动态获取API函数实现免杀技术详解<\/h1>

一、导入表基础<\/h2>

1.1 导入表概念<\/h3>
导入表(Import Directory)存储了PE文件运行时所需的API及相关DLL模块信息。安全产品(AV\/EDR)常通过分析导入表中的敏感API(如`VirtualAlloc<\/code>、VirtualProtect<\/code>、CreateThread<\/code>等)来判断文件风险等级。<\/p>`

1.2 查看导入表工具<\/h3>

studyPE+<\/strong>：可查看文件的导入信息<\/li>
IDA<\/strong>：在Import界面查看导入信息<\/li>
<\/ul>
二、动态获取API函数的三种方式<\/h2>
2.1 方法对比：GetModuleHandle vs LoadLibrary<\/h3>



特性<\/th>
GetModuleHandle<\/th>
LoadLibrary<\/th>
<\/tr>
<\/thead>


主要作用<\/td>
获取已加载模块句柄(不增加引用计数)<\/td>
加载模块到进程地址空间(增加引用计数)<\/td>
<\/tr>

适用场景<\/td>
模块已加载，需重复获取句柄<\/td>
模块未加载，需显式加载<\/td>
<\/tr>

引用计数管理<\/td>
不增加<\/td>
增加(需配合FreeLibrary)<\/td>
<\/tr>

返回值<\/td>
模块未加载返回NULL<\/td>
模块已加载返回现有句柄(引用计数+1)<\/td>
<\/tr>
<\/tbody>
<\/table>
2.2 函数指针声明<\/h3>
动态获取API需要声明相应的函数指针类型，格式如下：<\/p>
typedef<\/span> FARPROC<\/span> (WINAPI *<\/span>GETPROCADDR)(HMODULE hModule, LPCSTR lpProcName);
<\/span><\/span><\/code><\/pre>调用约定对比<\/h4>



调用约定<\/th>
参数顺序<\/th>
堆栈清理者<\/th>
典型应用场景<\/th>
变参支持<\/th>
<\/tr>
<\/thead>


__stdcall<\/td>
右→左<\/td>
被调用者<\/td>
Windows API、COM接口<\/td>
否<\/td>
<\/tr>

__cdecl<\/td>
右→左<\/td>
调用者<\/td>
C\/C++默认、可变参数函数<\/td>
是<\/td>
<\/tr>

__fastcall<\/td>
右→左<\/td>
被调用者<\/td>
寄存器传参优化场景<\/td>
否<\/td>
<\/tr>
<\/tbody>
<\/table>
2.3 方法一：GetModuleHandle+GetProcAddress组合<\/h3>
核心API<\/h4>

GetModuleHandle<\/strong>：检索已加载模块的句柄<\/li>
GetProcAddress<\/strong>：从DLL检索导出函数或变量的地址<\/li>
<\/ul>
示例：动态调用MessageBoxW<\/h4>
typedef<\/span> int<\/span> (WINAPI *<\/span>MESSAGEBOXW)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    HMODULE hUser32 =<\/span> GetModuleHandleW(L<\/span>"user32.dll"<\/span>);
<\/span><\/span>    MESSAGEBOXW pMessageBoxW =<\/span> (MESSAGEBOXW)GetProcAddress(hUser32, "MessageBoxW"<\/span>);
<\/span><\/span>    pMessageBoxW(NULL, L<\/span>"Hello"<\/span>, L<\/span>"Title"<\/span>, MB_OK);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>实战应用<\/h4>

使用加密版将shellcode加密并输出<\/li>
将shellcode保存到shellcode.txt<\/li>
用VS的MSVC或Cling-cl编译解密版代码<\/li>
将编译好的exe和shellcode.txt放到目标机器同一目录<\/li>
<\/ol>
2.4 方法二：PEB + GetModuleHandle+GetProcAddress<\/h3>
2.4.1 获取PEB结构体地址<\/h4>
64位系统：<\/strong><\/p>
\/\/ 方法一：从TEB出发
<\/span><\/span><\/span><\/span>PPEB pPeb =<\/span> (PPEB)__readgsqword(0x60<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 方法二：直接从GS寄存器
<\/span><\/span><\/span><\/span>PPEB pPeb =<\/span> (PPEB)__readgsqword(0x60<\/span>);
<\/span><\/span><\/code><\/pre>32位系统：<\/strong><\/p>
\/\/ 方法一：从TEB出发
<\/span><\/span><\/span><\/span>PPEB pPeb =<\/span> (PPEB)__readfsdword(0x30<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 方法二：直接从FS寄存器
<\/span><\/span><\/span><\/span>PPEB pPeb =<\/span> (PPEB)__readfsdword(0x30<\/span>);
<\/span><\/span><\/code><\/pre>2.4.2 关键结构体<\/h4>

_PEB_LDR_DATA<\/strong>：位于PEB结构体0x18位置<\/li>
_LIST_ENTRY<\/strong>：双向链表，包含Flink和Blink指针<\/li>
LDR_DATA_TABLE_ENTRY<\/strong>：描述已加载模块信息的关键结构<\/li>
<\/ol>
2.4.3 导出表相关数据结构<\/h4>

