| 1 | + | #include "syscalls.h" |
| 2 | + | |
| 3 | + | // Code below is adapted from @modexpblog. Read linked article for more details. |
| 4 | + | // https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams |
| 5 | + | |
| 6 | + | SW2_SYSCALL_LIST SW2_SyscallList __attribute__ ((section(".data"))); |
| 7 | + | PVOID SyscallAddress __attribute__ ((section(".data"))) = NULL; |
| 8 | + | |
| 9 | + | /* |
| 10 | + | * If no 'syscall' instruction is found in NTDLL, |
| 11 | + | * this function will be called. |
| 12 | + | * By default just returns STATUS_NOT_FOUND. |
| 13 | + | * The idea is to avoid having a 'syscall' instruction |
| 14 | + | * on this program's .text section to evade static analysis |
| 15 | + | */ |
| 16 | + | |
| 17 | + | __declspec(naked) void SyscallNotFound(void) |
| 18 | + | { |
| 19 | + | asm( |
| 20 | + | "mov eax, 0xC0DEDEAD \n" |
| 21 | + | "ret \n" |
| 22 | + | ); |
| 23 | + | } |
| 24 | + | |
| 25 | + | /* |
| 26 | + | * the idea here is to find a 'syscall' instruction in 'ntdll.dll' |
| 27 | + | * so that we can call it from our code and try to hide the fact |
| 28 | + | * that we use direct syscalls |
| 29 | + | */ |
| 30 | + | PVOID GetSyscallAddress( |
| 31 | + | IN PVOID nt_api_address, |
| 32 | + | IN ULONG32 size_of_ntapi) |
| 33 | + | { |
| 34 | + | PVOID SyscallAddress; |
| 35 | + | #ifdef _WIN64 |
| 36 | + | BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 }; |
| 37 | + | #else |
| 38 | + | BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 }; |
| 39 | + | #endif |
| 40 | + | |
| 41 | + | // we will loook for a syscall;ret up to the end of the api |
| 42 | + | ULONG max_look_range = size_of_ntapi - sizeof(syscall_code) + 1; |
| 43 | + | |
| 44 | + | #ifdef _M_IX86 |
| 45 | + | if (local_is_wow64()) |
| 46 | + | { |
| 47 | + | // if we are a WoW64 process, jump to WOW32Reserved |
| 48 | + | SyscallAddress = (PVOID)READ_MEMLOC(0xc0); |
| 49 | + | return SyscallAddress; |
| 50 | + | } |
| 51 | + | #endif |
| 52 | + | |
| 53 | + | for (ULONG32 offset = 0; offset < max_look_range; offset++) |
| 54 | + | { |
| 55 | + | // we don't really care if there is a 'jmp' between |
| 56 | + | // nt_api_address and the 'syscall; ret' instructions |
| 57 | + | SyscallAddress = SW2_RVA2VA(PVOID, nt_api_address, offset); |
| 58 | + | |
| 59 | + | if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code))) |
| 60 | + | { |
| 61 | + | // we can use the original code for this system call :) |
| 62 | + | return SyscallAddress; |
| 63 | + | } |
| 64 | + | } |
| 65 | + | |
| 66 | + | // the 'syscall; ret' intructions have not been found, |
| 67 | + | // we will try to use one near it, similarly to HalosGate |
| 68 | + | |
| 69 | + | for (ULONG32 num_jumps = 1; num_jumps < SW2_MAX_ENTRIES; num_jumps++) |
| 70 | + | { |
| 71 | + | // let's try with an Nt* API below our syscall |
| 72 | + | for (ULONG32 offset = 0; offset < max_look_range; offset++) |
| 73 | + | { |
| 74 | + | SyscallAddress = SW2_RVA2VA( |
| 75 | + | PVOID, |
| 76 | + | nt_api_address, |
