
Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".


(In)direct Syscalls: A journey from high to low

RedOps | Red Team Village | DEF CON 31

Getting Started

All the theory and playbooks for the exercises are in the wiki, which, together with the prepared POCs, is the heart of this project. The POCs for the exercises can be found here on the main page.

Happy Learning!

Daniel Feichter

Disclaimer

First of all, many thanks to my girlfriend, who has supported me in everything I do for over 10 years now! Without her support and backing none of my projects in the last 10 years would have been possible.

Thanks also to my good friend Andreas Clementi of AV-Comparatives, who has been supporting me since we first met. Also thanks to my friend Jonas Kemmner (who is an excellent Red Teamer) for supporting me and reading all my blog posts in advance. I am very grateful to have crossed paths with all these amazing people.

The content and all code examples in this repository are for educational and research purposes only and should only be used in an ethical context! The code examples are not new and I do not claim them to be. Most of the code, or its basis, comes, as so often, from ired.team; thank you @spotheplanet for your brilliant work and for sharing it with us all. Also many thanks to @mrexodia for your awesome tool x64dbg.

Furthermore, and very importantly, this workshop is not a silver bullet in the context of EDR evasion, but it should help you understand the basics of Win32 APIs, native APIs, direct syscalls and indirect syscalls, and a bit about call stacks in the context of shellcode execution and EDR evasion, no more and no less. The aim of this workshop is not to show the most stealthy options or the most complex POCs for direct and indirect syscalls; instead I will focus on teaching the basics. This means using as few tools as possible and doing as much work manually as possible.

I would like to thank all those members of the infosec community who have researched, shaped and continue to research the topic of syscalls, direct syscalls, indirect syscalls, etc.

Creds and References

Twitter handle, contribution and research:

@Cneelis
    https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
    https://github.com/outflanknl/Dumpert
@spotheplanet
    His whole awesome blog and research
    https://www.ired.team/
@NinjaParanoid
    For his blogs, research, courses and always answering my questions.
    https://0xdarkvortex.dev/hiding-in-plainsight/
    https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
@ShitSecure
    For his research, his blog https://s3cur3th1ssh1t.github.io/ and for the great discussion about EDRs, syscalls, etc.
@AliceCliment
    For her blog, research and the discussions about EDRs, syscalls, etc.
    https://alice.climent-pommeret.red/posts/how-and-why-to-unhook-the-import-address-table/
    https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
    https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/
@0xBoku
    For his overall research and contributions to infosec, helping new community members, and the continued advancement of infosec
    https://0xboku.com/
    https://github.com/boku7/AsmHalosGate
    https://github.com/boku7/HellsGatePPID
    https://github.com/boku7/halosgate-ps
@Jackson_T
    For his research and tools SysWhispers and SysWhispers2
    https://github.com/jthuraisamy/SysWhispers
    https://github.com/jthuraisamy/SysWhispers2
@KlezVirus
    For his blog, research, great discussions about EDRs, syscalls, etc. and SysWhispers3
    https://github.com/klezVirus/SysWhispers3
    https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
    https://github.com/klezVirus/SilentMoonwalk
@j00ru
    https://j00ru.vexillium.org/syscalls/nt/64/
@modexpblog
    https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
@netero_1010
    https://www.netero1010-securitylab.com/evasion/indirect-syscall-in-csharp
@CaptMeelo
    https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html
Paul Laîné @am0nsec and smelly__vx @RtlMateusz
    https://github.com/am0nsec/HellsGate/tree/master
@mrd0x
    https://github.com/Maldev-Academy/HellHall
@SEKTOR7net
    https://blog.sektor7.net/#!res/2021/halosgate.md
@D1rkMtr
    https://github.com/TheD1rkMtr/D1rkLdr
@trickster012
    https://github.com/trickster0/TartarusGate
@thefLinkk
    https://github.com/thefLink/RecycledGate
@ElephantSe4l and MarioBartolome
    https://github.com/crummie5/FreshyCalls

Further resources

More Repositories

1. Payload-Download-Cradles (PowerShell, 257 stars)
   These are different types of download cradles, meant as inspiration to play with and create new download cradles to bypass AV/EPP/EDR in the context of download cradle detections.

2. Create-Thread-Shellcode-Fetcher (C++, 247 stars)
   This POC lets you compile a .exe that completely avoids static detection of your C2 shellcode by AV/EPP/EDR, and downloads and executes the C2 shellcode hosted on your (C2) web server.

3. Direct-Syscalls-vs-Indirect-Syscalls (C, 156 stars)
   Two code samples that can be used to understand the difference between direct syscalls and indirect syscalls.

4. Direct-Syscalls-A-journey-from-high-to-low (C, 127 stars)
   Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

5. Taskschedule-Persistence-Download-Cradles (HTML, 86 stars)
   Depending on the AV/EPP/EDR, creating a Task Scheduler job with a default cradle is often flagged.

6. DSC_SVC_REMOTE (C, 50 stars)
   This code example allows you to create a malware.exe sample that can run in the context of a system service and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.

7. AV-EPP-EDR-Windows-API-Hooking-List (30 stars)
   Depending on the AV/EDR, we check which Windows APIs are hooked by the AV/EDR.

8. Create_Thread_Inline_Assembly_x86 (C++, 17 stars)
   This POC provides the possibility to execute x86 shellcode in the form of a .bin file based on x86 inline assembly.

9. C2-Traffic-Redirection (13 stars)
   Different possibilities to redirect the C2 traffic through a redirector instance to your C2 server.

10. Shell-we-Assembly (C++, 12 stars)
    Shellcode execution via x86 inline assembly based on MSVC syntax.

11. Conference-Slides (6 stars)

12. Create_Thread-Inline_Assembly_x86_Fibers (C++, 6 stars)
    This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly, with execution via fibers.

13. Mailfilter-and-Firewall-Check (Python, 5 stars)
    Different attachment file types to check which attachment types can be downloaded from your Windows environment.

14. ObfLoader (C++, 2 stars)
    MAC, IPv4 and UUID shellcode loaders and obfuscators that obfuscate the shellcode, then use some native APIs to convert it back to its binary format and load it.

15. PRE-Pentest (PowerShell, 2 stars)
    Possibilities to gather information before preparing your malware.

16. Messagebox-Test (PowerShell, 1 star)

17. Conferences-Slides (1 star)
    Slides from conferences where I have spoken.

18. ProcessInjection (C++, 1 star)
    Code for an upcoming course regarding Process Injection techniques.