Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs

Related tags

MiscellaneousSysWhispers2BOF
Overview

SysWhispers2BOF

Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs.

Introduction

This script was initially created to fix specific Cobalt Stike BOFs, such as @rookuu's MiniDumpWriteDump that did not work on Windows 21H1. The reason for the BOFs breaking was that they relied on direct system calls based on a syscalls.h file generated using @Outflank's InlineWhispers - which generates syscall wrappers based on the original SysWhispers project. The original version of SysWhispers relies on a table that maps system call names to system call numbers, which requires updating for each new Windows version to include the appropriate system call numbers for the updated Windows version. This means that a new syscalls.h file needs to be generated and BOFs using this syscalls.h file need to be recompiled each time a new Windows version is released.

A new version of SysWhispers called SysWhispers2 was released in March 2021 by Jackson T.. It uses a different technique and resolves the system call numbers on the target machine instead of relying on a pre-calculated list of system call numbers. This allows generating the syscalls.h and compiled BOF once and this single version should work on new Windows versions without updates.

Unfortunately, the output generated by SysWhispers2 cannot be directly used inside Cobalt Strike BOFs and requires some tweaks to convert it into a format that can be used by Cobalt Strike BOFs. The script provided in this repository performs those tweaks automatically for you and can also be used to convert an existing syscalls.h file from an existing BOF to a new syscalls.h file that uses SysWhispers2.

Installation

Start by cloning this repository. Once the repository is cloned, clone the SysWhispers2 repository inside, for example:

$ git clone https://github.com/FalconForceTeam/SysWhispers2BOF
$ cd SysWhispers2BOF
$ git clone https://github.com/jthuraisamy/SysWhispers2

Usage

The tool can be used to generate a syscalls.h file. To do this, the list of system calls to include in the .h file needs to be specified. This can be specified in 3 different ways:

  1. On the command-line using --syscalls=comma,separated,list, e.g. --syscalls=NtOpenProcess,NtQuerySystemInformation
  2. By reading the syscalls.h file from an existing BOF. This allows easy conversion of the BOF to use SysWhispers2 using --syscalls_h=file_name.h, e.g. --syscalls=bof/syscalls.h
  3. By reading the functions from a text file in the same method used by InlineWhispers, using --syscalls_file=filename, e.g. --syscalls_file=functions.txt. Note: make sure to use the Nt prefix rather than the Zw prefix for the system call names.

It will produce a syscalls.h file in the current directory.

Usage Examples

Example of using it during BOF development:

$ python3 syswhispers2bof.py --syscalls=NtOpenProcess,NtQuerySystemInformation
[*] Used syscalls: ['NtOpenProcess', 'NtQuerySystemInformation']
[*] Calling SysWhispers2 to generate stubs for these system calls

                  .                         ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-.    /
`-. | | `-. |/|/  | | | `-. | | |-' |   `-. ,-'
`-' `-| `-' ' '   ' ' ' `-' |-' `-' '   `-' `---
     /|                     |  @Jackson_T
    `-'                     '  @modexpblog, 2021

SysWhispers2: Why call the kernel when you can whisper?

Complete! Files written to:
        syswhispers2bof.h
        syswhispers2bof.c
        syswhispers2bofstubs.asm
[*] Fixing up H file SysWhispers2/syswhispers2bof.h
[*] Fixing up C file SysWhispers2/syswhispers2bof.c
[*] Converting ASM stubs from SysWhispers2/syswhispers2bofstubs.asm
[*] Writing combined output to syscalls.h
[*] Note: asm.h is no longer needed

This will provide a single file: syscalls.h that can be included in the BOF to make direct system calls.

Example of using it to update the syscalls.h file on an existing BOF to create a version of the BOF that works on Windows 21H1 and later.

# Clone a BOF that is not compatible with Windows 21H1 since it uses an older version of syscalls.h
$ git clone https://github.com/rookuu/BOFs
Cloning into 'BOFs'...
<snip>
$ python3 syswhispers2bof.py --syscalls_h=BOFs/MiniDumpWriteDump/syscalls.h
[*] Extracting syscalls from BOFs/MiniDumpWriteDump/syscalls.h
[*] Used syscalls: ['NtReadVirtualMemory', 'NtOpenProcessToken', 'NtAdjustPrivilegesToken', 'NtOpenProcess', 'NtClose', 'NtQuerySystemInformation']
<snip>
[*] Writing combined output to syscalls.h
[*] Note: asm.h is no longer needed
$ cp syscalls.h BOFs/MiniDumpWriteDump
$ cd BOFs/MiniDumpWriteDump
$ rm asm.h
$ make
x86_64-w64-mingw32-gcc -o minidumpwritedump.x64.o -c bof.c -masm=intel -Wno-multichar
# New .o file should be usable across newer Windows versions without the need to recompile it.

Notes

The tool was only tested on Mac and Linux - it might not work fully on Windows.

