Hey km.info
A few weeks ago, I've been experimenting a bit with issuing raw system calls by leveraging the raw Intel syscall instruction 0F05 and an own minimal syscall number table for Win 7 up to Win 10 TP 9901.
I have then been able to create new threads in my own process without a single invocation of ntdll or kernel32 by doing so.
My question now is, is there any malware known which exploits this technique in order to do its evil work?
This might be particular usefull since
- The 400+ accessible system calls (heck, you can even add a 0x1000 to the call number and can have access to even the win32k calls) give you everything you need
- No crypter needed to obfuscate your calls, however, it still should't be too easy to statically track down what's the code's purpose is
- Any usermode hooks trying to implement behavioral analysis won't work I guess and only a few system calls can be intercepted without crippling Patch Guard but there might be possibilities to get a process handle other than surveillable (via PsSetCreateThreadNotifyRoutine/ObRegisterCallbacks) NtOpenProcess/NtDuplicateHandle,
- If used in an exploit, neither ASLR nor EAF will work against 0F05...
Downside clearly is
- The interface numbers WILL change with every release of Windows and you have no chance to track the changes.
- The more Windows versions you're willing to support the more syscall numbers you have to figure out and to hardcode.
And the question of the white side:
What can be done in order to oppose against malwares leveraging this technique?
In UM?
In KM?
Kind Regards
Microwave89
A few weeks ago, I've been experimenting a bit with issuing raw system calls by leveraging the raw Intel syscall instruction 0F05 and an own minimal syscall number table for Win 7 up to Win 10 TP 9901.
I have then been able to create new threads in my own process without a single invocation of ntdll or kernel32 by doing so.
My question now is, is there any malware known which exploits this technique in order to do its evil work?
This might be particular usefull since
- The 400+ accessible system calls (heck, you can even add a 0x1000 to the call number and can have access to even the win32k calls) give you everything you need
- No crypter needed to obfuscate your calls, however, it still should't be too easy to statically track down what's the code's purpose is
- Any usermode hooks trying to implement behavioral analysis won't work I guess and only a few system calls can be intercepted without crippling Patch Guard but there might be possibilities to get a process handle other than surveillable (via PsSetCreateThreadNotifyRoutine/ObRegisterCallbacks) NtOpenProcess/NtDuplicateHandle,
- If used in an exploit, neither ASLR nor EAF will work against 0F05...
Downside clearly is
- The interface numbers WILL change with every release of Windows and you have no chance to track the changes.
- The more Windows versions you're willing to support the more syscall numbers you have to figure out and to hardcode.
And the question of the white side:
What can be done in order to oppose against malwares leveraging this technique?
In UM?
In KM?
Kind Regards
Microwave89