I admire your work. Beautiful implementation.
I work with software security and I noticed that a very nice solution for API obfuscation could be implemented using your SDKs.
Because you have a very nice implementation of WinAPI libraries, a syscall/sysenter/interrupt gateway could be implemented to hide from API monitors, breakpoints and reverse engineering.
This is my POC.
Assembly for 32-bit and WOW64 processes:

```asm
; Return the address of the KUSER_SHARED_DATA.SystemCall field for this Windows version
syscall_get_offset PROC
    mov eax, ds:[7FFE026Ch]     ; KUSER_SHARED_DATA.NtMajorVersion
    cmp eax, 10
    je win10
    mov eax, 7FFE0300h          ; SystemCall field before Windows 10
    ret
win10:
    mov eax, 7FFE0308h          ; SystemCall field on Windows 10
    ret
syscall_get_offset ENDP

; syscall2(arg1, arg2, number): cdecl, the caller cleans up the stack
syscall2 PROC
    ASSUME FS:NOTHING
    call syscall_get_offset
    test byte ptr [eax], 1      ; check the SystemCall flag
    mov eax, [esp + 12]         ; third argument: the system call number
    je wow64
    mov edx, esp                ; sysenter expects the user stack pointer in edx
    sysenter
    ret
wow64:
    mov edx, fs:[030h]          ; TEB.ProcessEnvironmentBlock
    mov edx, [edx + 254h]
    test edx, 2
    jnz interrupt
    call dword ptr fs:[0C0h]    ; TEB.WOW32Reserved: WOW64 transition to 64-bit mode
    ret
interrupt:
    int 2Eh                     ; legacy interrupt gate
    ret
    ASSUME FS:ERROR
syscall2 ENDP
```
Assembly for 64-bit processes:

```asm
; Return the address of the KUSER_SHARED_DATA.SystemCall field for this Windows version
syscall_get_offset PROC
    mov eax, ds:[7FFE026Ch]     ; KUSER_SHARED_DATA.NtMajorVersion
    cmp eax, 10
    je win10
    mov eax, 7FFE0300h          ; SystemCall field before Windows 10
    ret
win10:
    mov eax, 7FFE0308h          ; SystemCall field on Windows 10
    ret
syscall_get_offset ENDP

; syscall2(rcx = arg1, rdx = arg2, r8d = number)
syscall2 PROC
    mov r10, rcx                ; syscall clobbers rcx; the kernel reads arg1 from r10
    call syscall_get_offset
    test byte ptr [eax], 1      ; check the SystemCall flag
    mov eax, r8d                ; the system call number
    jne interrupt
    syscall
    ret
interrupt:
    int 2Eh                     ; legacy interrupt gate
    ret
syscall2 ENDP
```
C++ side:

```cpp
#include <windows.h>
#include <winternl.h>

// Looks up the system call number of the named Nt* routine in ntdll.dll.
// The body is left out of the post; this prototype is assumed (the return type
// is not shown, only that it is called with __FUNCTION__).
unsigned long syscall_number(const char* name);

// The assembly gateway above, declared variadic so any argument types pass through
extern "C" void syscall2(...);

#define SYSCALL_2(type, arg1, arg2) \
    ((type(*)(...))syscall2)(arg1, arg2, syscall_number(__FUNCTION__))

NTSTATUS
NTAPI
NtTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus)
{
    return SYSCALL_2(NTSTATUS, ProcessHandle, ExitStatus);
}
```
The syscall_number function parses the syscall/sysenter/interrupt value out of the ntdll.dll code. I removed it for simplicity.
Now you have a gateway for syscalls with 2 arguments that works for every Windows version from XP to Win10: 32-bit, WOW64 and 64-bit. And the code becomes very hard to reverse engineer and to track what is going on.
Using your WinAPIs you could implement very nice static Windows libraries for security engineers.
iamrn86.
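A defender-side check that follows from the technique in the post above, added here as an example that is not part of the original post: it scans code bytes for the three kernel-transition instructions the gateway uses (syscall, sysenter, int 2Eh) and flags any module other than ntdll.dll that contains them. The module names and byte strings are constructed sample input, not real binaries.

```python
# Added example (not from the post): flag the kernel-transition instructions the
# gateway above relies on when they appear in code other than ntdll.dll.
# Byte matching is a heuristic; the same bytes can sit inside immediates or
# data, so hits should be confirmed with a disassembler.
from typing import Dict, List, Tuple

# Opcode bytes of the three transitions used by the gateway, per platform
TRANSITION_OPCODES: Dict[bytes, str] = {
    b"\x0f\x05": "syscall",   # 64-bit
    b"\x0f\x34": "sysenter",  # 32-bit fast path
    b"\xcd\x2e": "int 2Eh",   # legacy interrupt gate
}


def find_transitions(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, mnemonic) for every transition opcode found in code."""
    hits: List[Tuple[int, str]] = []
    for pattern, mnemonic in TRANSITION_OPCODES.items():
        start = 0
        while (idx := code.find(pattern, start)) >= 0:
            hits.append((idx, mnemonic))
            start = idx + 1
    return sorted(hits)


def suspicious_modules(modules: Dict[str, bytes]) -> Dict[str, List[Tuple[int, str]]]:
    """Report transition opcodes in every module except ntdll.dll, the only
    place they are expected in a normal user-mode process."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for name, code in modules.items():
        if name.lower() == "ntdll.dll":
            continue
        hits = find_transitions(code)
        if hits:
            report[name] = hits
    return report


# Constructed sample modules (not real binaries): app.exe carries a stub
# shaped like the post's 64-bit syscall2 plus an int 2Eh fallback.
SAMPLE_MODULES: Dict[str, bytes] = {
    "ntdll.dll": b"\x4c\x8b\xd1\xb8\x00\x00\x00\x00\x0f\x05\xc3",
    "app.exe": b"\x90\x90\x4c\x8b\xd1\xb8\x00\x00\x00\x00\x0f\x05\xc3\xcd\x2e\xc3",
    "benign.dll": b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3",
}

if __name__ == "__main__":
    for module, hits in suspicious_modules(SAMPLE_MODULES).items():
        for offset, mnemonic in hits:
            print(f"{module}: {mnemonic} at offset 0x{offset:x}")
```

A runtime equivalent would compare the address a transition instruction executes from against ntdll's mapped image range; the static scan above is the same idea applied to bytes on disk or in a memory dump.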