| 77 | + | offset + num_jumps * size_of_ntapi); |
| 78 | + | if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code))) |
| 79 | + | return SyscallAddress; |
| 80 | + | } |
| 81 | + | |
| 82 | + | // let's try with an Nt* API above our syscall |
| 83 | + | for (ULONG32 offset = 0; offset < max_look_range; offset++) |
| 84 | + | { |
| 85 | + | SyscallAddress = SW2_RVA2VA( |
| 86 | + | PVOID, |
| 87 | + | nt_api_address, |
| 88 | + | offset - num_jumps * size_of_ntapi); |
| 89 | + | if (!memcmp((PVOID)syscall_code, SyscallAddress, sizeof(syscall_code))) |
| 90 | + | return SyscallAddress; |
| 91 | + | } |
| 92 | + | } |
| 93 | + | |
| 94 | + | return SyscallNotFound; |
| 95 | + | } |
| 96 | + | |
| 97 | + | DWORD SW2_HashSyscall( |
| 98 | + | IN PCSTR FunctionName) |
| 99 | + | { |
| 100 | + | DWORD i = 0; |
| 101 | + | DWORD Hash = SW2_SEED; |
| 102 | + | |
| 103 | + | while (FunctionName[i]) |
| 104 | + | { |
| 105 | + | WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++); |
| 106 | + | Hash ^= PartialName + SW2_ROR8(Hash); |
| 107 | + | } |
| 108 | + | |
| 109 | + | return Hash; |
| 110 | + | } |
| 111 | + | |
| 112 | + | BOOL SW2_PopulateSyscallList(VOID) |
| 113 | + | { |
| 114 | + | // Return early if the list is already populated. |
| 115 | + | if (SW2_SyscallList.Count) return TRUE; |
| 116 | + | |
| 117 | + | PSW2_PEB Peb = (PSW2_PEB)READ_MEMLOC(PEB_OFFSET); |
| 118 | + | PSW2_PEB_LDR_DATA Ldr = Peb->Ldr; |
| 119 | + | PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; |
| 120 | + | PVOID DllBase = NULL; |
| 121 | + | |
| 122 | + | // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second |
| 123 | + | // in the list, so it's safer to loop through the full list and find it. |
| 124 | + | PSW2_LDR_DATA_TABLE_ENTRY LdrEntry; |
| 125 | + | for (LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0]) |
| 126 | + | { |
| 127 | + | DllBase = LdrEntry->DllBase; |
| 128 | + | PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase; |
| 129 | + | PIMAGE_NT_HEADERS NtHeaders = SW2_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew); |
| 130 | + | PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory; |
| 131 | + | DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; |
| 132 | + | if (VirtualAddress == 0) continue; |
| 133 | + | |
| 134 | + | ExportDirectory = SW2_RVA2VA(PIMAGE_EXPORT_DIRECTORY, DllBase, VirtualAddress); |
| 135 | + | |
| 136 | + | // If this is NTDLL.dll, exit loop. |
| 137 | + | PCHAR DllName = SW2_RVA2VA(PCHAR, DllBase, ExportDirectory->Name); |
| 138 | + | if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue; |
| 139 | + | if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break; |
| 140 | + | } |
| 141 | + | |
| 142 | + | if (!ExportDirectory) return FALSE; |
| 143 | + | |
| 144 | + | DWORD NumberOfNames = ExportDirectory->NumberOfNames; |
| 145 | + | PDWORD Functions = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions); |
| 146 | + | PDWORD Names = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames); |
