{"id":6836,"date":"2019-10-11T23:20:26","date_gmt":"2019-10-11T23:20:26","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6836"},"modified":"2019-10-11T23:31:28","modified_gmt":"2019-10-11T23:31:28","slug":"beyond-good-ol-run-key-part-119","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/10\/11\/beyond-good-ol-run-key-part-119\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 119"},"content":{"rendered":"\n

Pretty much everyone knows about the AEDebug key.<\/a><\/p>\n\n\n\n

Turns out this key has a twin brother, called AeDebugProtected<\/em>.<\/p>\n\n\n\n

When the WerpGetDebugger <\/em>function is called, it calls NtQueryInformationProcess <\/em>to retrieve a basic information about the process. If the process’s basic info data at position 28 (32-bit!) returns a dword value that if masked with 1 is non-zero then AeDebugProtected<\/em> key is used…<\/p>\n\n\n\n

Okay, this is confusing… Let’s step back. <\/p>\n\n\n\n

The traditional way of calling NtQueryInformationProcess<\/a> <\/em>with ProcessBasicInformation <\/em>class is typically delivered using a ‘classic’ definition of _PROCESS_BASIC_INFORMATION structure being:<\/p>\n\n\n\n

typedef struct _PROCESS_BASIC_INFORMATION {\n    PVOID Reserved1;\n    PPEB PebBaseAddress;\n    PVOID Reserved2[2];\n    ULONG_PTR UniqueProcessId;\n    PVOID Reserved3;\n} PROCESS_BASIC_INFORMATION;<\/code><\/pre>\n\n\n\n
Of course, available source codes online can give us a more precise definition of this structure e.g. Process Hacker source code defines it as:<\/p>\n\n\n\n
typedef struct _PROCESS_BASIC_INFORMATION\n{\n    NTSTATUS ExitStatus;\n    PPEB PebBaseAddress;\n    ULONG_PTR AffinityMask;\n    KPRIORITY BasePriority;\n    HANDLE UniqueProcessId;\n    HANDLE InheritedFromUniqueProcessId;\n} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;<\/code><\/pre>\n\n\n\n
In both cases the size of a structure is 24 bytes (32-bit system!). When I looked at the code of  WerpGetDebugger <\/em> I was surprised to see that some calls to NtQueryInformationProcess <\/em> \/  ProcessBasicInformation <\/em>rely on a structure that is 32 bytes long!<\/p>\n\n\n\n
Okay, so now we know there is some extra information provided by  NtQueryInformationProcess <\/em>to WerpGetDebugger<\/em> function and that data determines which debug key is being used. Since this ntdll <\/em>function is simply passed to kernel, I went to look at the code of NtQueryInformationProcess <\/em>inside ntoskrnl.exe<\/em>. I quickly discovered that the function does indeed expect a structure that is either 24 or 32 bytes long. Cool.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Continuing my analysis I noticed that the the field at the position 28 is filled in with a result of a call to a function called PsIsProtectedProcess<\/em>. Protected processes [DOC warning]<\/a> is a technology described in the past, so not a biggie. And the fact this is what is being checked by the function is of course something we should have expected, given the name used by the Registry Key I mentioned earlier, however… at least we can confirm this with our code analysis…<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And here we are with a few conclusive bits:<\/p>\n\n\n\n