Acheron is a library, inspired by SysWhispers3, FreshyCalls and RecycledGate, that adds indirect system call capabilities to Go programs. It is intended to bypass AV/EDR products that rely on user-mode hooks and instrumentation callbacks, i.e. detections that flag a syscall instruction whose return address does not lie inside ntdll.dll.
Feature characteristics
1. No external dependencies;
2. Written in pure Go and Go assembly;
3. Custom string-encryption and hash functions can be plugged in to hinder static analysis of the binary;
Tool operation mechanism
When a new system call proxy instance is created, the library performs the following steps:
1. Walk the PEB and obtain the base address of ntdll.dll in memory;
2. Parse its export directory and retrieve the address of every exported function;
3. Compute the system service number (SSN) of each Zw* function;
4. Enumerate clean syscall; ret gadgets inside ntdll.dll to use as trampolines;
5. Create a proxy instance through which indirect (or direct) system calls are issued.
Tool download
Since the library is written in Go, a Go toolchain must be installed and configured first.
Then clone the repository:
git clone https://github.com/f1zm0/acheron.git
or fetch the package with go get:
go get -u github.com/f1zm0/acheron
Tool usage
Once the package is available, call acheron.New() to create a syscall proxy instance, then use its Syscall() method to issue indirect system calls to Nt* APIs, which are addressed by the hash of their name rather than by a plaintext string.
Simplified example:
```go
package main

import (
	"fmt"
	"unsafe"

	"github.com/f1zm0/acheron"
	"golang.org/x/sys/windows" // MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE
)

func main() {
	var (
		baseAddr   uintptr                          // receives the allocation base
		regionSize uintptr = 0x1000                  // RegionSize is passed by pointer, not by value
		hSelf              = uintptr(0xffffffffffffffff) // NtCurrentProcess() pseudo-handle
	)

	// Creates the Acheron instance: walks the PEB to locate ntdll.dll, resolves SSNs,
	// collects clean syscall;ret trampolines in ntdll.dll, etc.
	ach, err := acheron.New()
	if err != nil {
		panic(err)
	}

	// The target function is identified by the hash of its name.
	s1 := ach.HashString("NtAllocateVirtualMemory")

	// Indirect syscall for NtAllocateVirtualMemory.
	retcode, err := ach.Syscall(
		s1,                                     // function name hash
		hSelf,                                  // arg1: _In_ HANDLE ProcessHandle
		uintptr(unsafe.Pointer(&baseAddr)),     // arg2: _Inout_ PVOID *BaseAddress
		0,                                      // arg3: _In_ ULONG_PTR ZeroBits
		uintptr(unsafe.Pointer(&regionSize)),   // arg4: _Inout_ PSIZE_T RegionSize
		windows.MEM_COMMIT|windows.MEM_RESERVE, // arg5: _In_ ULONG AllocationType
		windows.PAGE_EXECUTE_READWRITE,         // arg6: _In_ ULONG Protect
	)
	if err != nil {
		panic(err)
	}
	fmt.Printf("allocated memory with NtAllocateVirtualMemory (status: 0x%x)\n", retcode)
	// ...
}
```
Tool usage example
The project ships the following examples:
- Process injection PoC supporting direct and indirect system calls
- Obtaining a process snapshot through indirect system calls
- Sample usage of custom encryption/hashing functions
License Agreement
The project is developed and released under the MIT open source license.
Project address
Acheron: https://github.com/f1zm0/acheron
Reference materials
https://github.com/klezVirus/SysWhispers3
https://github.com/crummie5/FreshyCalls
https://github.com/thefLink/RecycledGate
https://winternl.com/detecting-manual-syscalls-from-user-mode/
https://www.usenix.org/legacy/events/vee06/full_papers/p154-bhansali.pdf
https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low
