Malicious loaders and PIS (Position-Independent Shellcode) use all sorts of techniques to evade AV/EDR and analysis by security staff, and the code-execution step in particular is often carried out covertly through a "callback function". The essence of a callback is that the address of function A is handed to function B; while function B runs, once some condition is triggered it stops and executes function A.
Callbacks come in two kinds: asynchronous and synchronous.
An asynchronous callback, for example: when the mouse moves, the corresponding hook fires, and while the hook is being handled the mouse keeps moving.
A synchronous callback, for example: function A is about to read data B; when some condition is triggered, function C modifies data B, and only then does function A continue reading data B.
Below is an example of a callback function.
```cpp
#define UNICODE
#define _UNICODE
#include <windows.h>

// Declare the window procedure callback, which handles window messages
LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    // Register the window class
    // Define and initialise a constant wide-character array
    const wchar_t CLASS_NAME[] = L"Sample Window Class";

    // Register a new window type named CLASS_NAME with the operating system. Windows of
    // this type belong to the current application instance hInstance, and every message
    // sent to such a window is handled by WindowProc
    WNDCLASS wc = { };
    wc.lpfnWndProc = WindowProc;   // set the callback function
    wc.hInstance = hInstance;
    wc.lpszClassName = CLASS_NAME;
    RegisterClass(&wc);

    // Create the window
    HWND hwnd = CreateWindowEx(
        0,                                        // extended window style
        CLASS_NAME,                               // window class
        L"回调函数示例",                           // window title
        WS_OVERLAPPEDWINDOW,                      // window style
        CW_USEDEFAULT, CW_USEDEFAULT, 400, 300,   // position and size
        NULL,                                     // parent window
        NULL,                                     // menu
        hInstance,                                // instance handle
        NULL                                      // extra data
    );
    if (hwnd == NULL) {
        return 0;
    }

    // Show the window
    ShowWindow(hwnd, nCmdShow);

    // Message loop
    MSG msg = { };
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return 0;
}

// Window procedure callback implementation
LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg) {
    case WM_DESTROY:
        PostQuitMessage(0);
        return 0;
    case WM_PAINT: {
        PAINTSTRUCT ps;
        HDC hdc = BeginPaint(hwnd, &ps);
        // Draw text on the window; pass the real string length instead of a hard-coded count
        const wchar_t text[] = L"这是一个回调函数示例";
        TextOut(hdc, 50, 50, text, lstrlenW(text));
        EndPaint(hwnd, &ps);
        return 0;
    }
    case WM_LBUTTONDOWN:
        MessageBox(hwnd, L"您点击了鼠标左键!", L"提示", MB_OK); // show a message box on left click
        return 0;
    }
    return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
```
After compiling and running the code, the result is shown in the figure below.

The comments already explain it well; just a couple more remarks. A lot of Windows development looks bewildering at first sight, but much of it is simply aliases defined with typedef. Take this statement, for example:
```cpp
LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam);
```
CALLBACK is an alias for __stdcall, LRESULT is an alias for LONG_PTR, and LONG_PTR resolves to __int64 or long depending on whether the build is 64-bit or 32-bit. The definitions are as follows:
```cpp
typedef LONG_PTR LRESULT;

#if defined(_WIN64)
typedef __int64 LONG_PTR;
#else
typedef long LONG_PTR;
#endif
// long: a basic C/C++ data type. Note that on Windows, long is a 4-byte signed integer
//       on both 32-bit and 64-bit, whereas on Unix long is an 8-byte signed integer
// __int64: a type specific to the Microsoft compiler (MSVC), an 8-byte signed integer

typedef unsigned int UINT;

// On 64-bit systems (_WIN64 defined)
typedef UINT_PTR WPARAM;   // UINT_PTR is a 64-bit unsigned integer
typedef LONG_PTR LPARAM;   // LONG_PTR is a 64-bit signed integer

// On 32-bit systems
typedef UINT WPARAM;       // UINT is a 32-bit unsigned integer
typedef LONG LPARAM;       // LONG is a 32-bit signed integer

#define WINAPI __stdcall

// HWND: window handle; think of it as the type of a pointer to the window object
// HINSTANCE: application instance handle. One application can have several instances
//            (processes) in memory, each of them unique; think of it as the type of a
//            pointer to that application-instance object
// HMODULE: module handle, equivalent to HINSTANCE
```
Every newly discovered callback function poses a fresh challenge for security analysts, which is why malware authors keep researching new callbacks. Below is an attempt to list all callback functions (more precisely, those documented by Microsoft and by third-party sites), to help AV/EDR focus their monitoring.
```
acmDriverEnumCallback acmDriverProc acmFilterChooseHookProc acmFilterEnumCallback acmFilterTagEnumCallback acmFormatChooseHookProc acmFormatEnumCallback acmFormatTagEnumCallback acmStreamConvertCallback AddInterface AddPropSheetPageProc AddSecureMemoryCacheCallback PagePaintHook PageSetupHook AllocateMemory APCProc ApplicationRecoveryCallback ApplyCallbackFunction PasswordChangeNotify PasswordFilter AuthzAccessCheckCallback AuthzComputeGroupsCallback AuthzFreeGroupsCallback BindIoCompletionCallback BlockConvertServicesToStatic BlockDeleteStaticServices BrowseCallbackProc BufferCallback CallWndProc CallWndRetProc capControlCallback capErrorCallback capStatusCallback capVideoStreamCallback capWaveStreamCallback capYieldCallback CBTProc CCHookProc CertChainFindByIssuerCallback CertDllOpenStoreProv CertEnumPhysicalStoreCallback CertEnumSystemStoreCallback CertEnumSystemStoreLocationCallback CertStoreProvCloseCallback CertStoreProvDeleteCertCallback CertStoreProvDeleteCRLCallback CertStoreProvDeleteCTL CertStoreProvFindCert CertStoreProvFindCRL CertStoreProvFindCTL CertStoreProvFreeFindCert CertStoreProvFreeFindCRL CertStoreProvFreeFindCTL CertStoreProvGetCertProperty CertStoreProvGetCRLProperty CertStoreProvGetCTLProperty CertStoreProvReadCertCallback CertStoreProvReadCRLCallback CertStoreProvReadCTL CertStoreProvSetCertPropertyCallback CertStoreProvSetCRLPropertyCallback CertStoreProvSetCTLProperty CertStoreProvWriteCertCallback CertStoreProvWriteCRLCallback CertStoreProvWriteCTL CFHookProc ClaimMediaLabel CleanupGroupCancelCallback ClientCallback ClientCallback_Function CloseServiceEnumerationHandle CollectPerformanceData CompletionProc ConnectClient ControlCallback CopyProgressRoutine CounterPathCallBack CQPageProc CreateServiceEnumerationHandle CreateStaticService CryptGetSignerCertificateCallback CRYPT_ENUM_KEYID_PROP CRYPT_ENUM_OID_FUNCTION CRYPT_ENUM_OID_INFO CRYPT_RETURN_HWND CRYPT_VERIFY_IMAGE CspGetDHAgreement DavAuthCallback DavFreeCredCallback
DavRegisterAuthCallback DavUnregisterAuthCallback DdeCallback DdeEnableCallback DeleteInterface DeleteStaticService DemandDialRequest DhcpAddressDelHook DhcpAddressOfferHook DhcpControlHook DhcpDeleteClientHook DhcpHandleOptionsHook DhcpNewPktHook DhcpPktDropHook DhcpPktSendHook DhcpServerCalloutEntry DialogProc DigestFunction DisassociateCurrentThreadFromCallback DisconnectClient DllCallbackProc DllGetClassObject DoUpdateRoutes DoUpdateServices DPA_DestroyCallback DPA_EnumCallback DrawStateProc DriverCallback DSA_DestroyCallback DSA_EnumCallback DSEnumAttributesCallback EditStreamCallback EditWordBreakProc EditWordBreakProcEx EmbeddedUIHandler EnableCallback EnhMetaFileProc EnumCalendarInfoProc EnumCalendarInfoProcEx EnumCalendarInfoProcExEx EnumChildProc EnumCodePagesProc EnumDateFormatsProc EnumDateFormatsProcEx EnumDateFormatsProcExEx EnumDesktopProc EnumDirTreeProc EnumerateGetNextService EnumerateLoadedModulesProc64 EnumFontFamExProc EnumFontFamProc EnumFontsProc EnumGeoInfoProc EnumICMProfilesProcCallback EnumInputContext EnumLanguageGroupLocalesProc EnumLanguageGroupsProc EnumLocalesProc EnumLocalesProcEx EnumMetaFileProc EnumObjectsProc EnumPageFilesProc EnumRegisterWordProc EnumResLangProc EnumResNameProc EnumResTypeProc EnumThreadWndProc EnumTimeFormatsProc EnumTimeFormatsProcEx EnumUILanguagesProc EnumWindowsProc EnumWindowStationProc EventCallback EventClassCallback EventRecordCallback Event_Handler_Function_Name EVT_SUBSCRIBE_CALLBACK ExportCallback FaxLineCallback FaxRouteAddFile FaxRouteDeleteFile FaxRouteEnumFile FaxRouteEnumFiles FaxRouteGetFile FaxRouteModifyRoutingData FaxRoutingInstallationCallback FaxSendCallback FAX_RECIPIENT_CALLBACK FExecuteInAppDomainCallback FiberProc FileIOCompletionRoutine FILE_RESTORE_CALLBACK FindDebugInfoFileProc FindExecutableImageProc FLockClrVersionCallback FlsCallback FNCCERTDISPLAYPROC FNCFILTERPROC FNCMFILTERPROC FNCMHOOKPROC FNDAENUMCALLBACK FNDPAENUMCALLBACK FNDSAENUMCALLBACK FNPEER_FREE_SECURITY_DATA
FNPEER_SECURE_RECORD FNPEER_VALIDATE_RECORD FN_AUTHENTICATION_CALLBACK FN_AUTHENTICATION_CALLBACK_EX FN_BLUETOOTH_ENUM_ATTRIBUTES_CALLBACK FN_CDF_PARSE_ERROR_CALLBACK FN_CERT_CHAIN_FIND_BY_ISSUER_CALLBACK FN_CERT_DLL_OPEN_STORE_PROV_FUNC FN_CERT_ENUM_PHYSICAL_STORE FN_CERT_ENUM_SYSTEM_STORE FN_CERT_STORE_PROV_CLOSE FN_CERT_STORE_PROV_DELETE_CERT FN_CERT_STORE_PROV_DELETE_CRL FN_CERT_STORE_PROV_READ_CERT FN_CERT_STORE_PROV_READ_CRL FN_CERT_STORE_PROV_SET_CERT_PROPERTY FN_CERT_STORE_PROV_SET_CRL_PROPERTY FN_CERT_STORE_PROV_SET_CTL_PROPERTY FN_CERT_STORE_PROV_WRITE_CERT FN_CERT_STORE_PROV_WRITE_CRL FN_CERT_STORE_PROV_WRITE_CTL FN_CRYPT_XML_CREATE_TRANSFORM FN_CRYPT_XML_DATA_PROVIDER_CLOSE FN_CRYPT_XML_DATA_PROVIDER_READ FN_CRYPT_XML_ENUM_ALG_INFO FN_CRYPT_XML_WRITE_CALLBACK FN_DEVICE_CALLBACK FN_WdsCliCallback FN_WdsCliTraceFunction FN_WdsTransportClientReceiveContents FN_WdsTransportClientReceiveMetadata FN_WdsTransportClientSessionComplete FN_WdsTransportClientSessionStart FN_WdsTransportClientSessionStartEx ForegroundIdleProc FreeMemory FRHookProc FuncReturnhWnd FunctionTableAccessProc64 FuncVerifyImage GenerateGroupPolicy GetApplicationRecoveryCallback GetEventMessage GetFirstOrderedService GetGlobalInfo GetInterfaceInfo GetMfeStatus GetModuleBaseProc64 GetMsgProc GetNeighbors GetNextOrderedService GetRequest GetResponse GetServiceCount GetSize GetTSAudioEndpointEnumeratorForSession gluNurbsCallback gluQuadricCallback gluTessCallback GopherAttributeEnumerator HandlerEx HandlerRoutine PhoneCallbackFunc Phone_Event HyphenateProc ICMProgressProcCallback ImportCallback InitHelperDll InitializeChangeNotify InitializeEmbeddedUI InitOnceCallback InsertAt InstalluiHandler InstalluiHandlerRecord INSTALLUI_HANDLER InterfaceStatus InternetSetStatusCallback InternetStatusCallback INTERNET_STATUS_CALLBACK IoCompletionCallback IOProc IsService JournalPlaybackProc JournalRecordProc KeyboardProc lineCallbackFunc LineDDAProc Line_Event LOG_FULL_HANDLER_CALLBACK
LOG_TAIL_ADVANCE_CALLBACK LOG_UNPINNED_CALLBACK LowLevelKeyboardProc LowLevelMouseProc LPCQADDFORMSPROC LPCQADDPAGESPROC LPCQPAGEPROC LPDISPLAYVAL LPDSENUMATTRIBUTES LPEVALCOMCALLBACK LPFNDFMCALLBACK LPFNVIEWCALLBACK MagGetImageScalingCallback MagImageScalingCallback MagSetImageScalingCallback MappingCallbackProc MaxMediaLabel MessageProc MFAddPeriodicCallback MFInvokeCallback MFPERIODICCALLBACK MFRemovePeriodicCallback MgmCreationAlertCallback MgmDisableIgmpCallback MgmJoinAlertCallback MgmLocalJoinCallback MgmLocalLeaveCallback MgmPruneAlertCallback MgmRpfCallback MgmWrongIfCallback MGM_ENABLE_IGMP_CALLBACK MibCreate MibDelete MIBEntryCreate MIBEntryDelete MIBEntryGet MIBEntryGetFirst MIBEntryGetNext MIBEntrySet MibGet MibGetFirst MibGetNext MibGetTrapInfo MibSet MibSetTrapInfo MidiInProc MidiOutProc MiniDumpCallback MMCFreeNotifyHandle MMCPropertyChangeNotify MMCPropertyHelp MMCPropPageCallback MMIOProc MonitorEnumProc MouseProc MRUCMPPROC MyStatusProc OFNHookProc OFNHookProcOldStyle OpenPerformanceData ORASADFunc OutOfProcessExceptionEventCallback OutOfProcessExceptionEventDebuggerLaunchCallback OutOfProcessExceptionEventSignatureCallback OutputProc PIO_APC_ROUTINE QueryPower RadiusExtensionFreeAttributes RadiusExtensionInit RadiusExtensionProcess RadiusExtensionProcess2 RadiusExtensionProcessEx RadiusExtensionTerm RASADFunc RasAdminAcceptNewConnection RasAdminConnectionHangupNotification RasAdminGetIpAddressForUser RasAdminReleaseIpAddress RasCustomDeleteEntryNotify RasCustomDial RasCustomDialDlg RasCustomEntryDlg RasCustomHangUp RasCustomScriptExecute RasDialFunc RasDialFunc1 RasDialFunc2 RasEapBegin RasEapEnd RasEapFreeMemory RasEapGetIdentity RasEapGetInfo RasEapInitialize RasEapInvokeConfigUI RasEapInvokeInteractiveUI RasEapMakeMessage RasFreeBuffer RasGetBuffer RasPBDlgFunc RasReceiveBuffer RasRetrieveBuffer RasSecurityDialogBegin RasSecurityDialogEnd RasSendBuffer RasSetCommSettings ReaderScroll ReadProcessMemoryProc64 RegisterApplicationRecoveryCallback
RegisterCallback RegisterProtocol RegisterWaitChainCOMCallback RemoveAt RemoveSecureMemoryCacheCallback RemoveTraceCallback PrintHookProc RM_WRITE_STATUS_CALLBACK ProcessGroupPolicy ProcessGroupPolicyEx ProgressNotificationCallback PropEnumProc PropEnumProcEx PropSheetPageProc PropSheetProc RpcAuthKeyRetrievalFn RpcMgmtAuthorizationFn RpcnotificationRoutine RpcObjectInqFn RPC_IF_CALLBACK_FN RtlInstallFunctionTableCallback RTM_ENTITY_EXPORT_METHOD RTM_EVENT_CALLBACK SampleCommand SampleCommit SampleConnect SampleDump SampleOsVersionCheck SampleStartHelper SampleStop SampleStopHelper SceSvcAttachmentAnalyze SceSvcAttachmentConfig SceSvcAttachmentUpdate SecureMemoryCacheCallback SendAsyncProc SendMessageCallback ServiceMain SetAt SetGlobalInfo SetInterfaceInfo SetInterfaceReceiveType SetLineRecoCallback SetPower SetProviderStatusFunc SetProviderStatusInfoFreeFunc SetResponseType SetTraceCallback SetupDefaultQueueCallback SetupHookProc SetupInitDefaultQueueCallback SetupTermDefaultQueueCallback ShellProc ShutdownEmbeddedUI SimpleCallback SNMPAPI_CALLBACK SnmpExtensionClose SnmpExtensionInit SnmpExtensionInitEx SnmpExtensionMonitor SnmpExtensionQuery SnmpExtensionQueryEx SnmpExtensionTrap SoundSentryProc SP_FILE_CALLBACK StackSnapshotCallback StartComplete StartProtocol StatusCallback StatusMessageCallback StatusRoutine StopProtocol SymEnumerateModulesProc64 SymEnumerateSymbolsProc64 SymEnumLinesProc SymEnumProcessesProc SymEnumSourceFilesProc SymEnumSourceFileTokensProc SymEnumSymbolsProc SymFindFileInPathProc SymRegisterCallback SymRegisterCallbackProc64 SymRegisterFunctionEntryCallback SymRegisterFunctionEntryCallbackProc64 SyncUpdateProc SysMsgProc TaskDialogCallbackProc ThreadProc TimeProc TimeProvClose TimeProvCommand TimeProvOpen TimerAPCProc TimerCallback TimerProc TranslateAddressProc64 TranslateDispatch TrySubmitThreadpoolCallback UiaEventCallback UiaProviderCallback UiaRegisterProviderCallback UmsSchedulerProc UnbindInterface UndeleteFile
UnregisterApplicationRecoveryCallback ValidateRoute VectoredHandler VERIFYSERVERCERT WaitCallback WaitChainCallback WaitOrTimerCallback waveInProc waveOutProc WdsTransportClientRegisterCallback WdsTransportProviderCloseContent WdsTransportProviderCloseInstance WdsTransportProviderCompareContent WdsTransportProviderCreateInstance WdsTransportProviderDumpState WdsTransportProviderGetContentMetadata WdsTransportProviderGetContentSize WdsTransportProviderInitialize WdsTransportProviderOpenContent WdsTransportProviderReadContent WdsTransportProviderRefreshSettings WdsTransportProviderShutdown WdsTransportProviderUserAccessCheck WdsTransportServerRegisterCallback WinBioCaptureSampleWithCallback WinBioEnrollCaptureWithCallback WinBioIdentifyWithCallback WinBioLocateSensorWithCallback WinBioVerifyWithCallback WindowProc WinEventProc WinHttpSetStatusCallback WINHTTP_STATUS_CALLBACK WLAN_NOTIFICATION_CALLBACK WorkCallback WPUQueryBlockingCallback PxeProviderInitialize PxeProviderRecvRequest PxeProviderServiceControl PxeProviderShutdown PxeRegisterCallback
```
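As an added defender-side illustration (not code from the original post), here is the check an AV/EDR can apply once it records registrations of the callbacks listed above: a callback target that no loaded module backs is exactly what a loader relies on when it lets one of these APIs hand control to shellcode. The module ranges, the event record format and every address below are constructed sample data, not real telemetry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed view of a process: the image range of each loaded module. */
typedef struct { const char *name; uintptr_t base; size_t size; } ModuleRange;
/* One callback registration as a hook on the registering API might record it
   (hypothetical record format; the field names are assumptions). */
typedef struct { const char *api; const char *callback_type; uintptr_t target; } CallbackEvent;

/* Returns the module whose image contains addr, or NULL if no loaded image backs it. */
const ModuleRange *backing_module(uintptr_t addr, const ModuleRange *mods, size_t n_mods) {
    for (size_t i = 0; i < n_mods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return &mods[i];
    return NULL;
}

/* Stores the indices of events whose callback target lies outside every loaded module
   in out (at most out_cap of them) and returns the total number of such events. */
size_t flag_unbacked_callbacks(const CallbackEvent *ev, size_t n_ev, const ModuleRange *mods,
                               size_t n_mods, size_t *out, size_t out_cap) {
    size_t flagged = 0;
    for (size_t i = 0; i < n_ev; i++) {
        if (backing_module(ev[i].target, mods, n_mods) != NULL) continue;
        if (flagged < out_cap) out[flagged] = i;
        flagged++;
    }
    return flagged;
}

/* Constructed sample data: two modules and three registrations; every address is made up. */
const ModuleRange SAMPLE_MODULES[] = {
    { "sample.exe", 0x00400000u, 0x00020000u },
    { "user32.dll", 0x7ff80000u, 0x00100000u },
};
const CallbackEvent SAMPLE_EVENTS[] = {
    { "RegisterClassW",        "WindowProc",          0x00401230u }, /* inside sample.exe */
    { "EnumWindows",           "EnumWindowsProc",     0x01a3f000u }, /* private memory: flagged */
    { "CreateTimerQueueTimer", "WaitOrTimerCallback", 0x7ff81000u }, /* inside user32.dll */
};
#define SAMPLE_N_MODULES (sizeof SAMPLE_MODULES / sizeof SAMPLE_MODULES[0])
#define SAMPLE_N_EVENTS  (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])
int main(void) {
    size_t idx[SAMPLE_N_EVENTS];
    size_t n = flag_unbacked_callbacks(SAMPLE_EVENTS, SAMPLE_N_EVENTS, SAMPLE_MODULES,
                                       SAMPLE_N_MODULES, idx, SAMPLE_N_EVENTS);
    for (size_t i = 0; i < n; i++)   /* reports only the EnumWindows registration */
        printf("suspicious: %s -> %s at %#lx has no backing module\n", SAMPLE_EVENTS[idx[i]].api,
               SAMPLE_EVENTS[idx[i]].callback_type, (unsigned long)SAMPLE_EVENTS[idx[i]].target);
    return 0;
}
```

A real sensor would take the module table from the loader's module list and the target from the hooked registration call; the range test itself stays the same.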