Language: Assembly. License: GNU General Publi... Created about 3 years ago, updated over 2 years ago.

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Based on the work in https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump

Note

This project is not a fork. The first version of InlineWhispers was built on SysWhispers; this version targets SysWhispers2. To understand what changed between the two, see:

https://github.com/jthuraisamy/SysWhispers2#difference-between-syswhispers-1-and-2

How do I set this up?

git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py
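The second command makes SysWhispers2 emit its C header/source plus an x64 MASM stub file; the third converts those MASM stubs into a form a MinGW-compiled BOF can carry. To make that conversion step concrete, the converter below is an added illustration written for this page: it is not InlineWhispers2.py, and the exact layout of the files InlineWhispers2 generates is not shown here. The sample stub mirrors the x64 layout SysWhispers2 generates and keeps its real resolver name, SW2_GetSyscallNumber (defined in the generated syscalls.c); the hash constant is made up. The emitted snippet assumes the BOF is compiled with GCC's -masm=intel, so no .intel_syntax directive is written.

```python
"""Convert SysWhispers2-style x64 MASM syscall stubs into file-scope GCC/MinGW
inline assembly. Illustrative converter written for this page, not
InlineWhispers2.py; the output layout is our own choice."""
from __future__ import annotations

import re

# Constructed input: one stub in the x64 layout SysWhispers2 emits. The hash
# constant is made up; SW2_GetSyscallNumber is the resolver SysWhispers2's
# generated syscalls.c exports and is passed through unchanged.
SAMPLE_ASM = """\
.code

EXTERN SW2_GetSyscallNumber: PROC

NtOpenProcess PROC
    mov [rsp +8], rcx          ; Save registers.
    mov [rsp+16], rdx
    mov [rsp+24], r8
    mov [rsp+32], r9
    sub rsp, 28h
    mov ecx, 0C6F5D7E7h        ; Load function hash into ECX.
    call SW2_GetSyscallNumber  ; Resolve function hash into syscall number.
    add rsp, 28h
    mov rcx, [rsp +8]          ; Restore registers.
    mov rdx, [rsp+16]
    mov r8, [rsp+24]
    mov r9, [rsp+32]
    mov r10, rcx
    syscall                    ; Invoke system call.
    ret
NtOpenProcess ENDP

end
"""

PROC_RE = re.compile(r"^(\w+) PROC$")
ENDP_RE = re.compile(r"^(\w+) ENDP$")
# MASM hex literals start with a digit and end in 'h' (28h, 0C6F5D7E7h);
# requiring the leading digit keeps register names such as 'ah' from matching.
MASM_HEX_RE = re.compile(r"\b(\d[0-9A-Fa-f]*)h\b")


def masm_to_gas(line: str) -> str:
    """Rewrite one MASM instruction into GAS Intel-syntax form: comment dropped,
    hex rewritten as 0x..., spacing normalised. Returns "" for comment-only lines."""
    code = line.split(";", 1)[0].strip()
    if not code:
        return ""
    code = MASM_HEX_RE.sub(lambda m: "0x%X" % int(m.group(1), 16), code)
    code = re.sub(r"\s+", " ", code)  # collapse runs of blanks
    code = re.sub(r"\[\s*(\w+)\s*\+\s*(\w+)\s*\]", r"[\1+\2]", code)  # [rsp +8] -> [rsp+8]
    return code


def render_stub(name: str, body: list[str]) -> str:
    """Emit one stub as a file-scope __asm__ block of adjacent C string literals.
    Assumes compilation with -masm=intel: no syntax switch is emitted, because
    switching syntax mid-file would break the compiler-generated code around it."""
    lines = [".text", f".globl {name}", f"{name}:"] + [f"    {ins}" for ins in body]
    literal = "\n".join(f'"{ln}\\n"' for ln in lines)
    return f"__asm__(\n{literal}\n);\n"


def convert(masm_text: str) -> dict[str, str]:
    """Return {function name: inline-asm snippet} for every PROC/ENDP block.
    Directives outside a block (.code, EXTERN, end) are dropped: the C side
    declares SW2_GetSyscallNumber and the linker resolves the call."""
    stubs: dict[str, str] = {}
    name, body = None, []
    for raw in masm_text.splitlines():
        stripped = re.sub(r"\s+", " ", raw.split(";", 1)[0].strip())
        if (m := PROC_RE.match(stripped)):
            if name is not None:
                raise ValueError(f"PROC {name} not closed before {m.group(1)}")
            name, body = m.group(1), []
        elif (m := ENDP_RE.match(stripped)):
            if m.group(1) != name:
                raise ValueError(f"ENDP {m.group(1)} does not close PROC {name}")
            stubs[name] = render_stub(name, body)
            name = None
        elif name is not None:
            if ins := masm_to_gas(stripped):
                body.append(ins)
    if name is not None:
        raise ValueError(f"PROC {name} never closed")
    return stubs


if __name__ == "__main__":
    for snippet in convert(SAMPLE_ASM).values():
        print(snippet)
```

The point of the exercise is visible in the output: the stub still calls SW2_GetSyscallNumber at run time to turn the hash into a syscall number, so nothing in the object file is tied to one Windows build, and the syscall instruction itself executes from the BOF's own code rather than from ntdll. Hash values and the resolver belong to the generated syscalls.c; the converter only has to preserve them and translate the assembler dialect.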

How do I use syscalls in my Cobalt Strike BOF?

Copy syscalls.c, syscalls.h and syscalls-asm.h into your project and #include "syscalls.c" to start using syscalls.

You can now call any of the generated syscalls, as in this process-handle example:

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#include "beacon.h"

/* Pulls in the SysWhispers2 resolver and the inline-asm syscall stubs. */
#include "syscalls.c"

int go(char* args, int length) {
	datap  parser;
	BeaconDataParse(&parser, args, length);

	/* The operator passes the target PID packed as an int. */
	int pid = BeaconDataInt(&parser);

	BeaconPrintf(CALLBACK_OUTPUT, "	- Opening process: %d.", pid);

	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

	/* NtOpenProcess takes a CLIENT_ID rather than a bare PID. */
	CLIENT_ID ClientId = { 0 };
	ClientId.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
	ClientId.UniqueThread = (HANDLE)0;

	/* Direct syscall: the stub resolves the syscall number and executes the
	   syscall instruction itself, so user-mode hooks on the ntdll export are
	   not traversed. PROCESS_ALL_ACCESS is more than a handle lookup needs;
	   request only the rights your BOF actually uses. */
	NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
	if (hProcess == NULL || status != 0) {	/* STATUS_SUCCESS is 0 */
		BeaconPrintf(CALLBACK_ERROR, "	[ERROR] Failed to get process handle, status: 0x%lx", status);
		return 0;
	}
	/* A HANDLE is pointer-sized, so print it with %p rather than %x. */
	BeaconPrintf(CALLBACK_OUTPUT, "	- Handle: %p", hProcess);

	NtClose(hProcess);

	return 0;
}

Limitations

Currently, the NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel and NtCreateSectionEx syscalls cannot be used.

Known issues

[21/07/2022] The version of SysWhispers2 in this repository is not the latest one; it will be updated later.

Blog posts and GitHub projects that used or cited InlineWhispers2 (thanks to the authors)

Credits

  • @jthuraisamy for SysWhispers2
  • @outflanknl for the first version of InlineWhispers
  • @helpsystems for the nanodump example
  • @boku7 for his awesome work and his kindness
  • @HackingDave because he's the owner of a great DeLorean vroom vroom
  • The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
  • All infosec enthusiasts who share their knowledge without looking down on other enthusiasts
