jthuraisamy / syswhispers2 Goto Github PK

Correct me if im wrong but from what i understand to move from 1 -> 2 all i should have to do is replace .h file on the #include part of my code if the code using SysWhispers1 was working with that old .h syscalls file?
I ask because im getting a error when using x86_64-w64-mingw32. Error is "Undefined reference to '{INSERT syscall NAME}'

1.got the inline head file
python3 syswhispers.py --functions test,test -l inlinegas -o syscalls
2.include the file
syscallsinline.rnd.x64.h
3.complie
x86_64-w64-mingw32-gcc -w -o test.x64.o -c testc -DRANDSYSCALL -masm=intel

when i compile，i got this error

syscalls.h:260:9: error: missing terminating " character
260 | asm(".intel_syntax noprefix
| ^~~~~~~~~~~~~~~~~~~~~~~
syscalls.h:261:5: error: expected string literal before '.' token
261 | .global WhisperMain
| ^
syscalls.h:287:5: error: missing terminating " character

I have spent quite a few hours in debugging and finally nailed down why process injection is failing. The call to NtCreateThreadEX using SysWhispers2 isn't really working for me. The process crashes as soon as the thread is injected.

My code is very simple that I open the process using Pid, create a virtual memory and then create RemoteThreadEX. I have ported all the calls to Syswhispers from High level APis but when I call NtCreateThreadEX, the process is crashing. When I just call CreateRemoteThread Directly, it works fine.

This is how I am calling the function
NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, process_handle, pointer_after_allocated, pointer_after_allocated, FALSE, NULL, NULL, NULL, NULL);

I am trying to follow this tutorial but in my code, I take PID to inject.
https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/

How to solve symbol redefinition : NtProtectVirtualMemory and unmatched block nesting : NtProtectVirtualMemory issue

Hi,
Got link error LNK 2005 for WhisperMain and any other sys call the was added.
already defined in syscallsstubs.md.x86/x64.obj

while linking, i got error:
syscallsstubs.x64.s:18:(.text+0x1c): relocation truncated to fit: R_X86_64_32S against .data'.`

can't we add other functions in other dlls using the same technique

I have tried both SysWhisper and SysWhisper2. VS is throwing the following error messages. I have enabled the MASM in build customization and also the asm file is set to Macro Assembler.

1 . The first error on the line for NtAllocateVirtualMemory.
Error (active) | E0167 | argument of type "PULONG" is incompatible with parameter of type "PSIZE_T" | NewMetaPlayerLow | main.cpp | 127 |
status = NtAllocateVirtualMemory(process_handle, &pointer_after_allocated, 0, (PULONG)&allocation_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

The second error is on the ASM file.
Error | A2088 | END directive required at end of file | NewMetaPlayerLow |
c:\project\folder\syscalls_common.asm | 2872 |

The third error is
Error | MSB3721 | The command "ml64.exe /c /nologo /Zi /Fo"x64\Release\syscalls_common.obj" /W3 /errorReport:prompt /Tasyscalls_common.asm" exited with code 1. | NewMetaPlayerLow | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\BuildCustomizations\masm.targets | 70 |

Any help would be great or if you have a working visual studio project, that I can use to compare against my environment, would be big help too.

does not want to work in any NtWriteVirtualMemory x86

NtReadVirtualMemory works good

I found some new functions were added in the newest Windows 10 build. But I can't look for their document. Will write the undocumented functions and a structure.

Functions:
NtPssCaptureVaSpaceBulk, NtAllocateUserPhysicalPagesEx, NtAcquireCrossVmMutant, NtCreateCrossVmMutant, NtDirectGraphicsCall, NtWriteErrorLogEntry, NtCreateWinStation, NtOpenWinStation, NtSetWinStationInformation, NtQueryWinStationInformation

Type:
CHANNEL_MESSAGE

I'm able to compile BOFs using the random syscall output with -DRANDSYSCALL; however, the BOF doesn't execute. No error is thrown by Cobalt Strike, it simply does nothing.

Using the embedded syscalls works absolutely fine. It's only the random jumps that fail.

Commit 2689d07 should be reverted. "RtlCreateUserThread" is (obviously) not a syscall and, even if it was, the prototype is incorrect for x64 usage.

First of all, great idea and work. Kudos on that! I discovered too late your work and unfortunately for me I had to create something similar years ago with lots of headaches...

Second, I would like to propose a few suggestions:

• Add option to create or just create function prefixes (this is because if someone is using a library like phnt, or already has functions Nt/Zw defined it will horribly conflict)
• Try to introduce x86 support as well (you need to create a compile time template and resolve the function arguments size)
• Have a look at rewolf's wow64 gate, it may be possible to introduce wow64 support

Small help for x86:

0xB8, 0x0, 0x0, 0x0, 0x0, // mov eax, SYS INDEX
0xE8, 0x3, 0x0, 0x0, 0x0, // call sysentry
0xC2, 0x00, 0x0,  // ret ARGUMENTS LENGTH SIZE
// sysenter:
0x8B, 0xD4, // mov edx,esp
0x0F, 0x34, // sysenter
0xC3 // retn

These are just suggestions of course so please take it or leave it. I`m happy with just the x64 version for some future projects :)

Hi,

I take example code from your description (how inject DLL) but get 2 errors during compilation- both on line

NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

Errors :
1 ) argument of type "PULONG" is incompatible with parameter of type "PSIZE_T"
2 ) cannot convert argument 4 from "PULONG" to "PSIZE_T"

All code and the errors can be seen on the link https://ibb.co/JzrBx4y