| 147 | + | PWORD Ordinals = SW2_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals); |
| 148 | + | |
| 149 | + | // Populate SW2_SyscallList with unsorted Zw* entries. |
| 150 | + | DWORD i = 0; |
| 151 | + | PSW2_SYSCALL_ENTRY Entries = SW2_SyscallList.Entries; |
| 152 | + | do |
| 153 | + | { |
| 154 | + | PCHAR FunctionName = SW2_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]); |
| 155 | + | |
| 156 | + | // Is this a system call? |
| 157 | + | if (*(USHORT*)FunctionName == 0x775a) |
| 158 | + | { |
| 159 | + | Entries[i].Hash = SW2_HashSyscall(FunctionName); |
| 160 | + | Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]]; |
| 161 | + | |
| 162 | + | i++; |
| 163 | + | if (i == SW2_MAX_ENTRIES) break; |
| 164 | + | } |
| 165 | + | } while (--NumberOfNames); |
| 166 | + | |
| 167 | + | // Save total number of system calls found. |
| 168 | + | SW2_SyscallList.Count = i; |
| 169 | + | |
| 170 | + | // Sort the list by address in ascending order. |
| 171 | + | for (DWORD i = 0; i < SW2_SyscallList.Count - 1; i++) |
| 172 | + | { |
| 173 | + | for (DWORD j = 0; j < SW2_SyscallList.Count - i - 1; j++) |
| 174 | + | { |
| 175 | + | if (Entries[j].Address > Entries[j + 1].Address) |
| 176 | + | { |
| 177 | + | // Swap entries. |
| 178 | + | SW2_SYSCALL_ENTRY TempEntry; |
| 179 | + | |
| 180 | + | TempEntry.Hash = Entries[j].Hash; |
| 181 | + | TempEntry.Address = Entries[j].Address; |
| 182 | + | |
| 183 | + | Entries[j].Hash = Entries[j + 1].Hash; |
| 184 | + | Entries[j].Address = Entries[j + 1].Address; |
| 185 | + | |
| 186 | + | Entries[j + 1].Hash = TempEntry.Hash; |
| 187 | + | Entries[j + 1].Address = TempEntry.Address; |
| 188 | + | } |
| 189 | + | } |
| 190 | + | } |
| 191 | + | |
| 192 | + | // we need to know this in order to better search for syscall ids |
| 193 | + | ULONG size_of_ntapi = Entries[1].Address - Entries[0].Address; |
| 194 | + | |
| 195 | + | // finally calculate the address of each syscall |
| 196 | + | for (DWORD i = 0; i < SW2_SyscallList.Count - 1; i++) |
| 197 | + | { |
| 198 | + | PVOID nt_api_address = SW2_RVA2VA(PVOID, DllBase, Entries[i].Address); |
| 199 | + | Entries[i].SyscallAddress = GetSyscallAddress(nt_api_address, size_of_ntapi); |
| 200 | + | } |
| 201 | + | |
| 202 | + | return TRUE; |
| 203 | + | } |
| 204 | + | |
| 205 | + | EXTERN_C DWORD SW2_GetSyscallNumber( |
| 206 | + | IN DWORD FunctionHash) |
| 207 | + | { |
| 208 | + | if (!SW2_PopulateSyscallList()) |
| 209 | + | { |
| 210 | + | DPRINT_ERR("SW2_PopulateSyscallList failed"); |
| 211 | + | return -1; |
| 212 | + | } |
| 213 | + | |
| 214 | + | for (DWORD i = 0; i < SW2_SyscallList.Count; i++) |
| 215 | + | { |
| 216 | + | if (FunctionHash == SW2_SyscallList.Entries[i].Hash) |
| 217 | + | { |
| 218 | + | return i; |
| 219 | + | } |
| 220 | + | } |
| 221 | + | DPRINT_ERR("syscall with hash 0x%lx not found", FunctionHash); |
| 222 | + | return -1; |
| 223 | + | } |
| 224 | + | |
| 225 | + | EXTERN_C PVOID SW3_GetSyscallAddress( |
| 226 | + | IN DWORD FunctionHash) |
