Anti-anti debug and small VS fix #102
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @cccs-mog, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
I've implemented a suite of anti-anti-debug techniques to bolster the resilience of the monitoring system against detection by debuggers and malware. Additionally, I've included a minor fix for Visual Studio project configurations to ensure correct MASM assembly file compilation.
Highlights
- Anti-Anti-Debug Stealth: I've introduced multiple techniques to counteract debugger detection, including spoofing debug flags, preventing handle enumeration, and manipulating API call returns to mislead debuggers.
- Visual Studio Build Fix: I've corrected the build exclusion conditions for MASM assembly files in capemon.vcxproj to ensure proper compilation across different configurations.
- New API Hooking: I've added hooks for NtDebugActiveProcess, DbgUiDebugActiveProcess, GenerateConsoleCtrlEvent, and BlockInput to intercept and modify their behavior for anti-anti-debug purposes.
- Debug Register Obfuscation: I've implemented logic within RtlWow64GetThreadContext to clear debug registers (Dr0-Dr3), making it harder for debuggers to set hardware breakpoints.
- Critical Process Protection: I've modified NtClose to handle object closing exceptions gracefully and NtOpenProcess to prevent opening critical system processes like csrss.exe.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces several anti-anti-debugging techniques and a fix for the Visual Studio project file. While the intent is to improve stealth capabilities, the implementation has introduced a number of critical issues, including memory corruption, memory leaks, and incorrect logic that could lead to crashes or unpredictable behavior. The Visual Studio project file changes also appear to be incorrect and may break the build for certain configurations. These issues should be addressed before merging.
|
Wow thank you this looks great! Could maybe just use existing |
|
Made the change, still making some tests, let me know if there is issue with any of it and if things are fine. Happy to make it ready for merging. |
|
Thanks for that - looks much better. I've had a closer look at the PR and I do have a reservation in that many of the anti-debug techniques that are quoted and remediated do not apply to capemon as it is not a debugger in the classic sense, at least not as far as Windows is concerned. I am reluctant to add code to capemon that is not relevant in its normal configuration, and the following techniques would only become relevant if a 'proper' debugger like windbg or x64dbg was attached to a process also monitored by capemon:
None of these techniques is capable of detecting the debugger in capemon (which was designed for precisely this reason), nor hooks, so they are ultimately ineffective. |
|
That is understandable, if capemon debugger is not affected by this then they probably should not be included. I could remove those specifics techniques and keep the others if you see value in them. It would leave NtClose object handles, RtlWow64GetThreadContext with the zeroing of drs and NtYieldExecution. |
|
I definitely see value in the RtlWow64GetThreadContext hook improvement. I guess for the other two the question is: can they detect capemon? From reading the descriptions of the techniques it's not clear to me if they can, but the proof may be in the pudding. Can the example snippets be compiled and tested? |
|
Alright I will look into testing/compiling those and comment back. As well as removing the unecessary ones. |
|
Thank you! |
No description provided.