AddressOfNames<\/strong>：按名称导出函数的字符串地址(RVA)<\/li>
AddressOfFunctions<\/strong>：导出函数的实际入口地址(RVA)<\/li>
AddressOfNameOrdinals<\/strong>：函数名称索引与函数地址索引的映射<\/li>
<\/ol>
2.4.4 辅助函数实现<\/h4>
\/\/ 自定义宽字符转小写
<\/span><\/span><\/span><\/span>wchar_t my_towlower<\/span>(wchar_t c) {
<\/span><\/span>    if<\/span> (c >=<\/span> L<\/span>'A'<\/span> &&<\/span> c <=<\/span> L<\/span>'Z'<\/span>)
<\/span><\/span>        return<\/span> c +<\/span> (L<\/span>'a'<\/span> -<\/span> L<\/span>'A'<\/span>);
<\/span><\/span>    return<\/span> c;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 不区分大小写的宽字符串比较
<\/span><\/span><\/span><\/span>int<\/span> MyCompareStringW<\/span>(LPCWSTR str1, LPCWSTR str2) {
<\/span><\/span>    while<\/span> (*<\/span>str1 &&<\/span> *<\/span>str2) {
<\/span><\/span>        if<\/span> (my_towlower(*<\/span>str1) !=<\/span> my_towlower(*<\/span>str2))
<\/span><\/span>            return<\/span> 0<\/span>;
<\/span><\/span>        str1++<\/span>;
<\/span><\/span>        str2++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> (*<\/span>str1 ==<\/span> L<\/span>'\0'<\/span> &&<\/span> *<\/span>str2 ==<\/span> L<\/span>'\0'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ ASCII字符串比较
<\/span><\/span><\/span><\/span>int<\/span> MyCompareStringA<\/span>(LPCSTR str1, LPCSTR str2) {
<\/span><\/span>    while<\/span> (*<\/span>str1 &&<\/span> *<\/span>str2) {
<\/span><\/span>        if<\/span> (*<\/span>str1 !=<\/span> *<\/span>str2)
<\/span><\/span>            return<\/span> 0<\/span>;
<\/span><\/span>        str1++<\/span>;
<\/span><\/span>        str2++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> (*<\/span>str1 ==<\/span> '\0'<\/span> &&<\/span> *<\/span>str2 ==<\/span> '\0'<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 提取DLL名称
<\/span><\/span><\/span><\/span>LPCWSTR ExtractDllName<\/span>(LPCWSTR fullPath) {
<\/span><\/span>    LPCWSTR lastBackslash =<\/span> fullPath;
<\/span><\/span>    while<\/span> (*<\/span>fullPath) {
<\/span><\/span>        if<\/span> (*<\/span>fullPath ==<\/span> L<\/span>'\\'<\/span>)
<\/span><\/span>            lastBackslash =<\/span> fullPath +<\/span> 1<\/span>;
<\/span><\/span>        fullPath++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> lastBackslash;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4.5 GetApiAddressByName实现<\/h4>
FARPROC GetApiAddressByName<\/span>(LPCWSTR dllName, LPCSTR apiName) {
<\/span><\/span>    \/\/ 获取PEB地址
<\/span><\/span><\/span><\/span>    PPEB pPeb =<\/span> (PPEB)__readgsqword(0x60<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取PEB_LDR_DATA
<\/span><\/span><\/span><\/span>    PPEB_LDR_DATA pLdr =<\/span> (PPEB_LDR_DATA)pPeb-><\/span>Ldr;
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取第一个模块
<\/span><\/span><\/span><\/span>    PLIST_ENTRY pListEntry =<\/span> pLdr-><\/span>InMemoryOrderModuleList.Flink;
<\/span><\/span>    
<\/span><\/span>    while<\/span> (pListEntry !=<\/span> &<\/span>pLdr-><\/span>InMemoryOrderModuleList) {
<\/span><\/span>        \/\/ 获取LDR_DATA_TABLE_ENTRY
<\/span><\/span><\/span><\/span>        PLDR_DATA_TABLE_ENTRY pEntry =<\/span> CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
<\/span><\/span>        
<\/span><\/span>        \/\/ 检查DLL名称
<\/span><\/span><\/span><\/span>        if<\/span> (pEntry-><\/span>FullDllName.Buffer) {
<\/span><\/span>            LPCWSTR currentDllName =<\/span> ExtractDllName(pEntry-><\/span>FullDllName.Buffer);
<\/span><\/span>            if<\/span> (MyCompareStringW(currentDllName, dllName)) {
<\/span><\/span>                \/\/ 解析PE头
<\/span><\/span><\/span><\/span>                PIMAGE_DOS_HEADER pDosHeader =<\/span> (PIMAGE_DOS_HEADER)pEntry-><\/span>DllBase;
<\/span><\/span>                PIMAGE_NT_HEADERS pNtHeaders =<\/span> (PIMAGE_NT_HEADERS)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> pDosHeader-><\/span>e_lfanew);
<\/span><\/span>                
<\/span><\/span>                \/\/ 获取导出表
<\/span><\/span><\/span><\/span>                PIMAGE_EXPORT_DIRECTORY pExportDir =<\/span> (PIMAGE_EXPORT_DIRECTORY)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> 
<\/span><\/span>                    pNtHeaders-><\/span>OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
<\/span><\/span>                
<\/span><\/span>                \/\/ 遍历导出表
<\/span><\/span><\/span><\/span>                DWORD*<\/span> nameArray =<\/span> (DWORD*<\/span>)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> pExportDir-><\/span>AddressOfNames);
<\/span><\/span>                WORD*<\/span> ordinalArray =<\/span> (WORD*<\/span>)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> pExportDir-><\/span>AddressOfNameOrdinals);
<\/span><\/span>                DWORD*<\/span> funcArray =<\/span> (DWORD*<\/span>)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> pExportDir-><\/span>AddressOfFunctions);
<\/span><\/span>                
<\/span><\/span>                for<\/span> (DWORD i =<\/span> 0<\/span>; i <<\/span> pExportDir-><\/span>NumberOfNames; i++<\/span>) {
<\/span><\/span>                    LPCSTR currentApiName =<\/span> (LPCSTR)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> nameArray[i]);
<\/span><\/span>                    if<\/span> (MyCompareStringA(currentApiName, apiName)) {
<\/span><\/span>                        return<\/span> (FARPROC)((BYTE*<\/span>)pEntry-><\/span>DllBase +<\/span> funcArray[ordinalArray[i]]);
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        pListEntry =<\/span> pListEntry-><\/span>Flink;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 方法三：完全PEB<\/h3>
与方法二类似，但完全不依赖GetModuleHandle<\/code>和GetProcAddress<\/code>，直接通过PEB遍历获取所有需要的API函数地址。<\/p>
三、免杀测试标准<\/h2>

