jthuraisamy / syswhispers2
AV/EDR evasion via direct system calls.
License: Apache License 2.0
Correct me if I'm wrong, but from what I understand, to move from 1 -> 2 all I should have to do is replace the .h file in the #include part of my code, if the code using SysWhispers1 was working with that old .h syscalls file?
I ask because I'm getting an error when using x86_64-w64-mingw32. The error is "Undefined reference to '{INSERT syscall NAME}'".
1. Got the inline header file:
python3 syswhispers.py --functions test,test -l inlinegas -o syscalls
2. Included the file:
syscallsinline.rnd.x64.h
3. Compiled:
x86_64-w64-mingw32-gcc -w -o test.x64.o -c testc -DRANDSYSCALL -masm=intel
When I compile, I get this error:
syscalls.h:260:9: error: missing terminating " character
260 | asm(".intel_syntax noprefix
    | ^~~~~~~~~~~~~~~~~~~~~~~
syscalls.h:261:5: error: expected string literal before '.' token
261 | .global WhisperMain
    | ^
syscalls.h:287:5: error: missing terminating " character
I have spent quite a few hours debugging and finally nailed down why process injection is failing. The call to NtCreateThreadEx using SysWhispers2 isn't really working for me. The process crashes as soon as the thread is injected.
My code is very simple: I open the process using the PID, allocate virtual memory, and then create the remote thread. I have ported all the calls from the high-level APIs to SysWhispers, but when I call NtCreateThreadEx the process crashes. When I just call CreateRemoteThread directly, it works fine.
This is how I am calling the function:
NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, process_handle, pointer_after_allocated, pointer_after_allocated, FALSE, NULL, NULL, NULL, NULL);
I am trying to follow this tutorial, but in my code I take the PID to inject into:
https://sevrosecurity.com/2020/04/08/process-injection-part-1-createremotethread/
How to solve the "symbol redefinition: NtProtectVirtualMemory" and "unmatched block nesting: NtProtectVirtualMemory" issue?
Hi,
I got link error LNK2005 for WhisperMain and every other syscall that was added:
already defined in syscallsstubs.md.x86/x64.obj
While linking, I get the error:
syscallsstubs.x64.s:18:(.text+0x1c): relocation truncated to fit: R_X86_64_32S against `.data'
Can't we add other functions from other DLLs using the same technique?
I have tried both SysWhispers and SysWhispers2. VS is throwing the following error messages. I have enabled MASM in the build customizations and the asm file is set to Macro Assembler.
1. The first error is on the line for NtAllocateVirtualMemory:
Error (active) | E0167 | argument of type "PULONG" is incompatible with parameter of type "PSIZE_T" | NewMetaPlayerLow | main.cpp | 127 |
status = NtAllocateVirtualMemory(process_handle, &pointer_after_allocated, 0, (PULONG)&allocation_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
2. The second error is in the ASM file:
Error | A2088 | END directive required at end of file | NewMetaPlayerLow | c:\project\folder\syscalls_common.asm | 2872 |
3. The third error is:
Error | MSB3721 | The command "ml64.exe /c /nologo /Zi /Fo"x64\Release\syscalls_common.obj" /W3 /errorReport:prompt /Tasyscalls_common.asm" exited with code 1. | NewMetaPlayerLow | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\BuildCustomizations\masm.targets | 70 |
Any help would be great, or if you have a working Visual Studio project that I can use to compare against my environment, that would be a big help too.
NtWriteVirtualMemory does not want to work at all on x86.
NtReadVirtualMemory works fine.
I found that some new functions were added in the newest Windows 10 build, but I can't find their documentation. I will write up the undocumented functions and a structure.
Functions:
NtPssCaptureVaSpaceBulk, NtAllocateUserPhysicalPagesEx, NtAcquireCrossVmMutant, NtCreateCrossVmMutant, NtDirectGraphicsCall, NtWriteErrorLogEntry, NtCreateWinStation, NtOpenWinStation, NtSetWinStationInformation, NtQueryWinStationInformation
Type:
CHANNEL_MESSAGE
I'm able to compile BOFs using the random syscall output with -DRANDSYSCALL; however, the BOF doesn't execute. No error is thrown by Cobalt Strike, it simply does nothing.
Using the embedded syscalls works absolutely fine. It's only the random jumps that fail.
Commit 2689d07 should be reverted. "RtlCreateUserThread" is (obviously) not a syscall and, even if it were, the prototype is incorrect for x64 usage.
First of all, great idea and work. Kudos on that! I discovered your work too late and, unfortunately for me, I had to create something similar years ago, with lots of headaches...
Second, I would like to propose a few suggestions:
Small help for x86:
    0xB8, 0x0, 0x0, 0x0, 0x0, // mov eax, SYS INDEX
    0xE8, 0x3, 0x0, 0x0, 0x0, // call sysenter
    0xC2, 0x00, 0x0,          // ret ARGUMENTS LENGTH SIZE
    // sysenter:
    0x8B, 0xD4,               // mov edx, esp
    0x0F, 0x34,               // sysenter
    0xC3                      // retn
These are just suggestions of course, so please take them or leave them. I'm happy with just the x64 version for some future projects :)
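To make the proposed x86 layout concrete, here is an added C helper (not code from the issue author or from SysWhispers2) that assembles the 18-byte stub for a given syscall number and argument count, patching the `mov eax, imm32` and `ret imm16` immediates and checking that the `call` displacement lands on `mov edx, esp`. It only builds and decodes the bytes; it does not execute them. Assumptions: every x86 argument occupies one 4-byte stack slot, so `ret` cleans up `argc * 4` bytes, and the SSN used in `main` is illustrative, not any real build's number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte layout of the 18-byte x86 stub proposed above (offsets in decimal):
 *   0  B8 imm32        mov eax, SSN
 *   5  E8 03 00 00 00  call +3  (jumps over the ret below, lands on mov edx,esp)
 *  10  C2 imm16        ret imm16 (stdcall: callee pops its arguments)
 *  13  8B D4           mov edx, esp
 *  15  0F 34           sysenter
 *  17  C3              ret
 */
#define STUB_LEN 18

/* Patch the syscall number and the stdcall cleanup size into a copy of the
 * template. argc is the number of 4-byte stack arguments (assumption: every
 * x86 argument is one DWORD). Returns STUB_LEN, or 0 if argc does not fit
 * the 16-bit immediate of ret. */
size_t build_x86_sysenter_stub(uint8_t out[STUB_LEN], uint32_t ssn, unsigned argc)
{
    static const uint8_t tmpl[STUB_LEN] = {
        0xB8, 0x00, 0x00, 0x00, 0x00,   /* mov eax, imm32   (SSN patched in)    */
        0xE8, 0x03, 0x00, 0x00, 0x00,   /* call +3          -> offset 13        */
        0xC2, 0x00, 0x00,               /* ret imm16        (argc*4 patched in) */
        0x8B, 0xD4,                     /* mov edx, esp                         */
        0x0F, 0x34,                     /* sysenter                             */
        0xC3                            /* ret                                  */
    };
    uint32_t cleanup = (uint32_t)argc * 4u;
    if (cleanup > 0xFFFFu)
        return 0;

    memcpy(out, tmpl, STUB_LEN);
    /* x86 immediates are little-endian */
    out[1]  = (uint8_t)(ssn);
    out[2]  = (uint8_t)(ssn >> 8);
    out[3]  = (uint8_t)(ssn >> 16);
    out[4]  = (uint8_t)(ssn >> 24);
    out[11] = (uint8_t)(cleanup);
    out[12] = (uint8_t)(cleanup >> 8);
    return STUB_LEN;
}

/* Read the immediates back out so the encoding can be checked. */
uint32_t stub_ssn(const uint8_t *stub)
{
    return (uint32_t)stub[1] | ((uint32_t)stub[2] << 8)
         | ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
}

uint32_t stub_cleanup_bytes(const uint8_t *stub)
{
    return (uint32_t)stub[11] | ((uint32_t)stub[12] << 8);
}

/* The call's rel32 is relative to the next instruction (offset 10) and must
 * land exactly on mov edx,esp at offset 13. */
int stub_call_target_ok(const uint8_t *stub)
{
    int32_t rel = (int32_t)((uint32_t)stub[6] | ((uint32_t)stub[7] << 8)
                          | ((uint32_t)stub[8] << 16) | ((uint32_t)stub[9] << 24));
    return 10 + rel == 13;
}

/* Build a stub and verify it decodes back to what was asked for; 1 if so. */
int stub_roundtrip_ok(uint32_t ssn, unsigned argc)
{
    uint8_t stub[STUB_LEN];
    if (build_x86_sysenter_stub(stub, ssn, argc) != STUB_LEN)
        return 0;
    return stub_ssn(stub) == ssn
        && stub_cleanup_bytes(stub) == (uint32_t)argc * 4u
        && stub_call_target_ok(stub)
        && stub[13] == 0x8B && stub[14] == 0xD4   /* mov edx, esp */
        && stub[15] == 0x0F && stub[16] == 0x34   /* sysenter     */
        && stub[17] == 0xC3;                      /* ret          */
}

int main(void)
{
    uint8_t stub[STUB_LEN];
    /* Constructed input: an illustrative SSN of 0x18 with 6 arguments
     * (the argument count of NtAllocateVirtualMemory). */
    if (build_x86_sysenter_stub(stub, 0x18, 6) != STUB_LEN)
        return 1;
    for (size_t i = 0; i < STUB_LEN; i++)
        printf("%02X ", stub[i]);
    printf("\n");
    return 0;
}
```

The builder covers only the encoding half. Whether control returns correctly after `sysenter` depends on the target (a native x86 process, not a WOW64 one, where ntdll does not reach the kernel via `sysenter`), so the stub still has to be validated on the actual target before it is relied on.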
Hi,
I took the example code from your description (how to inject a DLL) but get 2 errors during compilation, both on the line
NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
Errors:
1) argument of type "PULONG" is incompatible with parameter of type "PSIZE_T"
2) cannot convert argument 4 from "PULONG" to "PSIZE_T"
All the code and the errors can be seen at https://ibb.co/JzrBx4y
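The error in this report and in the earlier NtAllocateVirtualMemory report above has the same cause: the generated prototype takes `PSIZE_T` for `RegionSize`, and on x64 a `SIZE_T` is 8 bytes while a `ULONG` is 4. The parameter is also in/out, so the kernel writes the page-rounded size back through the pointer. The following is an added C example, not code from the issue authors or from SysWhispers2, that models why casting instead of changing the variable's type is wrong and shows the corrected call. Assumptions: 4 KiB pages; the generated header is named `syscalls.h` (that Windows-only part is compiled only under `_WIN32`); the in-memory stack fragments are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NtAllocateVirtualMemory's 4th parameter is PSIZE_T and is in/out: the kernel
 * rounds the request up to page granularity and stores the rounded SIZE_T back
 * through the pointer. Casting &ulong_var (to PULONG as in the issues, or to
 * PSIZE_T) only changes what the compiler sees; the kernel still writes 8 bytes
 * into a 4-byte local. The fix is a SIZE_T variable passed uncast. */

#define PAGE_SIZE_ASSUMED 0x1000u      /* assumption: 4 KiB pages */

/* Round a request up to a page multiple, as the kernel does to *RegionSize.
 * Returns 0 for a zero request or on overflow. */
uint64_t round_region_size(uint64_t requested)
{
    uint64_t mask = PAGE_SIZE_ASSUMED - 1;
    if (requested == 0 || requested > UINT64_MAX - mask)
        return 0;
    return (requested + mask) & ~mask;
}

/* Model of the kernel's write-back: an 8-byte store through whatever pointer
 * it was handed, regardless of the declared type on the caller's side. */
static void kernel_writes_region_size(void *region_size_ptr, uint64_t rounded)
{
    memcpy(region_size_ptr, &rounded, sizeof rounded);
}

/* The cast from the issues: a ULONG local where a SIZE_T is expected.
 * Constructed stack fragment: [0..3] ULONG allocation_size, [4..7] a neighbour.
 * Returns the neighbour afterwards; if it differs from neighbour_init, the
 * out-parameter write overran the local. (On little-endian x64 the high dword
 * of a small size is 0, so the overrun silently zeroes the neighbour, which is
 * why this often appears to work.) */
uint32_t neighbour_after_ulong_cast(uint32_t requested, uint32_t neighbour_init)
{
    uint8_t frame[8];
    uint32_t neighbour;
    memcpy(frame, &requested, 4);
    memcpy(frame + 4, &neighbour_init, 4);
    kernel_writes_region_size(frame, round_region_size(requested));   /* 8-byte store */
    memcpy(&neighbour, frame + 4, 4);
    return neighbour;
}

/* The fix: a SIZE_T-sized local receives the whole write.
 * Constructed stack fragment: [0..7] SIZE_T allocation_size, [8..11] neighbour. */
uint32_t neighbour_after_size_t(uint64_t requested, uint32_t neighbour_init)
{
    uint8_t frame[12];
    uint32_t neighbour;
    memcpy(frame, &requested, 8);
    memcpy(frame + 8, &neighbour_init, 4);
    kernel_writes_region_size(frame, round_region_size(requested));
    memcpy(&neighbour, frame + 8, 4);
    return neighbour;
}

#ifdef _WIN32
#include <windows.h>
#include "syscalls.h"   /* assumption: the SysWhispers2-generated header from the issues above */

/* Corrected form of the call from the issues: allocation_size is a SIZE_T, so
 * no cast is needed, and the rounded size the kernel writes back stays in the
 * caller's variable for a later NtProtectVirtualMemory / NtFreeVirtualMemory. */
PVOID allocate_rwx(HANDLE process_handle, SIZE_T *allocation_size)
{
    PVOID base = NULL;
    NTSTATUS status = NtAllocateVirtualMemory(process_handle, &base, 0, allocation_size,
                                              MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    return status >= 0 ? base : NULL;   /* NT_SUCCESS: non-negative NTSTATUS */
}
#endif

int main(void)
{
    printf("request 100 -> kernel reports %llu\n", (unsigned long long)round_region_size(100));
    printf("neighbour after ULONG cast : 0x%08X\n", neighbour_after_ulong_cast(100, 0xDEADBEEFu));
    printf("neighbour with SIZE_T local: 0x%08X\n", neighbour_after_size_t(100, 0xDEADBEEFu));
    return 0;
}
```

The same rule applies to every `PSIZE_T` or `PVOID *` out-parameter in the generated header: match the variable's type to the prototype instead of casting the pointer, and keep the written-back value, since a 100-byte request comes back as 0x1000 and that is the size the later protect/free call must use.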