| 227 | + | { |
| 228 | + | if (!SW2_PopulateSyscallList()) |
| 229 | + | { |
| 230 | + | DPRINT_ERR("SW2_PopulateSyscallList failed"); |
| 231 | + | return NULL; |
| 232 | + | } |
| 233 | + | |
| 234 | + | for (DWORD i = 0; i < SW2_SyscallList.Count; i++) |
| 235 | + | { |
| 236 | + | if (FunctionHash == SW2_SyscallList.Entries[i].Hash) |
| 237 | + | { |
| 238 | + | return SW2_SyscallList.Entries[i].SyscallAddress; |
| 239 | + | } |
| 240 | + | } |
| 241 | + | DPRINT_ERR("syscall with hash 0x%lx not found", FunctionHash); |
| 242 | + | return NULL; |
| 243 | + | } |
| 244 | + | |
| 245 | + | __declspec(naked) BOOL local_is_wow64(void) |
| 246 | + | { |
| 247 | + | #if defined(_WIN64) |
| 248 | + | asm( |
| 249 | + | "mov rax, 0 \n" |
| 250 | + | "ret \n" |
| 251 | + | ); |
| 252 | + | #else |
| 253 | + | asm( |
| 254 | + | "mov eax, fs:[0xc0] \n" |
| 255 | + | "test eax, eax \n" |
| 256 | + | "jne wow64 \n" |
| 257 | + | "mov eax, 0 \n" |
| 258 | + | "ret \n" |
| 259 | + | "wow64: \n" |
| 260 | + | "mov eax, 1 \n" |
| 261 | + | "ret \n" |
| 262 | + | ); |
| 263 | + | #endif |
| 264 | + | } |
| 265 | + | |
| 266 | + | __declspec(naked) PVOID getIP(void) |
| 267 | + | { |
| 268 | + | #ifdef _WIN64 |
| 269 | + | __asm__( |
| 270 | + | "mov rax, [rsp] \n" |
| 271 | + | "ret \n" |
| 272 | + | ); |
| 273 | + | #else |
| 274 | + | __asm__( |
| 275 | + | "mov eax, [esp] \n" |
| 276 | + | "ret \n" |
| 277 | + | ); |
| 278 | + | #endif |
| 279 | + | } |
| 280 | + | |
| 281 | + | __declspec(naked) NTSTATUS NtQueryVirtualMemory( |
| 282 | + | IN HANDLE ProcessHandle, |
| 283 | + | IN PVOID BaseAddress, |
| 284 | + | IN MEMORY_INFORMATION_CLASS MemoryInformationClass, |
| 285 | + | OUT PVOID MemoryInformation, |
| 286 | + | IN SIZE_T MemoryInformationLength, |
| 287 | + | OUT PSIZE_T ReturnLength OPTIONAL) |
| 288 | + | { |
| 289 | + | #if defined(_WIN64) |
| 290 | + | asm( |
| 291 | + | "mov [rsp +8], rcx \n" |
| 292 | + | "mov [rsp+16], rdx \n" |
| 293 | + | "mov [rsp+24], r8 \n" |
| 294 | + | "mov [rsp+32], r9 \n" |
| 295 | + | "mov rcx, 0x0393E980 \n" |
| 296 | + | "push rcx \n" |
| 297 | + | "sub rsp, 0x28 \n" |
| 298 | + | "call SW3_GetSyscallAddress \n" |
| 299 | + | "add rsp, 0x28 \n" |
| 300 | + | "pop rcx \n" |
| 301 | + | "push rax \n" |
| 302 | + | "sub rsp, 0x28 \n" |
| 303 | + | "call SW2_GetSyscallNumber \n" |
| 304 | + | "add rsp, 0x28 \n" |
| 305 | + | "pop r11 \n" |
| 306 | + | "mov rcx, [rsp+8] \n" |
| 307 | + | "mov rdx, [rsp+16] \n" |
| 308 | + | "mov r8, [rsp+24] \n" |
| 309 | + | "mov r9, [rsp+32] \n" |
| 310 | + | "mov r10, rcx \n" |
| 311 | + | "jmp r11 \n" |
| 312 | + | ); |
| 313 | + | #else |
| 314 | + | asm( |
| 315 | + | "push 0x0393E980 \n" |
| 316 | + | "call SW3_GetSyscallAddress \n" |
| 317 | + | "pop ebx \n" |
| 318 | + | "push eax \n" |
| 319 | + | "push ebx \n" |
| 320 | + | "call SW2_GetSyscallNumber \n" |
| 321 | + | "add esp, 4 \n" |
| 322 | + | "pop ebx \n" |
| 323 | + | "mov edx, esp \n" |
| 324 | + | "sub edx, 4 \n" |
| 325 | + | "call ebx \n" |
