 | ; Title: A Scientific (but non academic) study of how malware employs anti-debugging,
4 | ; anti-disassembly and anti-virtualization technologies
5 | ; Authors: Rodrigo Rubira Branco
6 | ; Gabriel Negreira Barbosa
7 | ; Pedro Drimel Neto
8 | ;
9 | ; This program was created to test detection of instruction counting implemented by tElock (3.29)
10 | ; references:
11 | ; "Anti-Unpacker Tricks" by Peter Ferrie
12 | ; "The Ultimate Anti-Debugging Reference" by Peter Ferrie
13 |
14 | include 'win32ax.inc'
15 |
16 | .code
17 |
;-----------------------------------------------------------------------
; start - tElock-style "instruction counting" debugger check.
; 1. Install a frame-based SEH handler (.exception) and raise int3.
; 2. In the handler, for EXCEPTION_BREAKPOINT: arm DR0..DR3 on the four
;    NOPs at .labelone by writing them into the CONTEXT record, then continue.
; 3. Each NOP then raises EXCEPTION_SINGLE_STEP; the handler skips the NOP
;    and increments CONTEXT.Eax, so al == 4 when control reaches the cmp.
; A debugger that owns the debug registers, or that consumes the exceptions
; before this handler runs, leaves al != 4 -> .being_debugged.
; The SEH frame is never unlinked; the process leaves via ExitProcess.
;-----------------------------------------------------------------------
start:
xor eax,eax                  ; eax = 0: fs offset below, and the hit counter seen at `cmp al, 4`
push .exception              ; EXCEPTION_REGISTRATION.Handler
push dword [fs:eax]          ; EXCEPTION_REGISTRATION.Next = current head (fs:[0])
mov [fs:eax], esp            ; link the new frame at the head of the chain
int3 ; force an exception: EXCEPTION_BREAKPOINT (0x80000003)
.labelone:
nop                          ; DR0 target: each NOP becomes a 1-byte execute breakpoint
nop                          ; DR1
nop                          ; DR2
nop                          ; DR3
cmp al, 4 ; the handler ran once per NOP -> CONTEXT.Eax == 4 when nothing interfered with the debug registers
jne .being_debugged
jmp .exit

;-----------------------------------------------------------------------
; .exception - SEH handler (ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext)
; Returns 0 (ExceptionContinueExecution) on both handled paths.
; Register use: eax = ExceptionRecord, then ExceptionCode; edi = CONTEXT cursor;
;               ecx = 0x55 (see below).
;-----------------------------------------------------------------------
.exception:
push edi
mov eax, [esp+8] ; ExceptionRecord (arg 1; +4 because of the pushed edi)
mov edi, [esp+0x10] ; ContextRecord (arg 3)

push 0x55; ecx = 0x55 does double duty: scaled, ecx*2 = 0xAA reaches CONTEXT.Eip (0xAA+0x0E = 0xB8) and CONTEXT.Eax (0xAA+6 = 0xB0); with ch = 1 added later, 0x155 is the DR7 value (L0..L3 enabled, LE set, R/W and LEN zero = execute, length 1)
pop ecx
inc dword [ecx*2+edi+0x0e]; CONTEXT.Eip += 1: resume past the int3 the first time, skip the 1-byte NOP on every later hit
; This increment is not visible when stepping in a debugger, presumably because the debugger
; receives the exception first and this handler never runs - that is the effect the check relies on.

mov eax, [eax]; ExceptionCode
sub eax, 0x80000003
jne .test_singlestep ; not EXCEPTION_BREAKPOINT -> check for a single-step (hardware breakpoint) hit
mov eax, .labelone ; breakpoint path: arm DR0..DR3 on the four NOPs
scasd                        ; edi += 4 (skip ContextFlags); the compare result is ignored
stosd ; Dr0 = .labelone
inc eax
stosd ; Dr1 = .labelone + 1
inc eax
stosd ; Dr2 = .labelone + 2
inc eax
stosd ; Dr3 = .labelone + 3
mov ch,1                     ; ecx = 0x155
xchg ecx, eax                ; eax = 0x155 (DR7 value); ecx is scratch from here on
scasd                        ; edi += 4 (skip Dr6)
stosd ; Dr7 = 0x155; the debug registers are taken from this CONTEXT when execution continues (per the cited Ferrie references)
xor eax,eax                  ; return ExceptionContinueExecution
pop edi
ret

.test_singlestep:
dec eax; zero iff ExceptionCode == 0x80000004 (EXCEPTION_SINGLE_STEP)
jne .being_debugged ; any other exception code is treated as debugger interference
; hardware-breakpoint hit: count it and resume (Eip was already advanced above)
inc dword [ecx*2+edi+6]; CONTEXT.Eax += 1 - the counter compared at `cmp al, 4`
pop edi
ret

.being_debugged:
invoke MessageBox,HWND_DESKTOP,"Debugger Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0
.exit:
invoke MessageBox,HWND_DESKTOP,"Debugger NOT Found!",invoke GetCommandLine,MB_OK
invoke ExitProcess,0

.end start
80 |
--------------------------------------------------------------------------------
/Csrc/VMDetection/VMDetection/VMDetection.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | {DC7096E1-91C2-471F-8DED-1F70E4B09551}
15 | Win32Proj
16 | VMDetection
17 |
18 |
19 |
20 | Application
21 | true
22 | Unicode
23 |
24 |
25 | Application
26 | false
27 | true
28 | Unicode
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 | true
42 |
43 |
44 | false
45 |
46 |
47 |
48 | NotUsing
49 | Level3
50 | Disabled
51 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
52 | MultiThreaded
53 |
54 |
55 | Console
56 | true
57 |
58 |
59 |
60 |
61 | Level3
62 | NotUsing
63 | MaxSpeed
64 | true
65 | true
66 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
67 | MultiThreaded
68 |
69 |
70 | Console
71 | true
72 | true
73 | true
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
--------------------------------------------------------------------------------
/Csrc/fcall_examples/fcall_examples/fcall_examples.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 |
14 | {AFCCCF22-D519-40EE-8F43-E16A245F8E1B}
15 | Win32Proj
16 | fcall_examples
17 |
18 |
19 |
20 | Application
21 | true
22 | Unicode
23 |
24 |
25 | Application
26 | false
27 | true
28 | Unicode
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 | true
42 |
43 |
44 | false
45 |
46 |
47 |
48 | NotUsing
49 | Level3
50 | Disabled
51 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
52 | MultiThreaded
53 |
54 |
55 | Console
56 | true
57 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;winmm.lib;uuid.lib;odbc32.lib;winmm.lib;odbccp32.lib;%(AdditionalDependencies)
58 |
59 |
60 |
61 |
62 | Level3
63 | NotUsing
64 | MaxSpeed
65 | true
66 | true
67 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
68 | MultiThreaded
69 |
70 |
71 | Console
72 | true
73 | true
74 | true
75 | kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;winmm.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
--------------------------------------------------------------------------------
/Csrc/VMDetection/VMDetection/VMDetection.cpp:
--------------------------------------------------------------------------------
1 | /* Qualys Vulnerability & Malware Research Labs (VMRL)
2 | Blackhat 2012 Presentation Samples
3 | Title: A Scientific (but non academic) study of how malware employs anti-debugging,
4 | anti-disassembly and anti-virtualization technologies
5 | Authors: Rodrigo Rubira Branco
6 | Gabriel Negreira Barbosa
7 | Pedro Drimel Neto
8 |
9 | This program basically implements virtual machine detection techniques described
10 | on sections 5.1, 5.2 and 5.3. The code is based on the following sources:
11 |
12 | http://www.trapkit.de/research/vmm/scoopyng/
13 | http://www.offensivecomputing.net/dc14/vmdetect.cpp
14 | http://www.codeproject.com/Articles/9823/Detect-if-your-program-is-running-inside-a-Virtual
15 | */
16 |
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 | // 5.1
24 | // Reference:
25 | // ScoopyNG - The VMware detection tool - Version v1.0 - Tobias Klein, 2008 - www.trapkit.de
// Reads IDTR with SIDT (unprivileged on x86) and tests the top byte of the
// 32-bit IDT base. 32-bit build only: `_asm` is not available in x64 MSVC and
// the base is read as a 4-byte unsigned long.
// Caveat: the IDT base is per-CPU, so an unpinned thread can report different
// results between runs on multi-processor hosts - see the cited ScoopyNG notes.
void sidt() {
unsigned char idtr[6];          // SIDT stores limit (2 bytes) followed by base (4 bytes)
unsigned long idt = 0;

_asm sidt idtr
idt = *((unsigned long *)&idtr[2]);   // base = bytes 2..5 (type-punned, unaligned read; tolerated by MSVC/x86)

if ((idt >> 24) == 0xff)        // 0xff top byte: the VMware heuristic taken from the cited tool
printf("VM detected\n");
else
printf("VM not detected\n");

}
39 |
40 | // 5.1
41 | // Reference:
42 | // ScoopyNG - The VMware detection tool - Version v1.0 - Tobias Klein, 2008 - www.trapkit.de
// Reads the LDT selector with SLDT into the first two bytes of a 0xdeadbeef
// sentinel. A zero selector leaves ldt == 0xdead0000 (reported as "not a VM");
// any other selector is reported as a VM (heuristic from the cited ScoopyNG tool).
void sldt() {
unsigned char ldtr[5] = "\xef\xbe\xad\xde";   // little-endian 0xdeadbeef plus the string NUL
unsigned long ldt = 0;

_asm sldt ldtr                  // 16-bit store: overwrites bytes 0..1 only
ldt = *((unsigned long *)&ldtr[0]);   // bytes 2..3 still hold 0xad 0xde -> 0xdeadXXXX

if (ldt == 0xdead0000)          // selector == 0
printf("VM not detected\n");
else
printf("VM detected\n");
}
55 |
56 | // 5.1
57 | // Reference:
58 | // ScoopyNG - The VMware detection tool - Version v1.0 - Tobias Klein, 2008 - www.trapkit.de
// Same check as sidt() applied to GDTR: SGDT stores limit + 32-bit base, and
// a base whose top byte is 0xff is reported as a VM (cited ScoopyNG heuristic).
// Like the IDT, the GDT base is per-CPU, so results may vary on SMP hosts.
void sgdt() {
unsigned char gdtr[6];          // limit (2 bytes) followed by base (4 bytes)
unsigned long gdt = 0;

_asm sgdt gdtr
gdt = *((unsigned long *)&gdtr[2]);   // base = bytes 2..5 (type-punned, unaligned read)

if ((gdt >> 24) == 0xff)
printf("VM detected\n");
else
printf("VM not detected\n");
}
71 |
72 | // 5.1
73 | // Reference:
74 | // ScoopyNG - The VMware detection tool - Version v1.0 - Tobias Klein, 2008 - www.trapkit.de
// Stores the task register selector (16 bits) into mem[0..1] and matches the
// value 0x4000 (mem[0] == 0x00, mem[1] == 0x40) that the cited tool associates
// with VMware guests. mem[2..3] are never written.
void str() {
unsigned char mem[4] = {0, 0, 0, 0};

__asm str mem;                  // STR m16: only the first two bytes are written

if ((mem[0] == 0x00) && (mem[1] == 0x40))
printf ("VM detected\n");
else
printf ("VM not detected\n");
}
85 |
86 | // 5.1
87 | // Reference
88 | // http://www.offensivecomputing.net/ Written by Danny Quist, Offensive Computing
// Reads the machine status word (low 16 bits of CR0) with SMSW into a register
// pre-filled with 0xCCCCCCCC. With a 32-bit register destination the upper 16
// bits are architecturally undefined; the check assumes a real CPU overwrites
// them, so upper bytes that still read 0xcc are taken as an emulated SMSW -
// TODO confirm that assumption against the cited source.
// Note: MSVC inline asm resolves `[reax]` to the local variable reax, so the
// final store lands in the C variable.
void smsw() {
unsigned int reax = 0;

__asm
{
mov eax, 0xCCCCCCCC; fill pattern: survives only if SMSW leaves the upper half alone
smsw eax; CR0[15:0] -> ax
mov DWORD PTR [reax], eax; store into the C local `reax`
}

if ( (( (reax >> 24) & 0xFF ) == 0xcc) && (( (reax >> 16) & 0xFF ) == 0xcc))   // both upper bytes untouched
printf("VM detected\n");
else
printf("VM not detected\n");
}
104 |
105 | // 5.2
106 | // Reference: ScoopyNG - The VMware detection tool - Version v1.0 - Tobias Klein, 2008 - www.trapkit.de
// Issues the VMware I/O-port backdoor query (magic 'VMXh' in EAX, port 'VX'
// in DX, command 0x14 - the memory-size query in the cited tool, hence the
// name) and reports VMware if a non-zero value came back in EAX.
// Outside VMware the ring-3 IN is a privileged instruction and faults; the
// SEH handler swallows it and `a` keeps its initial 0. All four registers are
// saved and restored around the probe.
void vmware_get_memory() {
unsigned int a = 0;             // must start at 0: it is the verdict when IN faults

__try {
__asm {
push eax
push ebx
push ecx
push edx

mov eax, 'VMXh'                 ; backdoor magic
mov ecx, 14h                    ; command: get memory size
mov dx, 'VX'                    ; backdoor port
in eax, dx                      ; faults on a real host (privileged instruction)
mov a, eax

pop edx
pop ecx
pop ebx
pop eax
}
} __except (EXCEPTION_EXECUTE_HANDLER) {}   // any exception: fall through with a == 0

if (a > 0)
printf("VMWare detected\n");
else
printf("VMWare not detected\n");
}
135 |
136 | // 5.2
137 | // Reference: ScoopyNG - The VMware detection tool - Version v1.0 - Tobias Klein, 2008 - www.trapkit.de
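// Same backdoor as vmware_get_memory() with command 0x0A (version query): on
// VMware the hypervisor returns the magic in EBX, so a == 'VMXh' identifies
// it. On a real host the IN faults before `mov a, ebx` runs and the handler
// swallows the exception, so both locals MUST be pre-initialised - the
// original left them uninitialised and the comparison below then read
// indeterminate stack contents.
void vmware_get_version() {
    unsigned int a = 0;         // EBX after the probe: 'VMXh' on VMware, untouched (0) otherwise
    unsigned int b = 0;         // ECX after the probe: version number; collected but not reported

    __try {
        __asm {
            push eax
            push ebx
            push ecx
            push edx

            mov eax, 'VMXh'     ; backdoor magic
            mov ecx, 0Ah        ; command: get version
            mov dx, 'VX'        ; backdoor port
            in eax, dx          ; faults on a real host (privileged instruction)
            mov a, ebx
            mov b, ecx

            pop edx
            pop ecx
            pop ebx
            pop eax
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {}   // any exception: fall through with a == 0

    if (a == 'VMXh')
        printf("VM detected\n");
    else
        printf("VM not detected\n");
}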
167 |
168 | // 5.3
169 | // Reference:
170 | // http://www.codeproject.com/system/VmDetect.asp
// Exception filter used by virtualpc_detect(): on real hardware the four
// emitted bytes fault; report "not VPC" through EBX and resume just past
// them so the __try block completes normally.
// ep: exception information from GetExceptionInformation().
// Returns EXCEPTION_CONTINUE_EXECUTION, so the caller's __except body is
// never entered. Note that the filter does not inspect the exception code.
DWORD __forceinline IsInsideVPC_exceptionFilter(_EXCEPTION_POINTERS *ep)
{
    CONTEXT *const frame = ep->ContextRecord;

    frame->Ebx = (DWORD)-1;     // any non-zero EBX reads as "not VPC" to the caller's setz
    frame->Eip += 4;            // length of the emitted 0F 3F 07 0B sequence
    return EXCEPTION_CONTINUE_EXECUTION;   // safe: the faulting bytes were skipped
}
180 |
181 | // From Elias Bachaalany's Codeproject.com post:
182 | // http://www.codeproject.com/system/VmDetect.asp
// Probes for Virtual PC: the bytes 0F 3F 07 0B are an illegal opcode on real
// hardware; per the cited article the VPC monitor intercepts them and returns
// with EBX == 0. On hardware the fault goes to IsInsideVPC_exceptionFilter,
// which sets EBX to -1 and resumes after the four bytes, so `test ebx, ebx` /
// `setz` yields false. Returns TRUE only when EBX came back 0.
// The filter does not check the exception code, so any fault raised inside
// the block is treated the same way.
BOOL virtualpc_detect()
{
bool rc = false;                // written as one byte by setz; widened to BOOL on return

__try {
__asm {
push eax
push ebx
push ecx
push edx

mov ebx,0h                      ; inputs per the cited article
mov eax, 01h

__emit 0Fh                      ; 0F 3F 07 0B - matches the filter's Eip += 4
__emit 3Fh
__emit 07h
__emit 0Bh

test ebx, ebx
setz [rc]                       ; rc = (ebx == 0)

pop edx
pop ecx
pop ebx
pop eax
}
}
__except(IsInsideVPC_exceptionFilter(GetExceptionInformation())) {
rc = false;                     // unreachable: the filter always continues execution
}
return rc;
}
216 |
// Interactive entry point: prints the menu, reads one option with scanf_s and
// runs the matching probe. Options 1-6 are looked up in a table; option 7 is
// special-cased because virtualpc_detect() returns its verdict instead of
// printing it. argc/argv are unused. Waits for a keypress before exiting.
int _tmain(int argc, _TCHAR* argv[]) {
    struct MenuEntry { const char *label; void (*probe)(); };
    static const MenuEntry menu[] = {
        { "1 - SGDT \n",              sgdt },
        { "2 - SLDT \n",              sldt },
        { "3 - STR \n",               str },
        { "4 - SMSW \n",              smsw },
        { "5 - VMWare get memory\n",  vmware_get_memory },
        { "6 - VMWare get version\n", vmware_get_version },
    };
    const int menuCount = sizeof(menu) / sizeof(menu[0]);

    printf("Virtual Machine detection tool \n\n");
    for (int i = 0; i < menuCount; ++i)
        printf("%s", menu[i].label);
    printf("7 - VirtualPC detection\n\n");

    int opt = 0;                // stays 0 (-> "Invalid option") if scanf_s reads nothing
    scanf_s("%d", &opt);

    if (opt >= 1 && opt <= menuCount) {
        menu[opt - 1].probe();
    } else if (opt == 7) {
        BOOL vpc = virtualpc_detect();
        printf(vpc ? "VirtualPC detected\n" : "VirtualPC not detected\n");
    } else {
        printf("Invalid option\n");
    }

    _getch();
    return 0;
}
257 |
258 |
--------------------------------------------------------------------------------
/Csrc/fcall_examples/fcall_examples/defs2.h:
--------------------------------------------------------------------------------
1 | #include "windows.h"
2 | #include
3 |
typedef LONG NTSTATUS;                  // declared locally instead of via <winternl.h>/<ntstatus.h>; the other includes on this page are stripped, so the second include above cannot be checked
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define MAX_UNICODE_PATH 255            // only referenced by the commented-out PROCESSINFOCLASS further down
7 |
8 | /*
9 | typedef struct _SYSTEMTIME {
10 | WORD wYear;
11 | WORD wMonth;
12 | WORD wDayOfWeek;
13 | WORD wDay;
14 | WORD wHour;
15 | WORD wMinute;
16 | WORD wSecond;
17 | WORD wMilliseconds;
18 | } SYSTEMTIME, *PSYSTEMTIME;
19 |
20 | typedef struct _FILETIME {
21 | DWORD dwLowDateTime;
22 | DWORD dwHighDateTime;
23 | } FILETIME, *PFILETIME;*/
24 |
25 |
// Counted UTF-16 string as used by the native API: Length and MaximumLength
// are byte counts and Buffer is not required to be NUL-terminated.
typedef struct _LSA_UNICODE_STRING {
USHORT Length;                  // bytes in use (not characters)
USHORT MaximumLength;           // bytes allocated for Buffer
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
31 |
// Process parameters reachable from PEB.ProcessParameters, in the
// reserved-field layout published in winternl.h: only the image path and the
// command line are named.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
BYTE Reserved1[16];
PVOID Reserved2[10];
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
38 |
// Loader data reachable from PEB.Ldr (winternl.h reserved-field layout).
// InMemoryOrderModuleList is the list head of the loaded-module entries.
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
44 |
// Process Environment Block in the winternl.h reserved-field layout.
// BeingDebugged (offset 2) is the byte IsDebuggerPresent() reports; it lives
// in user-writable memory, so debugger-hiding tools simply clear it - it is
// an indicator, not proof of absence. This definition will clash with
// <winternl.h> if both are included in one translation unit.
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;             // non-zero while a user-mode debugger is attached
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
ULONG PostProcessInitRoutine;   // winternl.h declares this as a function pointer; ULONG matches only in 32-bit builds - confirm
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;
59 |
60 | /*
61 | typedef struct _PROCESS_BASIC_INFORMATION {
62 | PVOID Reserved1;
63 | PPEB PebBaseAddress;
64 | PVOID Reserved2[2];
65 | ULONG_PTR UniqueProcessId;
66 | PVOID Reserved3;
67 | } PROCESS_BASIC_INFORMATION;
68 | */
69 |
70 |
// Result buffer for NtQueryInformationProcess(ProcessBasicInformation), with
// the native field names but every member flattened to int. That matches the
// real layout only in 32-bit builds: PebBaseAddress, AffinityMask,
// UniqueProcessId and InheritedFromUniqueProcessId are pointer-sized (compare
// the commented-out winternl.h form above, which uses PPEB/ULONG_PTR).
typedef struct _PROCESS_BASIC_INFORMATION {
int ExitStatus;
int PebBaseAddress;             // PPEB in the native definition
int AffinityMask;
int BasePriority;
int UniqueProcessId;
int InheritedFromUniqueProcessId;   // parent process id
} PROCESS_BASIC_INFORMATION;
79 |
80 | /*
81 | typedef struct PROCESSINFOCLASS
82 | {
83 | DWORD dwPID;
84 | DWORD dwParentPID;
85 | DWORD dwSessionID;
86 | DWORD dwPEBBaseAddress;
87 | DWORD dwAffinityMask;
88 | LONG dwBasePriority;
89 | LONG dwExitStatus;
90 | BYTE cBeingDebugged;
91 | TCHAR szImgPath[MAX_UNICODE_PATH];
92 | TCHAR szCmdLine[MAX_UNICODE_PATH];
93 | } PROCESSINFOCLASS;
94 | */
95 |
96 | // http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PROCESS_INFORMATION_CLASS.html
97 | // http://blogs.norman.com/wp-content/uploads/2011/10/processinfo.png
// Information classes for NtQueryInformationProcess (see the links above).
// Values are implicit from 0, so the members relevant to debugger detection
// are ProcessDebugPort (7), ProcessDebugObjectHandle (30) and
// ProcessDebugFlags (31). Defender note: these queries are the usual
// targets for anti-anti-debugging hooks, which is why samples probe more
// than one of them.
typedef enum _PROCESS_INFORMATION_CLASS {
ProcessBasicInformation,
ProcessQuotaLimits,
ProcessIoCounters,
ProcessVmCounters,
ProcessTimes,
ProcessBasePriority,
ProcessRaisePriority,
ProcessDebugPort,               // 7: non-zero port handle while a debugger is attached
ProcessExceptionPort,
ProcessAccessToken,
ProcessLdtInformation,
ProcessLdtSize,
ProcessDefaultHardErrorMode,
ProcessIoPortHandlers,
ProcessPooledUsageAndLimits,
ProcessWorkingSetWatch,
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup,
ProcessPriorityClass,
ProcessWx86Information,
ProcessHandleCount,
ProcessAffinityMask,
ProcessPriorityBoost,
ProcessDeviceMap,
ProcessSessionInformation,
ProcessForegroundInformation,
ProcessWow64Information,
ProcessImageFileName,
ProcessLUIDDeviceMapsEnabled,
ProcessBreakOnTermination,
ProcessDebugObjectHandle,       // 30: handle to the debug object, if any
ProcessDebugFlags,              // 31: debug-inherit flag
ProcessHandleTracing,
ProcessIoPriority,
ProcessExecuteFlags,
ProcessTlsInformation,
ProcessCookie,
ProcessImageInformation,
ProcessCycleTime,
ProcessPagePriority,
ProcessInstrumentationCallback,
ProcessThreadStackAllocation,
ProcessWorkingSetWatchEx,
ProcessImageFileNameWin32,
ProcessImageFileMapping,
ProcessAffinityUpdateMode,
ProcessMemoryAllocationMode,
ProcessGroupInformation,
ProcessTokenVirtualizationEnabled,
ProcessConsoleHostProcess,
ProcessWindowInformation,
MaxProcessInfoClass,
} PROCESS_INFORMATION_CLASS, *PPROCESS_INFORMATION_CLASS;
152 |
153 | // http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/System%20Information/SYSTEM_INFORMATION_CLASS.html
// Information classes for NtQuerySystemInformation (see the link above).
// Values are implicit from 0; SystemKernelDebuggerInformation (35) is the
// member used to ask whether a kernel debugger is attached.
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,       // 5: returns the SYSTEM_PROCESS_INFORMATION list defined below
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,   // 35: kernel-debugger present / not present
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,       // historical spelling, kept as-is
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation2, // suffix "2" added because the original name conflicted with winnt.h
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
202 |
203 | /*
204 | typedef struct _SYSTEM_PROCESS_INFORMATION {
205 | ULONG NextEntryOffset;
206 | BYTE Reserved1[52];
207 | PVOID Reserved2[3];
208 | HANDLE UniqueProcessId;
209 | PVOID Reserved3;
210 | ULONG HandleCount;
211 | BYTE Reserved4[4];
212 | PVOID Reserved5[11];
213 | SIZE_T PeakPagefileUsage;
214 | SIZE_T PrivatePageCount;
215 | LARGE_INTEGER Reserved6[6];
216 | } SYSTEM_PROCESS_INFORMATION;
217 | */
218 |
typedef LONG KPRIORITY;         // scheduler priority, as used in SYSTEM_THREADS / SYSTEM_PROCESS_INFORMATION

// Per-process memory counters embedded in SYSTEM_PROCESS_INFORMATION.
// The _WIN64 branch is, per the author's own note, reverse-engineered; only
// the 32-bit branch is compiled for the Win32-only projects on this page.
typedef struct _VM_COUNTERS {
#ifdef _WIN64
// the following was inferred by painful reverse engineering
SIZE_T PeakVirtualSize; // not actually
SIZE_T PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T VirtualSize; // not actually
#else
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
#endif
} VM_COUNTERS;
249 |
// Process id / thread id pair; the native API carries both as pointer-sized
// handles rather than DWORDs.
typedef struct _CLIENT_ID
{
PVOID UniqueProcess;
PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
255 |
// One per-thread record; NumberOfThreads of these follow each
// SYSTEM_PROCESS_INFORMATION entry (see its Threads[0] member).
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;             // owning process id + this thread's id
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;
269 |
270 |
// One entry of the buffer returned by NtQuerySystemInformation(
// SystemProcessInformation). Entries are chained by NextEntryOffset (bytes
// from this entry to the next; 0 marks the last one). This is the undocumented
// named layout rather than the winternl.h reserved form commented out above -
// field names beyond those two sources are not verifiable from this page.
typedef struct _SYSTEM_PROCESS_INFORMATION {

ULONG NextEntryOffset;          // 0 on the last entry
ULONG NumberOfThreads;          // number of SYSTEM_THREADS records in Threads[]
LARGE_INTEGER Reserved[3];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE ProcessId;
HANDLE InheritedFromProcessId;  // parent process id
ULONG HandleCount;
ULONG Reserved2[2];
ULONG PrivatePageCount;
VM_COUNTERS VirtualMemoryCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREADS Threads[0];      // zero-length trailing array: an MSVC extension, not standard C++
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
290 |
// Information classes for NtSetInformationThread. Values are implicit from 0;
// ThreadHideFromDebugger (17, 0x11) is the one used by anti-debugging code:
// once set, the thread no longer delivers debug events. Defender note: a
// call to NtSetInformationThread with this class is itself a strong indicator
// and is commonly monitored.
typedef enum _THREAD_INFORMATION_CLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger          // 17 (0x11)
} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;
311 |
// Native API imports from ntdll. The per-declaration `extern "C"` is
// redundant inside the surrounding extern "C" block but harmless.
// __declspec(dllimport) + __stdcall expects an import library at link time;
// ntdll.lib is not among the AdditionalDependencies listed for
// fcall_examples.vcxproj on this page - confirm how these symbols resolve.
// Return values are NTSTATUS: compare against STATUS_SUCCESS, not TRUE/FALSE.
#ifdef __cplusplus
extern "C" {
#endif

// Sets a per-thread property; with ThreadHideFromDebugger, ThreadInformation
// must be NULL and ThreadInformationLength 0.
extern "C" __declspec(dllimport) NTSTATUS __stdcall NtSetInformationThread(
IN HANDLE ThreadHandle,
IN THREAD_INFORMATION_CLASS ThreadInformationClass,
IN PVOID ThreadInformation,
IN ULONG ThreadInformationLength
);

// Queries a process property into ProcessInformation; ReturnLength is an
// optional OUT parameter (may be NULL) despite the IN annotation here.
extern "C" __declspec(dllimport) NTSTATUS __stdcall NtQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESS_INFORMATION_CLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
IN PULONG ReturnLength
);

// Queries system-wide information; for list-shaped classes the call fails
// with a too-small buffer and ReturnLength reports the size needed.
extern "C" __declspec(dllimport) NTSTATUS __stdcall NtQuerySystemInformation(
__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__inout PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
);

#ifdef __cplusplus
}
#endif
--------------------------------------------------------------------------------