This post was last edited by 00006666 on 2025-7-29 10:37.
An introduction to how the ring-3 hooks (ntdll hooks) commonly used by antivirus and EDR products work, reposted from a technical article I read earlier. Original article link
Since Microsoft introduced Kernel Patch Protection (aka PatchGuard) in 2005, many modifications to the kernel are now prevented. Previously, security products monitored user mode calls from inside the kernel by hooking the SSDT. Since all Nt/Zw functions are implemented in the kernel, all user mode calls must go through the SSDT, and are therefore subject to SSDT hooks. PatchGuard makes SSDT hooking off-limits, so many EDRs resorted to hooking ntdll.
A look at where security products place hooks before and after patch guard.
Since the SSDT exists in the kernel, user mode applications were not able to interfere with these hooks without loading a kernel driver. Now, the hooks are placed in user mode, alongside the application.
So, what does a user mode hook look like?
An example of an ntdll function before and after hooking.
To hook a function in ntdll.dll, most EDRs just overwrite the first 5 bytes of the function’s code with a jmp instruction. The jmp instruction will redirect code execution to some code within the EDR’s own DLL (which is automatically loaded into every process). After the CPU has been redirected to the EDR’s DLL, the EDR can perform security checks by inspecting the function parameters and return address. Once the EDR is done, it can resume the ntdll call by executing the overwritten instructions, then jumping to the location in ntdll right after the hook (jmp instruction).
Control flow example for hooked ntdll function.
In the above example, NtWriteFile is hooked. The green instructions are the original instructions from NtWriteFile. The first 3 instructions of NtWriteFile have been overwritten by the EDR’s hook (a jmp that redirects execution to a function named NtWriteFile in edr.dll). Whenever the EDR wants to call the real NtWriteFile, it executes the 3 overwritten instructions, then jumps to the 4th instruction of the hooked function to complete the syscall.
Whilst EDR hooks may vary slightly from vendor to vendor, the principle is still the same, and all share the same weakness: they're located in user mode. Since both the hooks and the EDR's DLL have to be placed inside every process's address space, a malicious process can tamper with them.