Stars: 127 · Rank 282,790 (Top 6 %) · Language: C · Created over 1 year ago · Updated over 1 year ago


Repository Details

Direct-Syscalls-A-journey-from-high-to-low

Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).

The technique of direct system calls is no longer a new attack technique for Red Teamers today (April 2023). I myself have covered this topic several times (DeepSec Vienna 2020) and there are already a large number of well-written articles and useful code repositories on the Internet. Nevertheless, I would like to revisit the topic and look at various aspects related to direct system calls.

More details are in my related blog post: https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low

Disclaimer

The content and all code examples in this article are for research purposes only and must not be used in an unethical context! The code used is not new and I make no claim to it. Most of the code comes, as so often, from ired.team, thank you @spotheplanet for your brilliant work and sharing it with us all! For the syscall POCs, Syswhispers2 was used, also thanks to @Jackson_T for providing this very helpful code.


More Repositories

1. DEFCON-31-Syscalls-Workshop (C, 613 stars): Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
2. Payload-Download-Cradles (PowerShell, 257 stars): These are different types of download cradles which should be an inspiration to play with and create new download cradles to bypass AV/EPP/EDR in the context of download cradle detections.
3. Create-Thread-Shellcode-Fetcher (C++, 247 stars): This POC gives you the possibility to compile a .exe that completely avoids static detection by AV/EPP/EDR of your C2 shellcode, and downloads and executes your C2 shellcode hosted on your (C2) web server.
4. Direct-Syscalls-vs-Indirect-Syscalls (C, 156 stars): The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls.
5. Taskschedule-Persistence-Download-Cradles (HTML, 86 stars): Depending on the AV/EPP/EDR, creating a Task Scheduler job with a default cradle is often flagged.
6. DSC_SVC_REMOTE (C, 50 stars): This code example allows you to create a malware.exe sample that can be run in the context of a system service, and could be used for local privilege escalation in the context of an unquoted service path, etc. The payload itself can be remotely hosted, downloaded via the wininet library and then executed via direct system calls.
7. AV-EPP-EDR-Windows-API-Hooking-List (30 stars): Depending on the AV/EDR, we will check which Windows APIs are hooked by the AV/EDR.
8. Create_Thread_Inline_Assembly_x86 (C++, 17 stars): This POC provides the possibility to execute x86 shellcode in the form of a .bin file based on x86 inline assembly.
9. C2-Traffic-Redirection (13 stars): Different possibilities to redirect the C2 traffic with a redirector instance to your C2 server.
10. Shell-we-Assembly (C++, 12 stars): Shellcode execution via x86 inline assembly based on MSVC syntax.
11. Conference-Slides (6 stars)
12. Create_Thread-Inline_Assembly_x86_Fibers (C++, 6 stars): This POC provides the ability to execute x86 shellcode in the form of a .bin file based on x86 inline assembly and execution over fibers.
13. Mailfilter-and-Firewall-Check (Python, 5 stars): Different attachment file types to check which attachment types can be downloaded from your Windows environment.
14. ObfLoader (C++, 2 stars): MAC, IPv4 and UUID shellcode loaders and obfuscators that obfuscate the shellcode and use some native APIs to convert it back to its binary format and load it.
15. PRE-Pentest (PowerShell, 2 stars): Possibilities to gather information before preparing your malware.
16. Messagebox-Test (PowerShell, 1 star)
17. Conferences-Slides (1 star): Slides from conferences where I have spoken.
18. ProcessInjection (C++, 1 star): Code for an upcoming course regarding process injection techniques.