kevoreilly · cccs-mog · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025
diff --git a/config.c b/config.c
@@ -1253,7 +1253,7 @@ void parse_config_line(char* line)
 			else if (g_config.unpacker == 2)
 				DebugOutput("Active unpacking of payloads enabled\n");
 		}
-		else if (!stricmp(key, "injection")) { //When set to 1 this will enable CAPE�s capture of injected payloads between processes
+		else if (!stricmp(key, "injection")) { //When set to 1 this will enable CAPE�s capture of injected payloads between processes
 			g_config.injection = value[0] == '1';
 			if (g_config.injection)
 				DebugOutput("Capture of injected payloads enabled.\n");

diff --git a/hook_misc.c b/hook_misc.c
@@ -37,6 +37,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 extern char *our_process_name;
 extern void ProcessMessage(DWORD ProcessId, DWORD ThreadId);
 extern const char* GetLanguageName(LANGID langID);
+//extern NTSTATUS pNtQueryObject(HANDLE Handle, OBJECT_INFORMATION_CLASS ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength);
 
 extern BOOL TraceRunning;
 
@@ -425,13 +426,37 @@ HOOKDEF(NTSTATUS, WINAPI, NtClose,
 		LOQ_ntstatus("system", "ps", "Handle", Handle, "Alert", "Tried to close Cuckoo's log handle");
 		return ret;
 	}
+	//https://anti-debug.checkpoint.com/techniques/object-handles.html
+	//ULONG Size = 0;
+	//ULONG Size2 = 0;
+	//NTSTATUS Status = pNtQueryObject(Handle, 0, &Size, sizeof(Size), &Size);
+	//void* Buff = (void*)calloc(1, Size);
+	//BOOLEAN valid_handle;
+	//if (!Buff) 
+	//	valid_handle = NT_SUCCESS(pNtQueryObject(Handle, 0, Buff, Size, &Size2));
+	//else
+	//	valid_handle = FALSE;
+	//if (!g_config.no_stealth && valid_handle)
+	//{
+	//	__try
+	//	{
+	//		Old_NtClose(Handle);
+	//		ret = STATUS_SUCCESS;
+	//	}
+	//	__except(EXCEPTION_EXECUTE_HANDLER)
+	//	{
+	//		ret = STATUS_SUCCESS;
+	//	}
+	//}
+	//else
 	ret = Old_NtClose(Handle);
 	LOQ_ntstatus("system", "p", "Handle", Handle);
 	if(NT_SUCCESS(ret)) {
 		remove_file_from_log_tracking(Handle);
 		DumpSectionViewsForHandle(Handle);
 		file_close(Handle);
 	}
+	//free(Buff);
 	return ret;
 }
 
@@ -833,7 +858,6 @@ HOOKDEF(NTSTATUS, WINAPI, NtQuerySystemInformation,
 			PLARGE_INTEGER perf_info = (PLARGE_INTEGER)SystemInformation;
 			perf_info->HighPart |= 2;
 		}
-
 		return ret;
 	}
 

diff --git a/hook_thread.c b/hook_thread.c
@@ -396,7 +396,11 @@ HOOKDEF(NTSTATUS, WINAPI, RtlWow64GetThreadContext,
 	DWORD pid = pid_from_thread_handle(ThreadHandle);
 
 	NTSTATUS ret = Old_RtlWow64GetThreadContext(ThreadHandle, Context);
-
+	//https://anti-debug.checkpoint.com/techniques/process-memory.html
+	if (!g_config.no_stealth) {
+		// This needs to be __declspec(noinline) to prevent inlining
+		GetThreadContextHandler(ThreadHandle, Context);
+	}
 	LOQ_ntstatus("threading", "pi", "ThreadHandle", ThreadHandle, "ProcessId", pid);
 
 	return ret;
@@ -835,6 +839,9 @@ HOOKDEF(NTSTATUS, WINAPI, NtYieldExecution,
 	NTSTATUS ret = 0;
 	LOQ_void("threading", "");
 	ret = Old_NtYieldExecution();
+	//https://anti-debug.checkpoint.com/techniques/misc.html
+	if (!g_config.no_stealth && rand() % 2 == 1)
+		ret =  -1;
 	return ret;
 }
 

diff --git a/hook_window.c b/hook_window.c
@@ -453,6 +453,11 @@ HOOKDEF(BOOL, WINAPI, EnumWindows,
 ) {
 
 	BOOL ret = Old_EnumWindows(lpEnumFunc, lParam);
+	if (sizeof(lpEnumFunc)>5*sizeof(void *))
+	{
+		LOQ_bool("windows","p", "lpEnumFunc", lpEnumFunc);
+	}
+	else
 	LOQ_bool("windows", "");
 	return ret;
 }

diff --git a/misc.c b/misc.c
@@ -37,7 +37,7 @@ static _NtQueryInformationProcess pNtQueryInformationProcess;
 static _NtQueryInformationThread pNtQueryInformationThread;
 static _RtlGenRandom pRtlGenRandom;
 static _NtQueryAttributesFile pNtQueryAttributesFile;
-static _NtQueryObject pNtQueryObject;
+_NtQueryObject pNtQueryObject;
 static _NtQueryKey pNtQueryKey;
 static _NtDelayExecution pNtDelayExecution;
 static _NtQuerySystemInformation pNtQuerySystemInformation;

diff --git a/tests/PR_test.c b/tests/PR_test.c
@@ -0,0 +1,62 @@
+#include <Windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+BOOL check_ntyieldexecution_switchtothread()
+{
+    BYTE ucCounter = 1;
+    for (int i = 0; i < 8; i++)
+    {
+        Sleep(0x0F);
+        ucCounter <<= (1 - SwitchToThread());
+    }
+
+    return !(ucCounter == 0);
+}
+
+BOOL check_hardwarebreakpoint()
+{
+    CONTEXT ctx;
+    ZeroMemory(&ctx, sizeof(CONTEXT)); 
+    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS; 
+
+    if(!GetThreadContext(GetCurrentThread(), &ctx))
+        return TRUE;
+
+    return !(ctx.Dr0 || ctx.Dr1 || ctx.Dr2 || ctx.Dr3);
+}
+
+BOOL check_closehandle()
+{
+    __try
+    {
+        CloseHandle((HANDLE)0xDEADBEEF);
+        return TRUE;
+    }
+    __except (EXCEPTION_INVALID_HANDLE == GetExceptionCode()
+                ? EXCEPTION_EXECUTE_HANDLER 
+                : EXCEPTION_CONTINUE_SEARCH)
+    {
+        return FALSE;
+    }
+}
+
+int main(int argc, char **argv)
+{
+    BOOL close_handle_result;
+    BOOL hardware_breakpoint_result;
+    BOOL ntyieldexecution_result;
+    close_handle_result = check_closehandle();
+    hardware_breakpoint_result = check_hardwarebreakpoint();
+    ntyieldexecution_result = check_ntyieldexecution_switchtothread();
+    FILE *fptr;
+    fptr = fopen("test_result.txt","w");
+    if(fptr)
+    {
+        fprintf(fptr," Close handle test: %s\n Hardware breakpoint test: %s\n NTYieldExecution test: %s\n",
+        close_handle_result ? "true": "false",
+        hardware_breakpoint_result ? "true": "false",
+        ntyieldexecution_result ? "true": "false");
+    }
+    fclose(fptr);
+}