ReactOS winapis for general purpose obfuscation

Rn86
Posts: 1
Joined: Tue Aug 25, 2020 7:42 pm

Post by Rn86 »

Hello,
I admire your work. Beautiful implementation.
I work with software security and I noticed that a very nice solution for API obfuscation could be implemented using your SDKs.

Because you have a very nice implementation of the WinAPI libraries, a syscall/sysenter/interrupt gateway could be implemented to hide from API monitors, breakpoints and reverse engineering.

This is my POC.

Assembly for 32-bit and WoW64 processes

Code:

syscall_get_offset PROC
    ; KUSER_SHARED_DATA is mapped read-only at 7FFE0000h in every process.
    ; +26Ch is NtMajorVersion; the SystemCall field moved from +300h to +308h in Windows 10.
    mov eax, ds:[7FFE026Ch]
    cmp eax, 10
    je win10
    mov eax, 7FFE0300h
    ret
    win10:
    mov eax, 7FFE0308h
    ret
syscall_get_offset ENDP

syscall2 PROC
    ASSUME FS:NOTHING
    call syscall_get_offset
    test byte ptr [eax], 1          ; SystemCall set -> native 32-bit, clear -> WoW64
    mov eax, [esp + 12]             ; third argument: the system call number
    je wow64
    mov edx, esp                    ; native 32-bit: the kernel takes the user stack pointer from edx
    sysenter
    ret
    wow64:
    mov edx, fs:[030h]              ; fs:[30h] is the PEB
    mov edx, [edx + 254h]           ; bit 1 of the dword at PEB+254h selects the int 2Eh path (per the post)
    test edx, 2
    jnz interupt
    call dword ptr fs:[0C0h]        ; TEB WOW32Reserved: the WoW64 32->64 transition gate
    ret
    interupt:
    int 2Eh                         ; legacy interrupt-based system call entry
    ret
    ASSUME FS:ERROR
syscall2 ENDP
Assembly for 64-bit

Code:

syscall_get_offset PROC
    ; Same KUSER_SHARED_DATA lookup as the 32-bit version; the address fits in 32 bits
    ; and is zero-extended, so a 32-bit register is enough.
    mov eax, ds:[7FFE026Ch]
    cmp eax, 10
    je win10
    mov eax, 7FFE0300h
    ret
    win10:
    mov eax, 7FFE0308h
    ret
syscall_get_offset ENDP

syscall2 PROC
    mov r10, rcx                    ; syscall clobbers rcx, so the first argument travels in r10
    call syscall_get_offset
    test byte ptr [eax], 1          ; SystemCall set -> int 2Eh path, clear -> syscall instruction
    mov eax, r8d                    ; third argument: the system call number
    jne interupt
    syscall
    ret
    interupt:
    int 2Eh
    ret
syscall2 ENDP
C/C++

Code:

#include <windows.h>
#include <winternl.h>

extern "C" void syscall2(...);

/* Prototype assumed here; the post omits the implementation of syscall_number. */
extern "C" unsigned long syscall_number(const char* functionName);
 
#define SYSCALL_2(type, arg1, arg2) \
    ((type(*)(...))syscall2)(arg1, arg2, syscall_number(__FUNCTION__))
 
NTSTATUS
NTAPI
NtTerminateProcess(
    IN HANDLE               ProcessHandle OPTIONAL,
    IN NTSTATUS             ExitStatus)
{
    /* The macro looks up the syscall number by this function's name. */
    return SYSCALL_2(NTSTATUS, ProcessHandle, ExitStatus);
}
That ds:7FFE0308h comes from the KUSER_SHARED_DATA structure, and it's a fast way to check if the SystemCall field is set or not. On 32-bit, if this field is set that means it's not WoW64; if it's not set, it's WoW64. On 64-bit, if that field is set that means the interrupt mechanism is being used; if not set, that means the syscall mechanism is being used. The thing is that only since Win10 is offset 7FFE0308 correct; from XP to Win10 offset 7FFE0300 was being used. So you need to check the operating system version to deduce the correct offset. It's very easy to do: the major Windows version is written in ds:7FFE026C.

The syscall_number function parses the syscall/sysenter/interrupt value out of the ntdll.dll code. I removed it for simplicity.

Now you have a gateway for syscalls with 2 arguments that works for every Windows version from XP to Win10, 32-bit, WoW64 and 64-bit. And the code becomes very hard to reverse engineer and track what is going on.

Using your WinAPIs you could implement very nice static Windows libraries for security engineers.

iamrn86.
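The flip side of the gateway described in the post is how a monitoring product notices it. Every legitimate user-mode system call on Windows enters the kernel through a stub inside ntdll.dll (or win32u.dll for win32k calls), so a syscall, sysenter or int 2Eh executed from any other address is a strong signal that API hooks are being bypassed. The following detection logic is an added example written for this thread, not code from the post or from ReactOS; the module map and the syscall trace are constructed inline, and in a real deployment they would come from a kernel-mode component that records the address of the instruction that issued the system call.

```python
"""Flag system calls issued from outside the OS-provided syscall stubs.

Added example, not part of the forum post. The trace and module map below
are constructed sample data standing in for what a kernel driver or ETW
consumer would deliver.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    number: int    # value of eax when the system call was issued
    caller: int    # address of the syscall / sysenter / int 2Eh instruction


# Modules that are allowed to issue system calls on a stock Windows install.
TRUSTED_GATES = ("ntdll.dll", "win32u.dll")


def owning_module(addr: int, modules: Iterable[Module]) -> Optional[Module]:
    """Return the loaded module that maps addr, or None for unbacked memory."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def is_direct_syscall(ev: SyscallEvent, modules: Iterable[Module]) -> bool:
    """True when the system call did not pass through a trusted gate module."""
    m = owning_module(ev.caller, modules)
    return m is None or m.name.lower() not in TRUSTED_GATES


def find_direct_syscalls(events: Iterable[SyscallEvent],
                         modules: Iterable[Module]) -> List[SyscallEvent]:
    """Filter a trace down to the events that deserve an alert."""
    return [ev for ev in events if is_direct_syscall(ev, modules)]


def describe(ev: SyscallEvent, modules: Iterable[Module]) -> str:
    """Human-readable alert line for one event."""
    m = owning_module(ev.caller, modules)
    where = m.name if m else "unbacked memory"
    return f"pid {ev.pid}: syscall 0x{ev.number:x} issued from 0x{ev.caller:x} ({where})"


# Constructed sample data: a 64-bit process's module map and three events.
SAMPLE_MODULES = [
    Module("app.exe",      0x00007FF6_1000_0000, 0x0002_0000),
    Module("ntdll.dll",    0x00007FFB_1A00_0000, 0x001F_0000),
    Module("kernel32.dll", 0x00007FFB_1800_0000, 0x000B_0000),
]
SAMPLE_EVENTS = [
    SyscallEvent(4120, 0x0055, 0x00007FFB_1A0C_1234),   # inside ntdll: expected path
    SyscallEvent(4120, 0x002C, 0x00007FF6_1001_0A10),   # inside app.exe: hand-rolled stub
    SyscallEvent(4120, 0x002C, 0x0000_0212_ABCD_0000),  # no module: injected or unbacked code
]

if __name__ == "__main__":
    for ev in find_direct_syscalls(SAMPLE_EVENTS, SAMPLE_MODULES):
        print("ALERT", describe(ev, SAMPLE_MODULES))
```

The check is deliberately about the address of the instruction that entered the kernel rather than about user-mode hooks, because the gateway in the post never touches ntdll's exported functions and therefore never hits an inline hook; only a vantage point that sees the actual kernel entry can tell the two apart.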