Credits

Note that this script is just a small wrapper around the excellent work done by @jthuraisamy and was heavily inspired by the output generated by @Outflank's InlineWhispers.

Owner
FalconForce
FalconForce
GitHub Repository
Scitizen - Help scientific research for the benefit of mankind and humanity 🔬

Scitizen - Help scientific research for the benefit of mankind and humanity 🔬 Scitizen has been built from the ground up to give everyone the possibi

Pierre CORBEL 21 Mar 08, 2022
Taking the fight to the establishment.

Throwdown Taking the fight to the establishment. Wat? I wanted a simple markdown interpreter in python and/or javascript to output html for my website

Trevor van Hoof 1 Feb 01, 2022
Med to csv - A simple way to parse MedAssociate output file in tidy data

MedAssociates to CSV file A simple way to parse MedAssociate output file in tidy

Jean-Emmanuel Longueville 5 Sep 09, 2022
Build your own Etherscan with web3.py

Build your own Etherscan with web3.py Video Tutorial: Run it pip3 install -r requirements.txt export FLASK_APP=app export FLASK_ENV=development flask

35 Jan 02, 2023
Python scripts to interact with Upper Deck ePack online trading card platform

This script should connect to the Upper Deck ePack API using your browser cookies and download a list of your current collection and save it as a CSV.

Adrian Kent 1 Nov 22, 2021
A free micro-blog written in Python and powered by Heroku. *Merge requests are appreciated!*

Background Hobo is an ultra-lightweight blog engine written in Python. It has two dependencies, fully integrated into the codebase with no additional

Andrew Nelder 48 Jan 28, 2021
A script for creating battle animations in FEGBA format.

AA2 Made by Huichelaar. I heavily referenced FEBuilderGBA. I also referenced circleseverywhere's Animation Assembler. This is also where I took lzss.p

2 May 31, 2022
(Pre-)compromise operations for MITRE CALDERA

(Pre-)compromise operations for CALDERA Extend your CALDERA operations over the entire adversary killchain. In contrast to MITRE's access plugin, cald

Diederik Bakker 3 Aug 22, 2022
A toy repo illustrating a minimal installable Python package

MyToy: a minimal Python package This repository contains a minimal, toy Python package with a few files as illustration for students of how to lay out

Fernando Perez 19 Apr 24, 2022
This script can be used to get unlimited Gb for WARP.

Warp-Unlimited-GB This script can be used to get unlimited Gb for WARP. How to use Change the value of the 'referrer' to warp id of yours You can down

Anix Sam Saji 1 Feb 14, 2022
A repository containing an introduction to Panel made to be support videos and talks.

👍 Awesome Panel - Introduction to Panel THIS REPO IS WORK IN PROGRESS. PRE-ALPHA Panel is a very powerful framework for exploratory data analysis and

Marc Skov Madsen 51 Nov 17, 2022
Data and analysis relating to the 5.8M Melbourne quake of 2021

quake2021 Data and analysis relating to the 5.8M Melbourne quake of 2021 Monash University Woodside Living Lab Building The building is located here T

Colin Caprani 6 May 16, 2022
Helper to organize your windows on your desktop.

The script of positionsing windows on the screen. How does it work? Select your window to move/res

Andrii D. 1 Jul 09, 2021
An unofficial python API for trading on the DeGiro platform, with the ability to get real time data and historical data.

DegiroAPI An unofficial API for the trading platform Degiro written in Python with the ability to get real time data and historical data for products.

Jorrick Sleijster 5 Dec 16, 2022
An example repository for how to generate results using PyBaMM

PyBaMM results This repository provides a template for generating results (for example, for a paper) using PyBaMM Installation Install PyBaMM using a

PyBaMM Team 7 Oct 09, 2022
A notebook explaining the principle of adversarial attacks and their defences

TL;DR: A notebook explaining the principle of adversarial attacks and their defences Abstract: Deep neural networks models have been wildly successful

1 Jan 22, 2022
Aesthetic NFT Generator

A E S T H E T I C Dependencies Pillow numpy OpenCV You can use pip to install any missing dependencies. Basic Usage Vaporwave artwork can be generated

Mentor Elezi 4 Mar 13, 2022
Materials for the Introduction in Python , Linux , Git and Github

This repository contains all the materials of the presentation on the introduction of python, linux, git and Github.

AMMI 3 Aug 28, 2022
Using Python to parse through email logs received through several backup systems.

outlook-automated-backup-control Backup monitoring on a mailbox: In this mailbox there will be backup logs. The identification will based on the follo

Connor 2 Sep 28, 2022
This bot uploads telegram files to MixDrop.co,File.io.

What is about this bot ? This bot uploads telegram files to MixDrop.co, File.io. Usage: Send any file, and the bot will upload it to MixDrop.co, File.

Abhijith NT 3 Feb 26, 2022