event pairs handle
TRANSCRIPT
-
7/27/2019 Event Pairs Handle
1/3
EventPairHandle as Anti-Dbg Trick
Author:Giuseppe 'Evilcry' Bonfa'E-Mail:evilcry {AT} gmail {DOT} com
Website:http://evilcrynetsonsorg ! http://evilco"ecave#or"presscom
EventPairHandle
An EventPair Objectis an Event constructe" $y t#o %KEE!Tstructures #hich areconventionally name" Highan" "o# Event&airs are use" for synchroniation in$uick "P%( they allo# the calle" threa" to continue the current )uantum(re"ucing sche"uling overhea" an" latency *o# $y loo+ing to the $asic operationsthat a "e$ugger nee" to accomplish( #e can see that these tas+s are conceptuallysimple( #hen the target is normally running( the "e$ugger is sleeping( $ut #hencertain events occur D$g ,a+es -p Became clear that there is a strict relation$et#een generic Event Objectsan" De$uggers cause they have to create a customEvent calle" DebugEventa$le to han"le e.ceptions Due to the presence of Eventso#ne" $y the De$ugger( every information relative to the Events of a normal
process "iffers from a "e$ugge" process
This is the struct that "escri$es an Event&air:
t&'ede( struct )KEE!T)PA*+ ,.HO+T T&'e/.HO+T .i0e/KEE!T Event1/KEE!T Event2/3 KEE!T)PA*+4 5PKEE!T)PA*+/
*othing more than a couple of)KEE!T.!t%reateEventPairis the responsi$le ofEvent&air creation( here the prototype:
!T.6.AP*!T.TAT.!TAP*!t%reateEventPair7
OT PHA!D"E EventPairHandle4 *! A%%E..)MA.K DesiredAccess4 *! PO89E%T)ATT+*8TE. ObjectAttributesOPT*O!A" /
PA+AMETE+.hEventPair: &ointer to the varia$le that receives han"le to the event!pairo$ect
AccessMask: Type of access re)ueste" to the event!pair o$ect This can $ea com$ination of any of the follo#ing flags:E0E*T%1-E23%4TATE( E0E*T%5OD673%4TATE( an"E0E*T%A88%A99E44
ObjectAttributes:&oints to the OBE9T4%ATT26B-TE4 structure containing theinformation a$out the event!pair o$ect to $e create"( such as name( parent"irectory( o$ectflags( an" so on
Event&airs are use" $y the ,in;< su$system to provi"e notification #hen theclient threa" has copie" a message to the ,in;< server( or vice versa 8&9messages are passe" in the section o$ect( an" synchroniation is performe" $y
the event!pair o$ect The event!pair o$ect eliminates the overhea" of usingthe port o$ect to pass messages containing pointers an" lengths
"P%#as use" into 7Kernel;ser-
-
7/27/2019 Event Pairs Handle
2/3
notifications The ne# De$ugging 4upport ma+es use of)DE8=)O89E%T This structis a #rapper aroun" the event use" $yWait>orDebugEvent( conse)uently #e nee" tosee ho#)DE8=)EE!Tis structure"( here the struct:
t&'ede( struct )DE8=)EE!T, "*.T)E!T+6 Event"ist/ KEE!T %ontinueEvent/ %"*E!T)*D %lient*d/ PEP+O%E.. Process/ PETH+EAD Thread/ !T.TAT. .tatus/ "O!= >lags/ PETH+EAD 8ackoutThread/ D8=KM)M.= A'iMsg/3 DE8=)EE!T4 5PDE8=)EE!T/
As you can see $et#een the mem$ers of this struct #e have the last one thatsoun"s really intersting D8=KM)M.= that $y the name #e can un"erstan" is
referre" to De$ug 5essaging >5essaging means implications #ith 8&9 mechanism?(so let's see D8=KM)M.= struct:
t&'ede( struct )D8=KM)M.=, PO+T)ME..A=E h/ D8=KM)AP*!M8E+ A'i!u
-
7/27/2019 Event Pairs Handle
3/3
de(ine W*!B2)"EA!)A!D)MEA!include Cstdiohinclude Cstdlibhinclude C#indo#shinclude Fde(shF
'rag>E+ bu((er/
bu((er G +tl%reate$uer&Debug8u((er74>A".E/
+tl$uer&ProcessHea'*n(or