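// Anti-anti-debug check: query the type information of a freshly created
// debug object and flag a hooked NtQueryObject.
//
// Only a hook that rewrites ObjectInformation->TotalNumberOfObjects to 0 is
// detected; a hook that simply fails NtQueryObject is not.
//
// Returns TRUE when NtQueryObject reports zero objects of the DebugObject
// type (impossible for a valid handle, since one was just created), FALSE
// otherwise, including on any import or API failure.
//
// _xor_(...) appears to be a project string helper (not shown here) that
// yields a string object; .c_str() hands the API the plain pointer.
BOOL NtQueryObject_ObjectTypeInformation()
{
    // Function pointer typedefs for the two ntdll exports resolved at run time.
    typedef NTSTATUS (WINAPI *pNtQueryObject)(IN HANDLE, IN UINT, OUT PVOID, IN ULONG, OUT PULONG);
    typedef NTSTATUS (WINAPI *pNtCreateDebugObject)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG);

    // ntdll.dll is mapped in every process; GetModuleHandle avoids bumping the
    // module reference count the way the original's never-freed LoadLibrary did.
    HMODULE hNtdll = GetModuleHandle(_xor_(_T("ntdll.dll")).c_str());
    if (hNtdll == NULL) {
        return FALSE;
    }

    pNtCreateDebugObject NtCreateDebugObject = (pNtCreateDebugObject)GetProcAddress(hNtdll, _xor_("NtCreateDebugObject").c_str());
    pNtQueryObject NtQueryObject = (pNtQueryObject)GetProcAddress(hNtdll, _xor_("NtQueryObject").c_str());
    // Never call through a NULL import; the original checked the wrong
    // variable after resolving NtQueryObject and then called it anyway.
    if (NtCreateDebugObject == NULL || NtQueryObject == NULL) {
        return FALSE;
    }

    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

    // The creation status was previously ignored, leaving DebugObjectHandle
    // uninitialized on failure.
    HANDLE DebugObjectHandle = NULL;
    NTSTATUS Status = NtCreateDebugObject(&DebugObjectHandle, DEBUG_ALL_ACCESS, &ObjectAttributes, FALSE);
    if (Status < 0 || DebugObjectHandle == NULL) {
        return FALSE;
    }

    BYTE memory[0x1000] = { 0 };
    POBJECT_TYPE_INFORMATION ObjectInformation = (POBJECT_TYPE_INFORMATION)memory;

    Status = NtQueryObject(DebugObjectHandle, ObjectTypeInformation, ObjectInformation, sizeof(memory), NULL);

    // Close before evaluating so a lingering debug object cannot skew later checks.
    CloseHandle(DebugObjectHandle);

    if (Status < 0) {
        // Should never happen on a valid handle; a hook that fails the call
        // therefore bypasses this check and is reported as "not detected".
        return FALSE;
    }

    // At least one object of this type must exist (the one just created);
    // zero means the result was tampered with.
    return ObjectInformation->TotalNumberOfObjects == 0 ? TRUE : FALSE;
}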
// Terminator test TD1: attach a kill-on-close debug object to the target.
//
// Opens ProcessId with PROCESS_SUSPEND_RESUME, creates a debug object with
// DEBUG_KILL_ON_CLOSE, attaches it with NtDebugActiveProcess and then closes
// the debug object again.
//
// Returns the status of PhOpenProcess only; failures of NtCreateDebugObject
// or NtDebugActiveProcess are not reported to the caller.
static NTSTATUS NTAPI TerminatorTD1(
    _In_ HANDLE ProcessId
    )
{
    HANDLE processHandle = NULL;
    NTSTATUS status = PhOpenProcess(&processHandle, PROCESS_SUSPEND_RESUME, ProcessId);

    if (!NT_SUCCESS(status))
        return status;

    OBJECT_ATTRIBUTES objectAttributes;
    HANDLE debugObjectHandle = NULL;
    InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL);

    NTSTATUS createStatus = NtCreateDebugObject(&debugObjectHandle,
                                                DEBUG_PROCESS_ASSIGN,
                                                &objectAttributes,
                                                DEBUG_KILL_ON_CLOSE);
    if (NT_SUCCESS(createStatus)) {
        NtDebugActiveProcess(processHandle, debugObjectHandle);
        // The debug object is closed right after attaching; with
        // DEBUG_KILL_ON_CLOSE that close is the operative step of the test.
        NtClose(debugObjectHandle);
    }

    NtClose(processHandle);
    return status;
}
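// Anti-anti-debug check: query the type information of a freshly created
// debug object and flag a hooked NtQueryObject.
//
// NOTE: this check only detects a hook that rewrites
// ObjectInformation->TotalNumberOfObjects to 0. A hook that simply fails
// NtQueryObject (or leaves the count alone) is not detected.
//
// Returns TRUE when NtQueryObject reports zero objects of the DebugObject
// type (impossible for a valid handle, since one was just created), and
// FALSE otherwise, including on any import or API failure.
BOOL NtQueryObject_ObjectTypeInformation()
{
    // Function pointer typedefs for the two ntdll exports resolved at run time.
    typedef NTSTATUS (WINAPI *pNtQueryObject)(IN HANDLE, IN UINT, OUT PVOID, IN ULONG, OUT PULONG);
    typedef NTSTATUS (WINAPI *pNtCreateDebugObject)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG);

    // ntdll.dll is mapped in every process; GetModuleHandle avoids bumping the
    // module reference count the way the original's two never-freed
    // LoadLibrary calls did.
    HMODULE hNtdll = GetModuleHandle(_T("ntdll.dll"));
    if (hNtdll == NULL) {
        return FALSE;
    }

    pNtCreateDebugObject NtCreateDebugObject = (pNtCreateDebugObject)GetProcAddress(hNtdll, "NtCreateDebugObject");
    pNtQueryObject NtQueryObject = (pNtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");
    // Either export missing means a badly broken OS; never call through NULL.
    // (The original tested NtCreateDebugObject a second time instead of
    // NtQueryObject, then called NtQueryObject unconditionally.)
    if (NtCreateDebugObject == NULL || NtQueryObject == NULL) {
        return FALSE;
    }

    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

    // Check the creation status: the original ignored it and then tested the
    // function pointer, leaving DebugObjectHandle uninitialized on failure.
    HANDLE DebugObjectHandle = NULL;
    NTSTATUS Status = NtCreateDebugObject(&DebugObjectHandle, DEBUG_ALL_ACCESS, &ObjectAttributes, FALSE);
    if (Status < 0 || DebugObjectHandle == NULL) {
        return FALSE;
    }

    BYTE memory[0x1000] = { 0 };
    POBJECT_TYPE_INFORMATION ObjectInformation = (POBJECT_TYPE_INFORMATION)memory;

    Status = NtQueryObject(DebugObjectHandle, ObjectTypeInformation, ObjectInformation, sizeof(memory), NULL);

    // Close before evaluating so a lingering debug object cannot skew later checks.
    CloseHandle(DebugObjectHandle);

    if (Status < 0) {
        // NOTE: should never happen on a valid handle, so a hook that fails
        // the call bypasses this check; it is reported as "not detected".
        return FALSE;
    }

    // There must be at least one object of this type (the one just created);
    // zero means the result was tampered with.
    return ObjectInformation->TotalNumberOfObjects == 0 ? TRUE : FALSE;
}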