First of all
There are various flags in the PEB associated with a specific process such as the CrossProcessFlags, the BitField (4th member of the PEB), AppCompatFlags, and so forth. I’d always tried looking for differences in the flags when operating in a standard runtime environment vs. a debugged runtime environment and after many failed attempts to find any sort of variance in the flags, I moved on to a different part of the PEB – the ProcessParameters.
The structure of ProcessParameters is _RTL_USER_PROCESS_PARAMETERS
When the debugger starts the process, the system will set RTL_USER_PROCESS_PARAMETERS-> Flags;
So I started using WINDBG to find out who set this flag
But I failed. When the debugger calls CreateProcess, this flag is set. I did n’t go into the kernel.
If you’re familiar with the ProcessParameters member of the PEB you’ll know that it has 4 different flag members associated with the RTL_USER_PROCESS_PARAMETERS structure. The Flags member is the MOI (member of interest.) I noticed when running in a standard runtime environment the 0th bit of the Flags member is 1, the 13th is 1, and the 14th bit is set as well. Nothing unusual until I debugged the application in WinDbg x64 and noticed that the 14th bit of the Flags becomes 0. I had some skepticism as to if this was just a coincidence, so I placed the application in my VM (Windows 10 Enterprise x64) and tested it and the 14th bit was set to 1. When a debugger was attached, the 14th bit was 0.
The values of the Flags member as an integer when a debugger is not attached is equivalent to 24577, and 8193 when a debugger is attached – just to make things easier.
I looked everywhere wondering if I had found some undocumented method of debugger detection and it seems only one other blog had information about.
That information can be found here. After reading his post it is clear that the creation flags affect this bit. See the link to get a few other details.
The application of this is simple, check the 14th bit of the ProcessParameters->Flags member to see if it is 0, if so – RtlSetProcessIsCritical and ExitProcess ;p
Use this information wisely, I’m sure many beginner reverse engineers wouldn’t think much of flag queries.
By Daax Rynd Independent Security Researcher
Present win10 19041 annihilation trial progress flag flags 0x4001 On PEB32 FLAGS like 0x6001
This ollydbg movement 0x1
[+0x008] Flags : 0x4001 [Type: unsigned long]
[+0x008] Flags : 0x1 [Type: unsigned long]
typedef struct _RTL_USER_PROCESS_PARAMETERS
{
/* 0x0000 */ unsigned long MaximumLength;
/* 0x0004 */ unsigned long Length;
/* 0x0008 */ unsigned long Flags;
/* 0x000c */ unsigned long DebugFlags;
/* 0x0010 */ void* ConsoleHandle;
/* 0x0018 */ unsigned long ConsoleFlags;
/* 0x001c */ long Padding_85;
/* 0x0020 */ void* StandardInput;
/* 0x0028 */ void* StandardOutput;
/* 0x0030 */ void* StandardError;
/* 0x0038 */ struct _CURDIR CurrentDirectory;
/* 0x0050 */ struct _UNICODE_STRING DllPath;
/* 0x0060 */ struct _UNICODE_STRING ImagePathName;
/* 0x0070 */ struct _UNICODE_STRING CommandLine;
/* 0x0080 */ void* Environment;
/* 0x0088 */ unsigned long StartingX;
/* 0x008c */ unsigned long StartingY;
/* 0x0090 */ unsigned long CountX;
/* 0x0094 */ unsigned long CountY;
/* 0x0098 */ unsigned long CountCharsX;
/* 0x009c */ unsigned long CountCharsY;
/* 0x00a0 */ unsigned long FillAttribute;
/* 0x00a4 */ unsigned long WindowFlags;
/* 0x00a8 */ unsigned long ShowWindowFlags;
/* 0x00ac */ long Padding_86;
/* 0x00b0 */ struct _UNICODE_STRING WindowTitle;
