SysWhispers on Steroids - AV/EDR evasion via direct system calls.

🚩 This is the public repository of SysWhispers3. For the latest version and updates, please consider supporting us through https://porchetta.industries/

SysWhispers3

SysWhispers helps with evasion by generating header/ASM files that implants can use to make direct system calls.

🚩 Sponsors

If you want to sponsor this project and receive the latest updates on SysWhispers3 (latest fixes and latest features), please support us on https://porchetta.industries/

Official Discord Channel

Come hang out on Discord!

Porchetta Industries

Why on earth didn't I create a PR to SysWhispers2?

The reasons for SysWhispers3 being a standalone version are many, but the most important are:

  • SysWhispers3 is the de-facto "fork" used by Inceptor, and implements some utility classes which are not relevant to the original version of the tool.
  • SysWhispers2 is moving towards supporting NASM compilation (for gcc/mingw), while this version is specifically designed and tested to support MSVC (because Inceptor will stay a Windows-only framework for the near future).
  • SysWhispers3 contains partially implemented features (such as egg-hunting) which it would not be sensible to include in the original version of the tool.

Differences with SysWhispers2

The usage is pretty similar to SysWhispers2, with the following exceptions:

  • It also supports x86/WoW64
  • It supports syscalls instruction replacement with an EGG (to be dynamically replaced)
  • It supports direct jumps to syscalls in x86/x64 mode (in WOW64 it's almost standard)
  • It supports direct jumps to random syscalls (borrowing @ElephantSeal's idea)

These features are explained in more detail in the blog post SysWhispers is dead, long live SysWhispers!

Introduction

Security products, such as AVs and EDRs, usually place hooks in user-mode API functions to analyse a program's execution flow, in order to detect potentially malicious activities.

SysWhispers2 is a tool designed to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe), which can then be integrated and called directly from C/C++ code, evading user-land hooks.

The tool, however, generates some patterns which can be included in signatures, or behaviour which can be detected at runtime.

SysWhispers3 is built on top of SysWhispers2, and integrates some helpful features to bypass these forms of detection.
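For the embedded method, the static pattern referred to above is the syscall (or int 2eh) instruction sitting in the implant's own image instead of in ntdll. As an added defensive illustration (not SysWhispers3 code), this Python scanner flags that "mark of the syscall" in a byte blob; the sample bytes are constructed, and the scanner assumes the conventional x64 mov r10, rcx prologue in front of the instruction.

```python
"""Static scan for the 'mark of the syscall' (a syscall / int 2eh instruction in a
module's own code). Added example, not part of SysWhispers3; x64 only."""
from __future__ import annotations
import re
from dataclasses import dataclass

MOV_R10_RCX = b"\x4c\x8b\xd1"   # mov r10, rcx  (assumed conventional stub prologue)
SYSCALL = b"\x0f\x05"           # syscall
INT_2E = b"\xcd\x2e"            # int 2eh  (the --int2eh variant)

# Prologue immediately followed by the kernel transition: high confidence.
_STRONG = re.compile(rb"\x4c\x8b\xd1(\x0f\x05|\xcd\x2e)")
# Bare transition instruction anywhere: low confidence (can be a data false positive).
_WEAK = re.compile(rb"\x0f\x05|\xcd\x2e")

@dataclass(frozen=True)
class Hit:
    offset: int       # byte offset where the finding starts
    mnemonic: str     # "syscall" or "int 2eh"
    confidence: str   # "high" or "low"

def scan_syscall_marks(blob: bytes) -> list[Hit]:
    """Return every embedded syscall/int 2eh found in `blob`, sorted by offset."""
    hits: list[Hit] = []
    covered: set[int] = set()  # instruction offsets already reported as high
    for m in _STRONG.finditer(blob):
        covered.add(m.start(1))
        name = "syscall" if m.group(1) == SYSCALL else "int 2eh"
        hits.append(Hit(m.start(), name, "high"))
    for m in _WEAK.finditer(blob):
        if m.start() not in covered:
            name = "syscall" if m.group(0) == SYSCALL else "int 2eh"
            hits.append(Hit(m.start(), name, "low"))
    return sorted(hits, key=lambda h: h.offset)

# Constructed sample image: two embedded stubs, one stray syscall, and a placeholder
# standing in for an egg (the real egg value is tool-specific and not assumed here).
SAMPLE = (
    b"\x48\x83\xec\x28"                  # sub rsp, 28h (filler, offset 0)
    + MOV_R10_RCX + SYSCALL + b"\xc3"    # embedded stub at offset 4
    + b"\x90" * 5
    + MOV_R10_RCX + INT_2E + b"\xc3"     # --int2eh stub at offset 15
    + b"\x90" * 3
    + SYSCALL                            # stray syscall at offset 24, no prologue
    + b"\x90" * 3
    + b"\xde\xad\xbe\xef"                # egg placeholder: nothing to find statically
)

if __name__ == "__main__":
    print(*scan_syscall_marks(SAMPLE), sep="\n")
```

Output generated with the egg_hunter or jumper methods carries no such instruction in the file, which is why this static check only covers the embedded method and runtime detection is needed for the others.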

Installation

C:\> git clone https://github.com/klezVirus/SysWhispers3.git
C:\> cd SysWhispers3
C:\> python .\syswhispers.py --help

Usage and Examples

The help shows all the available commands and features of the tool:

C:\>python syswhispers.py -h

usage: syswhispers.py [-h] [-p PRESET] [-a {x86,x64}] [-m {embedded,egg_hunter,jumper,jumper_randomized}] [-f FUNCTIONS] -o OUT_FILE [--int2eh] [--wow64] [-v] [-d]

SysWhispers3 - SysWhispers on steroids

optional arguments:
  -h, --help            show this help message and exit
  -p PRESET, --preset PRESET
                        Preset ("all", "common")
  -a {x86,x64}, --arch {x86,x64}
                        Architecture
  -c {msvc,mingw,all}, --compiler {msvc,mingw,all}
                        Compiler
  -m {embedded,egg_hunter,jumper,jumper_randomized}, --method {embedded,egg_hunter,jumper,jumper_randomized}
                        Syscall recovery method
  -f FUNCTIONS, --functions FUNCTIONS
                        Comma-separated functions
  -o OUT_FILE, --out-file OUT_FILE
                        Output basename (w/o extension)
  --int2eh              Use the old `int 2eh` instruction in place of `syscall`
  --wow64               Use Wow64 to run x86 on x64 (only usable with x86 architecture)
  -v, --verbose         Enable debug output
  -d, --debug           Enable syscall debug (insert software breakpoint)

Command Lines

Standard SysWhispers, embedded system calls (x64)

# Export all functions with compatibility for all supported Windows versions (see example-output/).
py .\syswhispers.py --preset all -o syscalls_all

# Export just the common functions (see below for list).
py .\syswhispers.py --preset common -o syscalls_common

# Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.
py .\syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem

SysWhispers3-only samples

# Normal SysWhispers, 32-bit mode
py .\syswhispers.py --preset all -o syscalls_all -m jumper --arch x86

# Normal SysWhispers, using WOW64 in 32-bit mode (only specific functions)
py .\syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem --arch x86 --wow64

# Egg-Hunting SysWhispers, to bypass the "mark of the syscall" (common functions)
py .\syswhispers.py --preset common -o syscalls_common -m egg_hunter

# Jumping/Jumping Randomized SysWhispers, to bypass dynamic RIP validation (all functions) using MinGW as the compiler
py .\syswhispers.py --preset all -o syscalls_all -m jumper -c mingw

Script Output

PS C:\Projects\SysWhispers2> py .\syswhispers.py --preset common --out-file temp\syscalls_common -v 
                                                       
                  .                         ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-.  __/
`-. | | `-. |/|/  | | | `-. | | |-' |   `-. .  \
`-' `-| `-' ' '   ' ' ' `-' |-' `-' '   `-'  '''
     /|                     |  @Jackson_T
    `-'                     '  @modexpblog, 2021

                      Edits by @klezVirus,  2022
SysWhispers3: Why call the kernel when you can whisper?


Common functions selected.

Complete! Files written to:
        temp\syscalls_common.h
        temp\syscalls_common.c
        temp\syscalls_common_.asm
Press a key to continue...

Importing into Visual Studio

  1. Copy the generated H/C/ASM files into the project folder.
  2. In Visual Studio, go to Project → Build Customizations... and enable MASM.
  3. In the Solution Explorer, add the .h and .c/.asm files to the project as header and source files, respectively.
  4. Go to the properties of the ASM file, and set the Item Type to Microsoft Macro Assembler.

Compiling outside of Visual Studio

Windows

Makefile for 64 bits:

Makefile.msvc

OPTIONS = -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS-
LIBS = libvcruntime.lib libcmt.lib ucrt.lib kernel32.lib

program:
  ML64 /c syscalls-asm.x64.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64
  cl.exe $(OPTIONS) syscalls.c  program.c
  link.exe /OUT:program.x64.exe -nologo $(LIBS) /MACHINE:X64 -subsystem:console -nodefaultlib syscalls-asm.x64.obj syscalls.obj program.obj

Makefile for 32 bits:

Makefile.msvc

OPTIONS = -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS-
LIBS = libvcruntime.lib libcmt.lib ucrt.lib kernel32.lib

program:
  ML /c syscalls-asm.x86.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X86
  cl.exe $(OPTIONS) syscalls.c  program.c
  link.exe /OUT:program.x86.exe -nologo $(LIBS) /MACHINE:X86 -subsystem:console -nodefaultlib syscalls-asm.x86.obj syscalls.obj program.obj

Compile with nmake:

nmake -f Makefile.msvc

Linux

Makefile for both 64 and 32 bits:

Makefile.mingw

CC_x64 := x86_64-w64-mingw32-gcc
CC_x86 := i686-w64-mingw32-gcc
OPTIONS := -masm=intel -Wall

program:
  $(CC_x64) syscalls.c program.c -o program.x64.exe $(OPTIONS)
  $(CC_x86) syscalls.c program.c -o program.x86.exe $(OPTIONS)

Compile with make:

make -f Makefile.mingw

Caveats and Limitations

  • The Egg-Hunter functionality is not implemented within this tool; it is in Inceptor.
  • System calls from the graphical subsystem (win32k.sys) are not supported.
  • Tested on Visual Studio 2019/2022 with Windows 10 SDK.
  • Support for NASM is not guaranteed.
  • Support for GCC and MinGW is not guaranteed.

Troubleshooting

From SysWhispers2

  • Type redefinition errors: a project may not compile if typedefs in syscalls.h have already been defined.
    • Ensure that only required functions are included (i.e. --preset all is rarely necessary).
    • If a typedef is already defined in another used header, then it could be removed from syscalls.h.

New

  • With --verbose, it is possible to enable troubleshooting output during code generation.
  • With --debug, the tool will insert a software breakpoint in the syscall stub, to ease the debugging in WinDbg.
  • If you get error A2084: constant value too large during compilation, regenerate the stubs.

Credits

SysWhispers2

Developed by @Jackson_T and @modexpblog, but builds upon the work of many others:

SysWhispers2 (x86/WOW64)

  • @rooster for creating a sample x86/WOW64 compatible fork.

Others

Licence

Like the original, this project is licensed under the Apache License 2.0.
