update

sleep_duck/sleep_duck.cpp

@@ -69,29 +69,42 @@ auto DoCFTrackX64(HANDLE hProcess,
     for (size_t i = stackArrays.size() - 1; i > 0; i--) {
         auto ripAddr = stackArrays[i].first;
         auto retAddr = stackArrays[i].second;
-        //printf("stack walk: %p\n", ripAddr);
 
         if (retAddr == 0) {
             continue;
         }
-        auto rawAddress = ripAddr - 0x16;
-        StackTracker stackTrack(hProcess, rawAddress, 0x30, false);
-        if (stackTrack.TryFindValidDisasm(rawAddress, 0x30) == false) {
-            printf("\nSleepMask Encryption Memory Detected: %p\n\t", rawAddress);
+        auto rawAddress = ripAddr - 0x20;
+        StackTracker stackTrack(hProcess, rawAddress, 0x28, false);
+        if (stackTrack.TryFindValidDisasm(rawAddress, 0x28) == false) {
+            printf("\nSleepMask Encryption Memory Detected: %p\n\t",
+                   rawAddress);
             PrintProcessInfoFromHandle(hProcess);
+            stackTrack.PrintAsm();
             continue;
         }
         auto [successTrack, nextJmpAddress] = stackTrack.CalcNextJmpAddress();
 
-        if (successTrack == false && 
-            stackTrack.feature != _features::kCallRip && 
-            stackTrack.feature != _features::kCallReg &&
-            stackTrack.feature != _features::kSyscall) {
-            printf("\nNon-integrity Stack Detect: %p\n\t", rawAddress);
-            PrintProcessInfoFromHandle(hProcess);
+        if (successTrack == false) {
+            // very perfer lazy method
+            static const std::string WaitonAddressGate = "52 10 47 AE";
+            if (Tools::FindPatternInMemory(
+                    (uint64_t)stackTrack.SuccessReadedBuffer.data(),
+                    stackTrack.SuccessReadedBuffer.size(),
+                    WaitonAddressGate) != 0) {
+                printf("skip waitonaddress, golang detect\n");
+                continue;
+            }
+            if (stackTrack.feature != _features::kCallRip &&
+                stackTrack.feature != _features::kCallReg &&
+                stackTrack.feature != _features::kSyscall) {
+                printf("\nNon-integrity Stack Detect: %p ripAddr: %p \n\t",
+                       rawAddress, ripAddr);
+                PrintProcessInfoFromHandle(hProcess);
+                stackTrack.PrintAsm();
+            }
+
             break;
         }
-
     }
     return;
 }
@@ -101,7 +114,7 @@ auto DoX64StackDetect(HANDLE hProcess, HANDLE hThread) -> void {
     context.ContextFlags = CONTEXT_ALL;
     std::vector<std::pair<uint64_t, uint64_t>> stackArrays;
     SymInitialize(hProcess, nullptr, TRUE);
-    //printf("scan tid: %d \n", GetThreadId(hThread));
+    printf("scan tid: %d \n", GetThreadId(hThread));
     do {
         if (GetThreadContext(hThread, &context) == false) {
             break;
@@ -126,26 +139,30 @@ auto DoX64StackDetect(HANDLE hProcess, HANDLE hThread) -> void {
             }
             if (SimpleCheckIn2020(hProcess, StackFarmeEx.AddrPC.Offset)) {
                 detect = true;
-                //break;
+                // break;
             }
+
             stackArrays.push_back(
                 {StackFarmeEx.AddrPC.Offset, StackFarmeEx.AddrReturn.Offset});
         }
-        //if (detect) {
-        //    break;
-        //}
+        // if (detect) {
+        //     break;
+        // }
         DoCFTrackX64(hProcess, stackArrays);
     } while (false);
     SymCleanup(hProcess);
 }
 
 // 主扫描函数
-auto DoLittleHackerMemeDetect(DWORD pidFilter = 0, bool scanAll = false) -> void {
-    HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); // 所有线程
+auto DoLittleHackerMemeDetect(DWORD pidFilter = 0, bool scanAll = false)
+    -> void {
+    HANDLE hThreadSnap =
+        CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);  // 所有线程
     THREADENTRY32 te32 = {};
     te32.dwSize = sizeof(THREADENTRY32);
 
-    if (hThreadSnap == INVALID_HANDLE_VALUE || !Thread32First(hThreadSnap, &te32))
+    if (hThreadSnap == INVALID_HANDLE_VALUE ||
+        !Thread32First(hThreadSnap, &te32))
         return;
 
     do {
@@ -158,7 +175,8 @@ auto DoLittleHackerMemeDetect(DWORD pidFilter = 0, bool scanAll = false) -> void
         if (!scanAll && pidFilter != 0 && te32.th32OwnerProcessID != pidFilter)
             continue;
 
-        if (!scanAll && pidFilter == 0 && te32.th32OwnerProcessID != GetCurrentProcessId())
+        if (!scanAll && pidFilter == 0 &&
+            te32.th32OwnerProcessID != GetCurrentProcessId())
             continue;
 
         auto handleDeleter = [](HANDLE h) {
@@ -172,12 +190,11 @@ auto DoLittleHackerMemeDetect(DWORD pidFilter = 0, bool scanAll = false) -> void
             OpenProcess(PROCESS_ALL_ACCESS, FALSE, te32.th32OwnerProcessID),
             handleDeleter);
 
-        if (!hProcess || hProcess.get() == INVALID_HANDLE_VALUE ||
-            !hThread || hThread.get() == INVALID_HANDLE_VALUE)
+        if (!hProcess || hProcess.get() == INVALID_HANDLE_VALUE || !hThread ||
+            hThread.get() == INVALID_HANDLE_VALUE)
             continue;
 
-        if (!Tools::Is64BitPorcess(hProcess.get()))
-            continue;
+        if (!Tools::Is64BitPorcess(hProcess.get())) continue;
         DoX64StackDetect(hProcess.get(), hThread.get());
 
     } while (Thread32Next(hThreadSnap, &te32));
@@ -194,12 +211,10 @@ int main(int argc, char* argv[]) {
 
         if (arg == "-all") {
             scanAll = true;
-        }
-        else if (arg == "-pid" && i + 1 < argc) {
+        } else if (arg == "-pid" && i + 1 < argc) {
             scanAll = false;
             targetPid = static_cast<DWORD>(std::stoul(argv[++i]));
-        }
-        else {
+        } else {
             std::cerr << "[!] Unknown argument ,go scan all: " << arg << "\n";
             scanAll = true;
         }