| 326 | + | "ret \n" |
| 327 | + | ); |
| 328 | + | #endif |
| 329 | + | } |
| 330 | + | |
| 331 | + | __declspec(naked) NTSTATUS NtFreeVirtualMemory( |
| 332 | + | IN HANDLE ProcessHandle, |
| 333 | + | IN OUT PVOID * BaseAddress, |
| 334 | + | IN OUT PSIZE_T RegionSize, |
| 335 | + | IN ULONG FreeType) |
| 336 | + | { |
| 337 | + | #if defined(_WIN64) |
| 338 | + | asm( |
| 339 | + | "mov [rsp +8], rcx \n" |
| 340 | + | "mov [rsp+16], rdx \n" |
| 341 | + | "mov [rsp+24], r8 \n" |
| 342 | + | "mov [rsp+32], r9 \n" |
| 343 | + | "mov rcx, 0x01932F05 \n" |
| 344 | + | "push rcx \n" |
| 345 | + | "sub rsp, 0x28 \n" |
| 346 | + | "call SW3_GetSyscallAddress \n" |
| 347 | + | "add rsp, 0x28 \n" |
| 348 | + | "pop rcx \n" |
| 349 | + | "push rax \n" |
| 350 | + | "sub rsp, 0x28 \n" |
| 351 | + | "call SW2_GetSyscallNumber \n" |
| 352 | + | "add rsp, 0x28 \n" |
| 353 | + | "pop r11 \n" |
| 354 | + | "mov rcx, [rsp+8] \n" |
| 355 | + | "mov rdx, [rsp+16] \n" |
| 356 | + | "mov r8, [rsp+24] \n" |
| 357 | + | "mov r9, [rsp+32] \n" |
| 358 | + | "mov r10, rcx \n" |
| 359 | + | "jmp r11 \n" |
| 360 | + | ); |
| 361 | + | #else |
| 362 | + | asm( |
| 363 | + | "push 0x01932F05 \n" |
| 364 | + | "call SW3_GetSyscallAddress \n" |
| 365 | + | "pop ebx \n" |
| 366 | + | "push eax \n" |
| 367 | + | "push ebx \n" |
| 368 | + | "call SW2_GetSyscallNumber \n" |
| 369 | + | "add esp, 4 \n" |
| 370 | + | "pop ebx \n" |
| 371 | + | "mov edx, esp \n" |
| 372 | + | "sub edx, 4 \n" |
| 373 | + | "call ebx \n" |
| 374 | + | "ret \n" |
| 375 | + | ); |
| 376 | + | #endif |
| 377 | + | } |
| 378 | + | |
| 379 | + | __declspec(naked) NTSTATUS NtUnmapViewOfSection( |
| 380 | + | HANDLE ProcessHandle, |
| 381 | + | PVOID BaseAddress) |
| 382 | + | { |
| 383 | + | #if defined(_WIN64) |
| 384 | + | asm( |
| 385 | + | "mov [rsp +8], rcx \n" |
| 386 | + | "mov [rsp+16], rdx \n" |
| 387 | + | "mov [rsp+24], r8 \n" |
| 388 | + | "mov [rsp+32], r9 \n" |
| 389 | + | "mov rcx, 0xCA1ACC8F \n" |
| 390 | + | "push rcx \n" |
| 391 | + | "sub rsp, 0x28 \n" |
| 392 | + | "call SW3_GetSyscallAddress \n" |
| 393 | + | "add rsp, 0x28 \n" |
| 394 | + | "pop rcx \n" |
| 395 | + | "push rax \n" |
| 396 | + | "sub rsp, 0x28 \n" |
| 397 | + | "call SW2_GetSyscallNumber \n" |
| 398 | + | "add rsp, 0x28 \n" |
| 399 | + | "pop r11 \n" |
| 400 | + | "mov rcx, [rsp+8] \n" |
| 401 | + | "mov rdx, [rsp+16] \n" |
| 402 | + | "mov r8, [rsp+24] \n" |
| 403 | + | "mov r9, [rsp+32] \n" |
| 404 | + | "mov r10, rcx \n" |
| 405 | + | "jmp r11 \n" |
| 406 | + | ); |
| 407 | + | #else |
| 408 | + | asm( |
| 409 | + | "push 0xCA1ACC8F \n" |
| 410 | + | "call SW3_GetSyscallAddress \n" |
| 411 | + | "pop ebx \n" |
| 412 | + | "push eax \n" |
| 413 | + | "push ebx \n" |
| 414 | + | "call SW2_GetSyscallNumber \n" |
| 415 | + | "add esp, 4 \n" |
| 416 | + | "pop ebx \n" |
| 417 | + | "mov edx, esp \n" |
| 418 | + | "sub edx, 4 \n" |
| 419 | + | "call ebx \n" |
| 420 | + | "ret \n" |
| 421 | + | ); |
| 422 | + | #endif |
| 423 | + | } |
| 424 | + | |
| 425 | + | |