본문 바로가기
리버싱/기타

Anti Debugging using NtSetInformationThread

by 즉흥 2016. 7. 23.
728x90
반응형

악성코드 분석하다 나옴.


https://msdn.microsoft.com/en-us/library/windows/hardware/ff557675(v=vs.85).aspx

https://github.com/AdaCore/gsh/blob/master/os/src/ddk/ntddk.h


NtSetInformationThread에 두 번째 인자로 들어가는게 아래의 THREADINFOCLASS인데, 여기서 0x11번 째 멤버인 ThreadHideFromDebbger가 인자로 들어가면 디버거가 디버기에서 강제로 분리된다.


두 번째 인자로 값을 0x11이 아닌, 0x0을 주면 우회가 가능하다.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
typedef enum _THREADINFOCLASS {
  ThreadBasicInformation,
  ThreadTimes,
  ThreadPriority,
  ThreadBasePriority,
  ThreadAffinityMask,
  ThreadImpersonationToken,
  ThreadDescriptorTableEntry,
  ThreadEnableAlignmentFaultFixup,
  ThreadEventPair_Reusable,
  ThreadQuerySetWin32StartAddress,
  ThreadZeroTlsCell,
  ThreadPerformanceCount,
  ThreadAmILastThread,
  ThreadIdealProcessor,
  ThreadPriorityBoost,
  ThreadSetTlsArrayAddress,
  ThreadIsIoPending,
  ThreadHideFromDebugger,
  ThreadBreakOnTermination,
  ThreadSwitchLegacyState,
  ThreadIsTerminated,
  ThreadLastSystemCall,
  ThreadIoPriority,
  ThreadCycleTime,
  ThreadPagePriority,
  ThreadActualBasePriority,
  ThreadTebInformation,
  ThreadCSwitchMon,
  ThreadCSwitchPmu,
  ThreadWow64Context,
  ThreadGroupInformation,
  ThreadUmsInformation,
  ThreadCounterProfiling,
  ThreadIdealProcessorEx,
  MaxThreadInfoClass
} THREADINFOCLASS;
cs


728x90
반응형

댓글