【FreeBuf福利群招新啦!精美周边、现金红包送送送...
满50人开启第一次抽奖,FreeBuf盲盒*2
满100人开启第二次抽奖,FreeBuf大象公仔*2
......
群内不定期开启各种福利活动,包括赠书、报告等,
群内每日更新最新网安资讯】
1、不需要任何其他的依赖组件; 2、基于纯Go语言或Go程序集开发; 3、支持自定义字符串加密和哈希函数以对抗静态代码分析;
1、遍历PEB并检索内存中ntdll.dll的基地址; 2、解析导出目录并检索每一个导出函数的地址; 3、计算每一个Zw*函数的系统服务数量; 4、枚举ntdll.dll中干净的syscall;ret工具; 5、创建代理实例,用于发送间接/直接系统调用;
git clone https://github.com/f1zm0/acheron.git
go get -u github.com/f1zm0/acheron
package mainimport ("fmt""unsafe""github.com/f1zm0/acheron")func main() {var (baseAddr uintptrhSelf = uintptr(0xffffffffffffffff))// creates Acheron instance, resolves SSNs, collects clean trampolines in ntdll.dlll, etc.ach, err := acheron.New()if err != nil {panic(err)}// indirect syscall for NtAllocateVirtualMemorys1 := ach.HashString("NtAllocateVirtualMemory")if retcode, err := ach.Syscall(s1, // function name hashhSelf, // arg1: _In_ HANDLE ProcessHandle,uintptr(unsafe.Pointer(&baseAddr)), // arg2: _Inout_ PVOID *BaseAddress,uintptr(unsafe.Pointer(nil)), // arg3: _In_ ULONG_PTR ZeroBits,0x1000, // arg4: _Inout_ PSIZE_T RegionSize,windows.MEM_COMMIT|windows.MEM_RESERVE, // arg5: _In_ ULONG AllocationType,windows.PAGE_EXECUTE_READWRITE, // arg6: _In_ ULONG Protect); err != nil {panic(err)}fmt.Printf("allocated memory with NtAllocateVirtualMemory (status: 0x%x)\n",retcode,)// ...}(向右滑动,查看更多)
https://github.com/crummie5/FreshyCalls
https://github.com/thefLink/RecycledGate
https://winternl.com/detecting-manual-syscalls-from-user-mode/
https://www.usenix.org/legacy/events/vee06/full_papers/p154-bhansali.pdf
https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low
文章引用微信公众号"FreeBuf",如有侵权,请联系管理员删除!
