SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.
The reason for SysWhispers3 to be a standalone version are many, but the most important are:
The usage is pretty similar to SysWhispers2, with the following exceptions:
A better explanation of these features are better outlined i the blog post SysWhispers is dead, long live SysWhispers!
Security products, such as AVs and EDRs, usually place hooks in user-mode API functions to analyse a program execution flow, in order to detect potentially malicious activities.
SysWhispers2 is a tool designed to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe
), which can then be integrated and called directly from C/C++ code, evading user-lands hooks.
The tool, however, generates some patters which can be included in signatures, or behaviour which can be detected at runtime.
SysWhispers3 is built on top of SysWhispers2, and integrates some helpful features to bypass these forms of detection.
C:> git clone https://github.com/klezVirus/SysWhispers3.git
C:> cd SysWhispers3
C:> python .\syswhispers.py –help
The help shows all the available commands and features of the tool:
C:>python syswhispers.py -h
usage: syswhispers.py [-h] [-p PRESET] [-a {x86,x64}] [-m {embedded,egg_hunter,jumper,jumper_randomized}] [-f FUNCTIONS] -o OUT_FILE [–int2eh] [–wow64] [-v] [-d]
SysWhispers3 – SysWhispers on steroids
optional arguments:
-h, –help show this help message and exit
-p PRESET, –preset PRESET
Preset (“all”, “common”)
-a {x86,x64}, –arch {x86,x64}
Architecture
-c {msvc,mingw,all}, –compiler {msvc,mingw,all}
Compiler
-m {embedded,egg_hunter,jumper,jumper_randomized}, –method {embedded,egg_hunter,jumper,jumper_randomized}
Syscall recovery method
-f FUNCTIONS, –functions FUNCTIONS
Comma-separated functions
-o OUT_FILE, –out-file OUT_FILE
Output basename (w/o extension)
–int2eh Use the old int 2eh
instruction in place of syscall
–wow64 Use Wow64 to run x86 on x64 (only usable with x86 architecture)
-v, –verbose Enable debug output
-d, –debug Enable syscall debug (insert software breakpoint)
Export all functions with compatibility for all supported Windows versions (see example-output/).
py .\syswhispers.py –preset all -o syscalls_all
Export just the common functions (see below for list).
py .\syswhispers.py –preset common -o syscalls_common
Export NtProtectVirtualMemory and NtWriteVirtualMemory with compatibility for all versions.
py .\syswhispers.py –functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem
Normal SysWhispers, 32-bits mode
py .\syswhispers.py –preset all -o syscalls_all -m jumper –arch x86
Normal SysWhispers, using WOW64 in 32-bits mode (only specific functions)
py .\syswhispers.py –functions NtProtectVirtualMemory,NtWriteVirtualMemory -o syscalls_mem –arch x86 –wow64
Egg-Hunting SysWhispers, to bypass the “mark of the sycall” (common function)
py .\syswhispers.py –preset common -o syscalls_common -m jumper
Jumping/Jumping Randomized SysWhispers, to bypass dynamic RIP validation (all functions) using MinGW as the compiler
py .\syswhispers.py –preset all -o syscalls_all -m jumper -c mingw
PS C:\Projects\SysWhispers2> py .\syswhispers.py –preset common –out-file temp\syscalls_common -v . ,–.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-. _/ -. | |
-. |/|/ | | | -. | | |-' |
-. . \ -'
-| -' ' ' ' ' '
-‘ |-‘ -' '
-‘ ”’ /| | @Jackson_T `-‘ ‘ @modexpblog, 2021 Edits by @klezVirus, 2022 SysWhispers3: Why call the kernel when you can whisper? Common functions selected. Complete! Files written to: temp\syscalls_common.h temp\syscalls_common.c temp\syscalls_common.asm
Press a key to continue…
Makefile for 64 bits:
Makefile.msvc
OPTIONS = -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS-
LIBS = libvcruntime.lib libcmt.lib ucrt.lib kernel32.lib program:
ML64 /c syscalls-asm.x64.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64
cl.exe $(OPTIONS) syscalls.c program.c
link.exe /OUT:program.x64.exe -nologo $(LIBS) /MACHINE:X64 -subsystem:console -nodefaultlib syscalls-asm.x64.obj syscalls.obj program.obj
Compile with nmake:
nmake -f Makefile.msvc
Makefile for both 64 and 32 bits:
Makefile.mingw
CC_x64 := x86_64-w64-mingw32-gcc
CC_x86 := i686-w64-mingw32-gcc
OPTIONS := -masm=intel -Wall
program:
$(CC_x64) syscalls.c program.c -o program.x64.exe $(OPTIONS)
$(CC_x86) syscalls.c program.c -o program.x86.exe $(OPTIONS)
win32k.sys
) are not supported.Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…