Merge pull request ayoubfaouzi#197 from Mattiwatti/debugobjecthandle

DebugObjectHandle improvements

al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugObject.cpp

@@ -10,14 +10,14 @@ the process isn't being debugged
 
 BOOL NtQueryInformationProcess_ProcessDebugObject()
 {
-	// ProcessDebugFlags
+	// ProcessDebugObjectHandle
 	const int ProcessDebugObjectHandle =  0x1e;
 
 	auto NtQueryInfoProcess = static_cast<pNtQueryInformationProcess>(API::GetAPI(API_IDENTIFIER::API_NtQueryInformationProcess));
 
 	// Other Vars
 	NTSTATUS Status;
-	HANDLE hDebugObject = NULL; 
+	HANDLE hDebugObject = NULL;
 
 #if defined (ENV64BIT)
 	DWORD dProcessInformationLength = sizeof(ULONG) * 2;
@@ -28,10 +28,22 @@ BOOL NtQueryInformationProcess_ProcessDebugObject()
 	DWORD32 IsRemotePresent = 0;
 #endif
 
+	// Regular check
 	Status = NtQueryInfoProcess(GetCurrentProcess(), ProcessDebugObjectHandle, &hDebugObject, dProcessInformationLength, NULL);
-
-	if (Status == 0x00000000 && hDebugObject)
-        return TRUE;
-    else
-        return FALSE;
+
+	if (Status != STATUS_PORT_NOT_SET)
+		return TRUE;
+	if (hDebugObject != NULL)
+		return TRUE;
+
+	// Check with overlapping return length and debug object handle buffers to find anti-anti-debuggers
+	Status = NtQueryInfoProcess(GetCurrentProcess(), ProcessDebugObjectHandle, &hDebugObject, dProcessInformationLength, (PULONG)&hDebugObject);
+	if (Status != STATUS_PORT_NOT_SET)
+		return TRUE;
+	if (hDebugObject == NULL)
+		return TRUE; // Handle incorrectly zeroed
+	if ((ULONG)(ULONG_PTR)hDebugObject != dProcessInformationLength)
+		return TRUE; // Return length incorrectly overwritten
+
+	return FALSE;
 }

al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugObject.h

@@ -1,3 +1,5 @@
 #pragma once
 
-BOOL NtQueryInformationProcess_ProcessDebugObject();
+BOOL NtQueryInformationProcess_ProcessDebugObject();
+
+#define STATUS_PORT_NOT_SET ((NTSTATUS)0xC0000353L)