search

x64dbg / ScyllaHide

Advanced usermode anti-anti-debugger. Forked from https://bitbucket.org/NtQuery/scyllahide
GNU General Public License v3.0
3.48k stars 434 forks source link

NtQuerySystemInformation hooked #122

Closed vmtest888 closed 3 years ago

vmtest888 commented 3 years ago

The application runs in a sandbox, sandboxie hooked NtQuerySystemInformation

https://github.com/sandboxie-plus/Sandboxie/blob/357be6fb2f191f2739e318a5647028d083b9bd7c/Sandboxie/core/dll/sysinfo.c#L171

_FX NTSTATUS SysInfo_NtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    void *Buffer,
    ULONG BufferLength,
    ULONG *ReturnLength)
{
    NTSTATUS status;

    status = __sys_NtQuerySystemInformation(
        SystemInformationClass, Buffer, BufferLength, ReturnLength);

    if (NT_SUCCESS(status) &&
            (SystemInformationClass == SystemProcessInformation
            || SystemInformationClass == SystemExtendedProcessInformation
            || SystemInformationClass == SystemFullProcessInformation)) {

        SysInfo_DiscardProcesses(Buffer);
    }

    return status;
}

CheckRemoteDebuggerPresent calls NtQueryInformationProcess

https://github.com/x64dbg/ScyllaHide/blob/75fde06ac933913c293dd60dc5205ea7578085a1/InjectorCLI/RemoteHook.cpp#L648

image

The program in the sandbox fails to debug

Mattiwatti commented 3 years ago

I think this check was originally added as sanity test, to check that ScyllaHide is not reapplying hooks without properly restoring them first. In other words, the assumption is that ScyllaHide is the only one that's hooking the process. Obviously that's not the case here since Sandboxie is also applying hooks.

I am a bit wary of simply removing this check, as it also serves a useful purpose in the case of protectors hooking system calls (although the scope is limited to only checking those syscalls that overlap with ones also hooked by ScyllaHide). An option might be to turn this message into a warning instead. This does mean that the rest of the hooking code needs to be able to deal with nested hooks, though I don't see why this should be a problem (untested).

In the long run it may be preferable to get rid of ScyllaHide's home-grown hooking and replace it with something like MinHook which is probably more robust. However there are some caveats here: WOW64 hooking would still need to be done by ScyllaHide for various reasons, and MinHook would have to be modified to support some things such as prepending NOPs before a jump instruction.