shellcode加密采用自定义XOR加密和Base64编码<\/li>
shellcode分离加载采用本地读取文本文件方式<\/li>
修改VS的默认编译选项<\/li>
不使用修改时间戳、加签名等手段<\/li>
按主题采用相应技术进行免杀测试<\/li>
<\/ol>
四、补充防御规避技术<\/h2>
当动态获取API函数技术失效时，可结合以下技术：<\/p>

API哈希<\/li>
系统调用(直接\/间接)<\/li>
调用栈欺骗<\/li>
<\/ol>
五、参考资料<\/h2>

什么?你连这都不会还学免杀?之「API动态解析」<\/li>
【免杀】隐藏导入表(IAT)的六种方式<\/li>
免杀基础-IAT隐藏<\/li>
隐藏IAT(导入表)敏感API笔记<\/li>
<\/ol>

动态获取API函数实现免杀技术详解<\/h1>

一、导入表基础<\/h2>

1.1 导入表概念<\/h3> 导入表(Import Directory)存储了PE文件运行时所需的API及相关DLL模块信息。安全产品(AV\/EDR)常通过分析导入表中的敏感API(如VirtualAlloc<\/code>、VirtualProtect<\/code>、CreateThread<\/code>等)来判断文件风险等级。<\/p>

二、动态获取API函数的三种方式<\/h2>

2.3 方法一：GetModuleHandle+GetProcAddress组合<\/h3>

2.4 方法二：PEB + GetModuleHandle+GetProcAddress<\/h3>

2.5 方法三：完全PEB<\/h3> 与方法二类似，但完全不依赖GetModuleHandle<\/code>和GetProcAddress<\/code>，直接通过PEB遍历获取所有需要的API函数地址。<\/p>

五、参考资料<\/h2> 什么?你连这都不会还学免杀?之「API动态解析」<\/li> 【免杀】隐藏导入表(IAT)的六种方式<\/li> 免杀基础-IAT隐藏<\/li> 隐藏IAT(导入表)敏感API笔记<\/li> <\/ol>

1.1 导入表概念<\/h3>
导入表(Import Directory)存储了PE文件运行时所需的API及相关DLL模块信息。安全产品(AV\/EDR)常通过分析导入表中的敏感API(如`VirtualAlloc<\/code>、VirtualProtect<\/code>、CreateThread<\/code>等)来判断文件风险等级。<\/p>`

2.5 方法三：完全PEB<\/h3>
与方法二类似，但完全不依赖`GetModuleHandle<\/code>和GetProcAddress<\/code>，直接通过PEB遍历获取所有需要的API函数地址。<\/p>`

五、参考资料<\/h2>

什么?你连这都不会还学免杀?之「API动态解析」<\/li>
【免杀】隐藏导入表(IAT)的六种方式<\/li>
免杀基础-IAT隐藏<\/li>
隐藏IAT(导入表)敏感API笔记<\/li> <\/ol>