/* 0x00c0 */ struct _UNICODE_STRING DesktopInfo;
/* 0x00d0 */ struct _UNICODE_STRING ShellInfo;
/* 0x00e0 */ struct _UNICODE_STRING RuntimeData;
/* 0x00f0 */ struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
/* 0x03f0 */ unsigned __int64 EnvironmentSize;
/* 0x03f8 */ unsigned __int64 EnvironmentVersion;
/* 0x0400 */ void* PackageDependencyData;
/* 0x0408 */ unsigned long ProcessGroupId;
/* 0x040c */ unsigned long LoaderThreads;
/* 0x0410 */ struct _UNICODE_STRING RedirectionDllName;
/* 0x0420 */ struct _UNICODE_STRING HeapPartitionName;
/* 0x0430 */ unsigned __int64* DefaultThreadpoolCpuSetMasks;
/* 0x0438 */ unsigned long DefaultThreadpoolCpuSetMaskCount;
/* 0x043c */ long __PADDING__[1];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; /* size: 0x0440 */typedef struct _PEB
{
/* 0x0000 */ unsigned char InheritedAddressSpace;
/* 0x0001 */ unsigned char ReadImageFileExecOptions;
/* 0x0002 */ unsigned char BeingDebugged;
union
{
/* 0x0003 */ unsigned char BitField;
struct /* bitfield */
{
/* 0x0003 */ unsigned char ImageUsesLargePages : 1; /* bit position: 0 */
/* 0x0003 */ unsigned char IsProtectedProcess : 1; /* bit position: 1 */
/* 0x0003 */ unsigned char IsImageDynamicallyRelocated : 1; /* bit position: 2 */
/* 0x0003 */ unsigned char SkipPatchingUser32Forwarders : 1; /* bit position: 3 */
/* 0x0003 */ unsigned char IsPackagedProcess : 1; /* bit position: 4 */
/* 0x0003 */ unsigned char IsAppContainer : 1; /* bit position: 5 */
/* 0x0003 */ unsigned char IsProtectedProcessLight : 1; /* bit position: 6 */
/* 0x0003 */ unsigned char IsLongPathAwareProcess : 1; /* bit position: 7 */
}; /* bitfield */
}; /* size: 0x0001 */
/* 0x0004 */ unsigned char Padding0[4];
/* 0x0008 */ void* Mutant;
/* 0x0010 */ void* ImageBaseAddress;
/* 0x0018 */ struct _PEB_LDR_DATA* Ldr;
/* 0x0020 */ struct _RTL_USER_PROCESS_PARAMETERS* ProcessParameters;
/* 0x0028 */ void* SubSystemData;
/* 0x0030 */ void* ProcessHeap;
/* 0x0038 */ struct _RTL_CRITICAL_SECTION* FastPebLock;
/* 0x0040 */ union _SLIST_HEADER* volatile AtlThunkSListPtr;
/* 0x0048 */ void* IFEOKey;
union
{
/* 0x0050 */ unsigned long CrossProcessFlags;
struct /* bitfield */
{
/* 0x0050 */ unsigned long ProcessInJob : 1; /* bit position: 0 */
/* 0x0050 */ unsigned long ProcessInitializing : 1; /* bit position: 1 */
/* 0x0050 */ unsigned long ProcessUsingVEH : 1; /* bit position: 2 */
/* 0x0050 */ unsigned long ProcessUsingVCH : 1; /* bit position: 3 */
/* 0x0050 */ unsigned long ProcessUsingFTH : 1; /* bit position: 4 */
/* 0x0050 */ unsigned long ProcessPreviouslyThrottled : 1; /* bit position: 5 */
/* 0x0050 */ unsigned long ProcessCurrentlyThrottled : 1; /* bit position: 6 */
/* 0x0050 */ unsigned long ProcessImagesHotPatched : 1; /* bit position: 7 */
/* 0x0050 */ unsigned long ReservedBits0 : 24; /* bit position: 8 */
}; /* bitfield */
}; /* size: 0x0004 */
/* 0x0054 */ unsigned char Padding1[4];
union
{
/* 0x0058 */ void* KernelCallbackTable;
/* 0x0058 */ void* UserSharedInfoPtr;
}; /* size: 0x0008 */
/* 0x0060 */ unsigned long SystemReserved;
/* 0x0064 */ unsigned long AtlThunkSListPtr32;
/* 0x0068 */ void* ApiSetMap;
/* 0x0070 */ unsigned long TlsExpansionCounter;
/* 0x0074 */ unsigned char Padding2[4];
/* 0x0078 */ void* TlsBitmap;
/* 0x0080 */ unsigned long TlsBitmapBits[2];
/* 0x0088 */ void* ReadOnlySharedMemoryBase;
/* 0x0090 */ void* SharedData;
/* 0x0098 */ void** ReadOnlyStaticServerData;
/* 0x00a0 */ void* AnsiCodePageData;
/* 0x00a8 */ void* OemCodePageData;
/* 0x00b0 */ void* UnicodeCaseTableData;
/* 0x00b8 */ unsigned long NumberOfProcessors;
