InlineWhispers2
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
Based on https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump work
Note
This project is not a fork, the first version of InlineWhispers is based on SysWhispers, this version is for the second version of SysWhispers, to understand what it changes, take a look at it:
https://github.com/jthuraisamy/SysWhispers2#difference-between-syswhispers-1-and-2
How do I set this up?
git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.pyHow to use syscalls in your Cobalt-Strike BOF?
Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls
Now you can use all syscalls that you need:
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include "beacon.h"
#include "syscalls.c"
int go(char* args, int length) {
datap parser;
BeaconDataParse(&parser, args, length);
int pid = BeaconDataInt(&parser);
BeaconPrintf(CALLBACK_OUTPUT, " - Opening process: %d.", pid);
HANDLE hProcess = NULL;
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
CLIENT_ID uPid = { 0 };
uPid.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
uPid.UniqueThread = (HANDLE)0;
NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
if (hProcess == NULL || status != 0) {
BeaconPrintf(CALLBACK_OUTPUT, " [ERROR] Failed to get processhandle, status: 0x%lx", status);
return 0;
}
BeaconPrintf(CALLBACK_OUTPUT, " - Handle: %x", hProcess);
NtClose(hProcess);
return 0;
}Limitations
Actually, you can't use NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel, NtCreateSectionEx syscalls
Known issues
[21/07/2022] The version of Syswhispers2 in this repository is not the lastest one, it will be updated later.
Blog Posts/GitHubs who used or quoted InlineWhispers2 (thanks to the authors)
- https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-back-to-reality/
- https://github.com/Cerbersec/KillDefenderBOF
- https://github.com/Cerbersec/notes
- https://github.com/Simpsonpt/AppSecEzine/blob/master/Ezines/405%20-%20AppSec%20Ezine
- https://github.com/pe3zx/my-infosec-awesome/blob/master/Offensive.md
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/BOFs/BOFs
- https://github.com/N7WEra/BofAllTheThings
Credits
- @jthuraisamy for Syswhispers2
- @outflanknl for the first version of InlineWhispers
- @helpsystems for the nanodump exemple
- @boku7 for his awesome work and his kindness
- @HackingDave because he's the owner of a great DeLorean vroom vroom
- The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
- All infosec enthusiasts who share their knowledge without looking down on other enthusiasts