Protect program before Debuggers

Details

Protecting the program from running in debuggers.
 

In this article we will describe the principle of strong enough protection for our malware program from opening in debuggers. The point is to prevent the debugging of our malware and thus make it difficult to detect functionality.

We'll talk about this practice before posting the codes.

Starting the application as such consists of starting the entry point process entry point. This point is contained in the linkers of the method void/int main(void)/(argc, argv). This access point is called up in the classic startup.
When opened in debuggers, the debugger starts by reading and setting the breakpoint to this entry point.


The question arises as to how to bypass the debugger, respectively, how to find out that the file was run under the debugger. The answer lies in the so-called TLS callback.

TLS (Thread Local Storage) is a kind of callback that is triggered when a jump to the entry point is initiated, that is, it is triggered before the entry point starts. The breakpoint debuggers only download after this call. Based on these calls it is possible to detect the environment of the debugger.
By checking this call, we can make a jump to the method by which we can check the progress of the startup, from shutting down the debugger to destroying the computer. We can password protect the system, practically perform any functionality.


To get started with the code, first of all it is necessary to create a line TLS and load section CRT$XLB:

  
#pragma comment(linker,"/include:__tls_used")
#pragma section(".CRT$XLB",read)



Next, we declare the method from ntdll.lib:

  
extern "C" 
{
   NTSTATUS _stdcall NtQueryInformationProcess(::HANDLE,::ULONG,::PVOID,::ULONG,::PULONG);
}



Loading offset memory from GS segment:

  
__readfsdword(0x30)+2



To create a TLS authentication method:

  
void _stdcall TLSCallBackHook(::PVOID Module,::DWORD Reason,::PVOID Context)
{
   ::PBOOLEAN StartDebugged = (::PBOOLEAN) ThreadInformationBlock; //Nacitanie GS
   ::HANDLE DebugPort = nullptr;
   bool isdebugged = false;

   if(*StartDebugged) //Zistenie hodnoty StartDebugged
   {
      isdebugged = true;
   }
   else
   {
      isdebugged = false;
   }

   if(!::NtQueryInformationProcess(_Diall_CurrentProcess(),7,&DebugPort,sizeof(::HANDLE),NULL))
   {
      if(DebugPort)
      {   
         isdebugged = true;
      } else
      {
         isdebugged = false;
      }
   }
}



Loading a jump before starting the process entry point, introducing TLS callback for CRT $ XLB:

  
__declspec(allocate(".CRT$XLB")) PIMAGE_TLS_CALLBACK PIMAGETLSCALLBACK[]={TLSCallBackHook, nullptr};

 

 

 

-----------------------------------------------------------------

The whole function is built into header WinAPI.h WinAPI.h



To start debugger process protection:

  
#define _ProtectDebugger_ //define macro for "winapi.h"//

#include <stdio.h>
#include "convert.h"
#include "winapi.h" //https://www.netbot.sk/en/14-blog-headers/44-winapi-en

void DProtectDebuggerNoDetected(void)
{
   MessageBoxA(NULL,"No debugger enviroment","TLS",MB_ICONINFORMATION);
}

void DProtectDebuggerDetected(void)
{
   MessageBoxA(NULL,"Debugger enviroment","TLS",MB_ICONINFORMATION);
   //SetPassword();
}

int _cdecl main(void)
{
   ::Diall_WinApi::WinApi::GetInstance()->SystemIntegrity(::Diall_WinApi::Privilege::ENABLE); 

   cout << " https://www.diallix.net ";
   system("pause");

   return 0;
}