[2022]syscall直接调用

所有的r3的api在X64上最终都是底层syscall的实现,所谓syscall是进内核的一个指令.除此之外还有int、异常等指令

直接进行syscall调用能绕过一些R3的hook.这不是什么魔法,这是从windows XP就开始流行的技术:

环境准备
新建一个VS工程,64位.增加一个.txt文件但是后缀名改成.asm,这边图都用老外的,因为技术太简单了我懒得重新开个项目了
![](https://key08.com/usr/uploads/2022/11/4037210576.png)
右键项目,点依赖项:
![](https://key08.com/usr/uploads/2022/11/2164864997.png)
启用masm

![](https://key08.com/usr/uploads/2022/11/3362938879.png)
然后右键那个文件,使用masm编译器

![](https://key08.com/usr/uploads/2022/11/159094728.png)
寻找syscall number
syscall的index每个系统都不一样,你自己定位.家庭作业是找个通用办法。

找个ntdll.dll 放到IDA里面打开它.然后看到导出表,找NT开头的函数,这里以NtCreateFile 为例:
```cpp
	NtCreateFile proc
			mov r10, rcx
			mov eax, 55h
			syscall
			ret
	NtCreateFile endp
```
注意看, mov eax, 55h 说明index是55.

syscall
从网上找到ntcreatefile的原型,命名为 SysNtCreateFile ,找个头文件放进去:
```cpp
EXTERN_C NTSTATUS SysNtCreateFile(
	PHANDLE FileHandle, 
	ACCESS_MASK DesiredAccess, 
	POBJECT_ATTRIBUTES ObjectAttributes, 
	PIO_STATUS_BLOCK IoStatusBlock, 
	PLARGE_INTEGER AllocationSize, 
	ULONG FileAttributes, 
	ULONG ShareAccess, 
	ULONG CreateDisposition, 
	ULONG CreateOptions, 
	PVOID EaBuffer, 
	ULONG EaLength
);
```
然后给你的asm文件里面编写如下内容(注意函数名字是跟你原型名字一样)

```cpp
.code
	SysNtCreateFile proc
			mov r10, rcx
			mov eax, 55h
			syscall
			ret
	SysNtCreateFile endp
end
```
为了成功调用NtCreateFile,我们需要知道他的全部参数,这里以打开文件为例,以下是打开test.txt文件的代码:

![](https://key08.com/usr/uploads/2022/11/2786080771.png)
执行syscall:

```cpp
SysNtCreateFile(
	&fileHandle, 
	FILE_GENERIC_WRITE, 
	&oa, 
	&osb, 
	0, 
	FILE_ATTRIBUTE_NORMAL, 
	FILE_SHARE_WRITE, 
	FILE_OVERWRITE_IF, 
	FILE_SYNCHRONOUS_IO_NONALERT, 
	NULL, 
	0
);
```
为了方便调试,下个断点.这样执行的时候久看得到断点内容了
![](https://key08.com/usr/uploads/2022/11/3525445600.png)
验证是否打开,用processhacker,查看是否有对应的test.txt文件的句柄

这样,R3的hook就无法检测到你了.但是内核的minifilter/msr hook依然可以检测到你

完整代码
syscall.cpp
```cpp
#include "pch.h"
#include <Windows.h>
#include "winternl.h"
#pragma comment(lib, "ntdll")

EXTERN_C NTSTATUS SysNtCreateFile(
	PHANDLE FileHandle, 
	ACCESS_MASK DesiredAccess, 
	POBJECT_ATTRIBUTES ObjectAttributes, 
	PIO_STATUS_BLOCK IoStatusBlock, 
	PLARGE_INTEGER AllocationSize, 
	ULONG FileAttributes, 
	ULONG ShareAccess, 
	ULONG CreateDisposition, 
	ULONG CreateOptions, 
	PVOID EaBuffer, 
	ULONG EaLength);

int main()
{
	FARPROC addr = GetProcAddress(LoadLibraryA("ntdll"), "NtCreateFile");
	
	OBJECT_ATTRIBUTES oa;
	HANDLE fileHandle = NULL;
	NTSTATUS status = NULL;
	UNICODE_STRING fileName;
	IO_STATUS_BLOCK osb;

RtlInitUnicodeString(&fileName, (PCWSTR)L"\\??\\c:\\temp\\test.txt");
	ZeroMemory(&osb, sizeof(IO_STATUS_BLOCK));
	InitializeObjectAttributes(&oa, &fileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

SysNtCreateFile(
		&fileHandle, 
		FILE_GENERIC_WRITE, 
		&oa, 
		&osb, 
		0, 
		FILE_ATTRIBUTE_NORMAL, 
		FILE_SHARE_WRITE, 
		FILE_OVERWRITE_IF, 
		FILE_SYNCHRONOUS_IO_NONALERT, 
		NULL, 
		0);

return 0;
}
```

白帽Wiki

一只鸭子

白帽Wiki - 一个简单的wiki