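/*
 * Debug-object consistency check via NtQueryObject(ObjectTypeInformation).
 *
 * Creates a DebugObject and asks the kernel for its type information. The
 * handle that was just created must count as at least one live object of that
 * type, so a reported TotalNumberOfObjects of zero can only come from a
 * tampered NtQueryObject (see the commented variant of this routine further
 * down the page).
 *
 * Returns TRUE when the reported count is zero, FALSE otherwise. Any failure
 * (ntdll not resolvable, missing export, NtCreateDebugObject or NtQueryObject
 * returning an error) is reported as FALSE, so a failing NtQueryObject is not
 * flagged.
 *
 * Fixes relative to the original: the exported function pointers are verified
 * before they are called (the original called NtCreateDebugObject and only
 * then tested the pointer, and tested the wrong pointer for NtQueryObject),
 * the status of NtCreateDebugObject is checked before the handle is used, and
 * ntdll is loaded once and released with FreeLibrary instead of being loaded
 * twice and never released.
 */
BOOL NtQueryObject_ObjectTypeInformation()
{
	typedef NTSTATUS (WINAPI *pNtQueryObject)(IN HANDLE, IN UINT, OUT PVOID, IN ULONG, OUT PULONG);
	typedef NTSTATUS(WINAPI *pNtCreateDebugObject)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG);

	BOOL bZeroObjects = FALSE;

	HMODULE hNtdll = LoadLibrary(_xor_(_T("ntdll.dll")).c_str());
	if (hNtdll == NULL)
	{
		/* Nothing to resolve against; treat as "not detected". */
		return FALSE;
	}

	pNtCreateDebugObject NtCreateDebugObject = (pNtCreateDebugObject)GetProcAddress(hNtdll, _xor_("NtCreateDebugObject").c_str());
	pNtQueryObject NtQueryObject = (pNtQueryObject)GetProcAddress(hNtdll, _xor_("NtQueryObject").c_str());

	/* Both exports must resolve before either is called through. */
	if (NtCreateDebugObject != NULL && NtQueryObject != NULL)
	{
		HANDLE DebugObjectHandle = NULL;
		OBJECT_ATTRIBUTES ObjectAttributes;
		InitializeObjectAttributes(&ObjectAttributes, 0, 0, 0, 0);

		NTSTATUS Status = NtCreateDebugObject(&DebugObjectHandle, DEBUG_ALL_ACCESS, &ObjectAttributes, FALSE);
		if (Status >= 0)
		{
			/* 0x1000 bytes is ample for OBJECT_TYPE_INFORMATION plus its type name. */
			BYTE memory[0x1000] = { 0 };
			POBJECT_TYPE_INFORMATION ObjectInformation = (POBJECT_TYPE_INFORMATION)memory;

			Status = NtQueryObject(DebugObjectHandle, ObjectTypeInformation, ObjectInformation, sizeof(memory), NULL);

			/* Close before evaluating so the handle never outlives this call. */
			CloseHandle(DebugObjectHandle);

			/* The object we just created must be counted; zero is impossible from an untampered kernel path. */
			if (Status >= 0 && ObjectInformation->TotalNumberOfObjects == 0)
			{
				bZeroObjects = TRUE;
			}
		}
	}

	/* Balance the LoadLibrary reference; ntdll itself stays mapped. */
	FreeLibrary(hNtdll);
	return bZeroObjects;
}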
Пример #2
/*
 * TerminatorTD1 - terminator test: attach a kill-on-close debug object.
 *
 * Opens the process identified by ProcessId with PROCESS_SUSPEND_RESUME,
 * creates a debug object with DEBUG_KILL_ON_CLOSE, attaches it to the process
 * with NtDebugActiveProcess and immediately closes the debug object. The
 * kill-on-close flag means that last close is what ends the debuggee.
 *
 * Returns the status of PhOpenProcess only; failures of NtCreateDebugObject
 * and NtDebugActiveProcess are not propagated (unchanged from the original).
 */
static NTSTATUS NTAPI TerminatorTD1(
    _In_ HANDLE ProcessId
    )
{
    HANDLE processHandle;
    HANDLE debugObjectHandle;
    OBJECT_ATTRIBUTES objectAttributes;
    NTSTATUS openStatus;

    openStatus = PhOpenProcess(&processHandle, PROCESS_SUSPEND_RESUME, ProcessId);
    if (!NT_SUCCESS(openStatus))
        return openStatus;

    InitializeObjectAttributes(&objectAttributes, NULL, 0, NULL, NULL);

    /* Only attach if the debug object could actually be created. */
    if (NT_SUCCESS(NtCreateDebugObject(
        &debugObjectHandle,
        DEBUG_PROCESS_ASSIGN,
        &objectAttributes,
        DEBUG_KILL_ON_CLOSE
        )))
    {
        NtDebugActiveProcess(processHandle, debugObjectHandle);
        /* Closing the kill-on-close debug object is the actual termination step. */
        NtClose(debugObjectHandle);
    }

    NtClose(processHandle);

    return openStatus;
}
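/*
 * Debug-object consistency check via NtQueryObject(ObjectTypeInformation).
 *
 * NOTE: this check only detects an NtQueryObject that has been hooked to
 * report ObjectInformation->TotalNumberOfObjects == 0. We create a DebugObject
 * ourselves, so an untampered query must report at least one object of that
 * type.
 *
 * Returns TRUE when the reported count is zero, FALSE otherwise. Every failure
 * path (ntdll not resolvable, missing export, NtCreateDebugObject or
 * NtQueryObject failing) also returns FALSE, so the check can still be
 * sidestepped by making NtQueryObject fail rather than lie.
 *
 * Fixes relative to the original: function pointers are validated before they
 * are called (the original invoked NtCreateDebugObject before testing it and
 * tested NtCreateDebugObject instead of NtQueryObject for the second export),
 * NtCreateDebugObject's status is checked before the handle is used, and
 * ntdll is loaded once and released with FreeLibrary instead of twice with no
 * release.
 */
BOOL NtQueryObject_ObjectTypeInformation()
{
	// Function Pointer Typedef for NtQueryObject
	typedef NTSTATUS (WINAPI *pNtQueryObject)(IN HANDLE, IN UINT, OUT PVOID, IN ULONG, OUT PULONG);

	// Function pointer Typedef for NtCreateDebugObject
	typedef NTSTATUS(WINAPI *pNtCreateDebugObject)(OUT PHANDLE, IN ACCESS_MASK, IN POBJECT_ATTRIBUTES, IN ULONG);

	BOOL bZeroObjects = FALSE;

	HMODULE hNtdll = LoadLibrary(_T("ntdll.dll"));
	if (hNtdll == NULL)
	{
		// ntdll.dll is always mapped, so this is practically unreachable;
		// still, never continue with a NULL module handle.
		return FALSE;
	}

	// Resolve both exports up front so each is checked before it is called.
	pNtCreateDebugObject NtCreateDebugObject = (pNtCreateDebugObject)GetProcAddress(hNtdll, "NtCreateDebugObject");
	pNtQueryObject NtQueryObject = (pNtQueryObject)GetProcAddress(hNtdll, "NtQueryObject");

	if (NtCreateDebugObject != NULL && NtQueryObject != NULL)
	{
		HANDLE DebugObjectHandle = NULL;
		OBJECT_ATTRIBUTES ObjectAttributes;
		InitializeObjectAttributes(&ObjectAttributes, 0, 0, 0, 0);

		NTSTATUS Status = NtCreateDebugObject(&DebugObjectHandle, DEBUG_ALL_ACCESS, &ObjectAttributes, FALSE);
		if (Status >= 0)
		{
			// 0x1000 bytes comfortably holds OBJECT_TYPE_INFORMATION and the type name it points to.
			BYTE memory[0x1000] = { 0 };
			POBJECT_TYPE_INFORMATION ObjectInformation = (POBJECT_TYPE_INFORMATION)memory;

			Status = NtQueryObject(DebugObjectHandle, ObjectTypeInformation, ObjectInformation, sizeof(memory), NULL);

			// Make sure to not screw up later checks: release the handle before deciding.
			CloseHandle(DebugObjectHandle);

			// There should be at least one object (we just created it).
			if (Status >= 0 && ObjectInformation->TotalNumberOfObjects == 0)
			{
				bZeroObjects = TRUE;
			}
			// NOTE: a failing NtQueryObject should never happen on a valid handle,
			// but it is reported as FALSE (not detected), as before.
		}
	}

	// Drop the LoadLibrary reference we took; ntdll stays loaded regardless.
	FreeLibrary(hNtdll);
	return bZeroObjects;
}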