Anti Analysis Operations
Disabling / Re-enabling ETW (Event tracing for Windows) threat intelligence provider.
NTSTATUS AntiAnalysis::EnableDisableEtwTI(bool enable)
enable [bool] -- Whether to enable or disable ETWTI.# Disable ETWTI
NidhoggClient.exe etwti disable
# Enable ETWTI
NidhoggClient.exe etwti enableThe function begins by dynamically locating the KeInsertQueueApc system routine as a starting point to search for the ETWTI provider handle. If this routine cannot be found, the function returns STATUS_NOT_FOUND.
Next, the function attempts to find a specific pattern in memory (EtwThreatIntProvRegHandleSignature1 or EtwThreatIntProvRegHandleSignature2) within a certain distance from the KeInsertQueueApc address. If neither pattern is found, the function returns STATUS_NOT_FOUND.
The function then calculates the address of etwThreatIntProvRegHandle and gets the offset of the enableProviderInfo and etwThreatIntLock from this address. If either offset is unsuccessful, the function returns STATUS_UNSUCCESSFUL.
If the etwThreatIntLock was found, the function acquires an exclusive lock on it.
Depending on the enable parameter, the function either copies the value of this->PrevEtwTiValue to enableProviderInfo->IsEnabled and then sets this->PrevEtwTiValue to 0 (if enable is true), or reads the value of enableProviderInfo->IsEnabled into this->PrevEtwTiValue and then sets enableProviderInfo->IsEnabled to 0 (if enable is false).
Finally, if the etwThreatIntLock was acquired earlier, the function releases it and returns the status of the last operation.
Querying kernel callbacks of other drivers including object callbacks, process and thread creation routines, image loading routines, and registry callbacks.
NTSTATUS AntiAnalysis::ListRegistryCallbacks(CmCallbacksList* Callbacks, ULONG64 ReplacerFunction, ULONG64 ReplacedFunction)
Callbacks [CallbacksList*] -- A pointer to a CmCallbacksList structure that will hold the list of registry callbacks.
ReplacerFunction [ULONG64] -- If not null, the address of the function to replace.
ReplacedFunction [ULONG64] -- If not null, the address of the function to be replaced.# List object callbacks
NidhoggClient.exe callbacks query ObThreadType
NidhoggClient.exe callbacks query ObProcessType
# List process / image load routines
NidhoggClient.exe callbacks query PsProcessType
NidhoggClient.exe callbacks query PsImageLoadType
# List registry callbacks
NidhoggClient.exe callbacks query CmRegistryTypeThe function begins by locating the CmpRegisterCallbackInternal and CmpInsertCallbackInListByAltitude functions in memory using byte pattern matching. If either function cannot be found, the function returns STATUS_NOT_FOUND.
Next, the function locates the CallbackListHead and CmpCallBackCount in memory, again using byte pattern matching. If either cannot be found, the function returns STATUS_NOT_FOUND.
The function then acquires an exclusive lock on the CmpCallbackListLock.
If ReplacerFunction and ReplacedFunction are both non-zero, the function iterates over the list of callbacks. If it finds a callback whose function matches ReplacedFunction, it replaces that callback's function with ReplacerFunction.
If ReplacerFunction and ReplacedFunction are both zero, the function instead populates the Callbacks structure with the list of callbacks and their associated driver names.
Finally, the function releases the lock on CmpCallbackListLock and returns the status of the operation.
Removing by replacing the callback on the target driver with a dummy callback or restoring a callback to the original for the types mentioned above.
NTSTATUS AntiAnalysis::RestoreCallback(KernelCallback* Callback)
Callback [KernelCallback*] -- Callback to restore.NTSTATUS AntiAnalysis::RemoveCallback(KernelCallback* Callback)
Callback [KernelCallback*] -- Callback to remove.# Remove callback
NidhoggClient.exe callbacks remove <ADDR>
# Restore callback
NidhoggClient.exe callbacks restore <ADDR>The function begins by checking the type of the callback. Depending on the type of the callback, the function then removes the callback in the appropriate manner. If the callback is of type ObProcessType or ObThreadType, it is removed from the object callback list. If the callback is of type PsCreateProcessType, PsCreateProcessTypeEx, PsCreateThreadType, PsCreateThreadTypeNonSystemThread, or PsImageLoadType, it is removed from the process or thread creation routines list. If the callback is of type CmRegistryType, it is removed from the registry callbacks list.
If the callback is successfully removed, it is then added to the list of disabled callbacks.
Finally, the function returns the status of the operation.
The function begins by getting the disabled callback. If the callback is not found, the function returns the status of the operation.
Depending on the type of the callback, the function then restores the callback in the appropriate manner. If the callback is of type ObProcessType or ObThreadType, it is restored in the object callback list. If the callback is of type PsCreateProcessType, PsCreateProcessTypeEx, PsCreateThreadType, or PsCreateThreadTypeNonSystemThread, it is restored in the process or thread creation routines list. If the callback is of type CmRegistryType, it is restored in the registry callbacks list.