
Alternative methods of avoiding heuristic analysis / Avoiding lazy API calls by utilizing NTDLL.dll

Bad way, bro =(, it can be hooked, patched, corrupted and so on... you should use a different way.
I haven't seen anti-viruses zero out syscall IDs or anything like that. It's still possible to disassemble their hooks and find the syscall IDs. If we can't find the syscall IDs for some reason, we also have some tricks to get non-patched DLLs:
1. NtMapViewOfSection (AV can hook / get a kernel callback and patch it before we can do anything)
2. Manually load DLLs from disk, then disassemble the image (AV can still hook / get a kernel callback and filter us)
These tricks work, but suck against a good AV.

You still need to cook the syscalls correctly; invoking them from a stub / allocated memory sucks as hell. Code-cave or ROP magic looks more promising.

This is all about x64. WoW64 has similar things, but yeah, it's more complicated; you need to mess with this stupid shitty emulation subsystem, Heaven's Gate and blah-blah.
I didn't analyze it: do anti-viruses hook the 64-bit ntdll inside a WoW64 process, or only the 32-bit version?