/* 0x00bc */ unsigned long NtGlobalFlag;
/* 0x00c0 */ union _LARGE_INTEGER CriticalSectionTimeout;
/* 0x00c8 */ unsigned __int64 HeapSegmentReserve;
/* 0x00d0 */ unsigned __int64 HeapSegmentCommit;
/* 0x00d8 */ unsigned __int64 HeapDeCommitTotalFreeThreshold;
/* 0x00e0 */ unsigned __int64 HeapDeCommitFreeBlockThreshold;
/* 0x00e8 */ unsigned long NumberOfHeaps;
/* 0x00ec */ unsigned long MaximumNumberOfHeaps;
/* 0x00f0 */ void** ProcessHeaps;
/* 0x00f8 */ void* GdiSharedHandleTable;
/* 0x0100 */ void* ProcessStarterHelper;
/* 0x0108 */ unsigned long GdiDCAttributeList;
/* 0x010c */ unsigned char Padding3[4];
/* 0x0110 */ struct _RTL_CRITICAL_SECTION* LoaderLock;
/* 0x0118 */ unsigned long OSMajorVersion;
/* 0x011c */ unsigned long OSMinorVersion;
/* 0x0120 */ unsigned short OSBuildNumber;
/* 0x0122 */ unsigned short OSCSDVersion;
/* 0x0124 */ unsigned long OSPlatformId;
/* 0x0128 */ unsigned long ImageSubsystem;
/* 0x012c */ unsigned long ImageSubsystemMajorVersion;
/* 0x0130 */ unsigned long ImageSubsystemMinorVersion;
/* 0x0134 */ unsigned char Padding4[4];
/* 0x0138 */ unsigned __int64 ActiveProcessAffinityMask;
/* 0x0140 */ unsigned long GdiHandleBuffer[60];
/* 0x0230 */ void* PostProcessInitRoutine /* function */;
/* 0x0238 */ void* TlsExpansionBitmap;
/* 0x0240 */ unsigned long TlsExpansionBitmapBits[32];
/* 0x02c0 */ unsigned long SessionId;
/* 0x02c4 */ unsigned char Padding5[4];
/* 0x02c8 */ union _ULARGE_INTEGER AppCompatFlags;
/* 0x02d0 */ union _ULARGE_INTEGER AppCompatFlagsUser;
/* 0x02d8 */ void* pShimData;
/* 0x02e0 */ void* AppCompatInfo;
/* 0x02e8 */ struct _UNICODE_STRING CSDVersion;
/* 0x02f8 */ const struct _ACTIVATION_CONTEXT_DATA* ActivationContextData;
/* 0x0300 */ struct _ASSEMBLY_STORAGE_MAP* ProcessAssemblyStorageMap;
/* 0x0308 */ const struct _ACTIVATION_CONTEXT_DATA* SystemDefaultActivationContextData;
/* 0x0310 */ struct _ASSEMBLY_STORAGE_MAP* SystemAssemblyStorageMap;
/* 0x0318 */ unsigned __int64 MinimumStackCommit;
/* 0x0320 */ void* SparePointers[4];
/* 0x0340 */ unsigned long SpareUlongs[5];
/* 0x0354 */ long Padding_128;
/* 0x0358 */ void* WerRegistrationData;
/* 0x0360 */ void* WerShipAssertPtr;
/* 0x0368 */ void* pUnused;
/* 0x0370 */ void* pImageHeaderHash;
union
{
/* 0x0378 */ unsigned long TracingFlags;
struct /* bitfield */
{
/* 0x0378 */ unsigned long HeapTracingEnabled : 1; /* bit position: 0 */
/* 0x0378 */ unsigned long CritSecTracingEnabled : 1; /* bit position: 1 */
/* 0x0378 */ unsigned long LibLoaderTracingEnabled : 1; /* bit position: 2 */
/* 0x0378 */ unsigned long SpareTracingBits : 29; /* bit position: 3 */
}; /* bitfield */
}; /* size: 0x0004 */
/* 0x037c */ unsigned char Padding6[4];
/* 0x0380 */ unsigned __int64 CsrServerReadOnlySharedMemoryBase;
/* 0x0388 */ unsigned __int64 TppWorkerpListLock;
/* 0x0390 */ struct _LIST_ENTRY TppWorkerpList;
/* 0x03a0 */ void* WaitOnAddressHashTable[128];
/* 0x07a0 */ void* TelemetryCoverageHeader;
/* 0x07a8 */ unsigned long CloudFileFlags;
/* 0x07ac */ unsigned long CloudFileDiagFlags;
/* 0x07b0 */ char PlaceholderCompatibilityMode;
/* 0x07b1 */ char PlaceholderCompatibilityModeReserved[7];
/* 0x07b8 */ struct _LEAP_SECOND_DATA* LeapSecondData;
union
{
/* 0x07c0 */ unsigned long LeapSecondFlags;
struct /* bitfield */
{
/* 0x07c0 */ unsigned long SixtySecondEnabled : 1; /* bit position: 0 */
/* 0x07c0 */ unsigned long Reserved : 31; /* bit position: 1 */
}; /* bitfield */
}; /* size: 0x0004 */
/* 0x07c4 */ unsigned long NtGlobalFlag2;
} PEB, *PPEB; /* size: 0x07c8 */