r41p41 / snippets

fragments of dirty, and quick code. possible error checking or none.

CWA.c vs lowcallApi.c #1

Open Munsta opened 10 years ago

Munsta commented 10 years ago

As this is maybe the only way to communicate with you, I wanted to know what the differences between these 2 methods are?

r41p41 commented 10 years ago

Hi, I have removed lowcallApi.c because of a mistake on my behalf in assuming that it would fully bypass usermode hooking (it won't). As for your question: CWA is using inline assembly to find the address of a function in a DLL (hashes provided on the stack) and then adjusting the stack to call the API you wanted with the desired parameters. So in short you can use it like this: CWA(hash_of_messagebox, hash_of_dll, hwnd, title, text, MB_OK); it will automatically call MessageBox with the parameters provided and return back to the next line.

While lowcallApi.c was made to call SysCalls in Windows (x86 and x64) with only their syscall identifier (the value eax has when the syscall is executed), so you could've produced your own jump to kernel-mode APIs without relying on ntdll.dll (just in case it was hooked).

Munsta commented 10 years ago

Can you reupload the latest version of lowcallApi.c again please? I was trying to find it in my collection, then I found an unclosed tab (hail the "All Tabs Helper") with a link to it; bottom line, I maybe saved it somewhere or not, but I wanted to try it against Sandboxes like Cuckoo and not HIPS. HIPS bypassing from ring3 is possible only via specific exploits like @george_nicolaou did. I'm really, REALLY, glad you responded, and keep up with the nice snippets :), wrap them one day in some class{}; Kudos!

r41p41 commented 10 years ago

Give me a day or so, I will fix it and reupload.

r41p41 commented 10 years ago

Added 32-bit bypass. Will add another snippet to get the SysCall No from the SysCall name first, next 64-bit usermode sandboxes. Let me know of your results with Cuckoo, since I tested this with it a long time ago. Also, there are many methods to hop hooks, this one being quite low level.

Munsta commented 10 years ago

I know of one: shipping function preambles and spraying them on the stack as needed. This way it's possible to bypass JMP hooks I think.

r41p41 commented 10 years ago

nop =) that's ROP I think. And if I am correct in assuming it's ROP/return-to-libc kind of attacks, they won't bypass API hooking.

Munsta commented 10 years ago

It's from some old BH talk :), AV patches that fast.

r41p41 commented 10 years ago

Can you post a link to that talk? I'd be misunderstanding your previous statement.

Munsta commented 10 years ago

https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-tsyrklevich.pdf, but it's not the one where I saw it; it was a black and white presentation, 2005, 100% sure. Looking for it.

Munsta commented 10 years ago

This could be from XCON and not BH, but it's old, maybe the same author, nothing fancy. Same as Tsyrklevich said, but his talk is more about ring0.

r41p41 commented 10 years ago

Added it back. Check out the new commits: LowLevelSysCall_x86.c, GetSysCallNo_FromName.c

Munsta commented 10 years ago

I have some issues while debugging it, VS2012 is using some nasty optimisation, /checkstack or such new MS bloatware. Tell me if I'm doing the tests correctly: calling CreateFile() and RegSetValue() and hoping the online sandbox won't pick that up in logs - that's a bypass, no? :+1:

r41p41 commented 10 years ago

First of all, turn off all sorts of optimization in VS 2012, and I do mean all. Second of all, calling CreateFileA calls NtCreateFile at last, so hooks are in place which will detect either of them. So to bypass hooks, you have to call SysCalls which are present in ntdll.

Munsta commented 10 years ago

Hi, I didn't have any luck with bypassing the public sandboxing sites, but this guy for sure did :) http://www.joxeankoret.com/download/comodo_sandbox_escape/video/sandbox_escape1.htm PS: Yes, Comodo HIPS engine #fail again. http://t.co/jxiYffRdZL