//////////////////////////////////////////////////
// FileName : Cenega_anti_antidebugger.txt
// Comment : Defeats Cenega anti-debugging checks
// Author : Luca91 (Luca1991) - Luca D'Amico
// Date : 2024-05-19
// How to use : Load the 32-bit target exe in x32dbg (script is normally started while paused at the
//              initial system breakpoint) and run this script. The stack offsets used below
//              ([esp+8], [esp+C]) assume the x86 stdcall layout; this script is not for 64-bit targets.
//////////////////////////////////////////////////
// start
// Setup phase: reach the entry point, clear the debugger's own breakpoints, patch the PEB, then
// install the NtQueryInformationProcess hook (callback: check_nqip below).
msg "Cenega anti antidebugger"
run // run til the EntryPoint (assumes the debugger's entry-point break is enabled; otherwise "run" does not stop here)
// clear breakpoints
// NOTE: bc / bphwc remove ALL software and hardware breakpoints, including any the user set before running this.
bc
bphwc
// defeats isDebuggerPresent and manual PEB checks
// PEB+0x2 is BeingDebugged, the byte IsDebuggerPresent() returns; zeroing it covers the API and
// direct PEB reads. Only this byte is cleared: NtGlobalFlag / heap-flag style checks are not handled here.
$peb = peb()
set $peb+0x2, #00#
// find and hook NtQueryInformationProcess
// Software (INT3) breakpoint on the ntdll export. Every hit runs check_nqip, which filters on the
// ProcessInformationClass argument; only ProcessDebugPort (7) and ProcessDebugObjectHandle (0x1E)
// are intercepted there - ProcessDebugFlags (0x1F) is NOT covered by this script.
nqip_addr = ntdll.dll:NtQueryInformationProcess
bp nqip_addr
SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip"
erun
ret
// Breakpoint callback for NtQueryInformationProcess (invoked via "scriptcmd call check_nqip").
// Runs at the function's first instruction, so the x86 stdcall arguments are on the stack:
// [esp] return address, [esp+4] ProcessHandle, [esp+8] ProcessInformationClass,
// [esp+C] ProcessInformation (out buffer), [esp+10] ProcessInformationLength.
// Dispatches on the class; anything that is not one of the two handled classes resumes untouched.
check_nqip:
cmp [esp+8], 7 // 0x7 == ProcessDebugPort
je patch_process_information_buffer
cmp [esp+8], 0x1E // 0x1E == ProcessDebugObjectHandle
je patch_process_debug_object_handle
// Not a debug-port/debug-object query (note: ProcessDebugFlags 0x1F falls through here and is
// NOT patched) - let the call run and return the real result.
erun
ret
// ProcessDebugPort (7): under a debugger the kernel writes a non-zero port value into the
// caller's buffer. Let the call complete, then overwrite that result with 0 so the caller
// (e.g. CheckRemoteDebuggerPresent or a direct NtQueryInformationProcess check) sees "no port".
patch_process_information_buffer:
log "/!\ DEBUG CHECK FOUND (ProcessDebugPort): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
// Run until NtQueryInformationProcess's ret. The buffer is filled by now, and because we stop
// ON the ret (before it pops the arguments) [esp+C] still holds the ProcessInformation pointer.
rtr
// "set <expr>, #bytes#" writes the bytes at the address <expr> evaluates to (same form as the
// PEB patch above). [esp+C] dereferences the stack slot, so this zeroes the 4-byte DWORD the
// caller passed. 4 bytes is the x86 size of this value - one more reason the script is 32-bit only.
set [esp+C], #00 00 00 00#
erun
ret
// ProcessDebugObjectHandle (0x1E): with a debugger attached the call succeeds and returns a
// non-zero debug-object HANDLE in the caller's buffer. Let the call finish, then zero the handle.
// NOTE(review): only the output buffer is patched; the NTSTATUS in eax is left exactly as the
// kernel returned it. A target that tests the status (success vs. STATUS_PORT_NOT_SET when no
// debugger is attached) instead of the handle value would not be fooled by this - confirm
// against the actual check if the protector still detects the debugger.
patch_process_debug_object_handle:
log "/!\ DEBUG CHECK FOUND (ProcessDebugObjectHandle): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})"
// Stop on the function's ret: result written, arguments (incl. the [esp+C] buffer pointer) still on the stack.
rtr
// Zero the 4-byte HANDLE at the address stored in [esp+C] (x86 handle size).
set [esp+C], #00 00 00 00#
erun
ret