Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs

Overview

SysWhispers2BOF

Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs.

Introduction

This script was initially created to fix specific Cobalt Stike BOFs, such as @rookuu's MiniDumpWriteDump that did not work on Windows 21H1. The reason for the BOFs breaking was that they relied on direct system calls based on a syscalls.h file generated using @Outflank's InlineWhispers - which generates syscall wrappers based on the original SysWhispers project. The original version of SysWhispers relies on a table that maps system call names to system call numbers, which requires updating for each new Windows version to include the appropriate system call numbers for the updated Windows version. This means that a new syscalls.h file needs to be generated and BOFs using this syscalls.h file need to be recompiled each time a new Windows version is released.

A new version of SysWhispers called SysWhispers2 was released in March 2021 by Jackson T.. It uses a different technique and resolves the system call numbers on the target machine instead of relying on a pre-calculated list of system call numbers. This allows generating the syscalls.h and compiled BOF once and this single version should work on new Windows versions without updates.

Unfortunately, the output generated by SysWhispers2 cannot be directly used inside Cobalt Strike BOFs and requires some tweaks to convert it into a format that can be used by Cobalt Strike BOFs. The script provided in this repository performs those tweaks automatically for you and can also be used to convert an existing syscalls.h file from an existing BOF to a new syscalls.h file that uses SysWhispers2.

Installation

Start by cloning this repository. Once the repository is cloned, clone the SysWhispers2 repository inside, for example:

$ git clone https://github.com/FalconForceTeam/SysWhispers2BOF
$ cd SysWhispers2BOF
$ git clone https://github.com/jthuraisamy/SysWhispers2

Usage

The tool can be used to generate a syscalls.h file. To do this, the list of system calls to include in the .h file needs to be specified. This can be specified in 3 different ways:

  1. On the command-line using --syscalls=comma,separated,list, e.g. --syscalls=NtOpenProcess,NtQuerySystemInformation
  2. By reading the syscalls.h file from an existing BOF. This allows easy conversion of the BOF to use SysWhispers2 using --syscalls_h=file_name.h, e.g. --syscalls=bof/syscalls.h
  3. By reading the functions from a text file in the same method used by InlineWhispers, using --syscalls_file=filename, e.g. --syscalls_file=functions.txt. Note: make sure to use the Nt prefix rather than the Zw prefix for the system call names.

It will produce a syscalls.h file in the current directory.

Usage Examples

Example of using it during BOF development:

$ python3 syswhispers2bof.py --syscalls=NtOpenProcess,NtQuerySystemInformation
[*] Used syscalls: ['NtOpenProcess', 'NtQuerySystemInformation']
[*] Calling SysWhispers2 to generate stubs for these system calls

                  .                         ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-.    /
`-. | | `-. |/|/  | | | `-. | | |-' |   `-. ,-'
`-' `-| `-' ' '   ' ' ' `-' |-' `-' '   `-' `---
     /|                     |  @Jackson_T
    `-'                     '  @modexpblog, 2021

SysWhispers2: Why call the kernel when you can whisper?

Complete! Files written to:
        syswhispers2bof.h
        syswhispers2bof.c
        syswhispers2bofstubs.asm
[*] Fixing up H file SysWhispers2/syswhispers2bof.h
[*] Fixing up C file SysWhispers2/syswhispers2bof.c
[*] Converting ASM stubs from SysWhispers2/syswhispers2bofstubs.asm
[*] Writing combined output to syscalls.h
[*] Note: asm.h is no longer needed

This will provide a single file: syscalls.h that can be included in the BOF to make direct system calls.

Example of using it to update the syscalls.h file on an existing BOF to create a version of the BOF that works on Windows 21H1 and later.

# Clone a BOF that is not compatible with Windows 21H1 since it uses an older version of syscalls.h
$ git clone https://github.com/rookuu/BOFs
Cloning into 'BOFs'...
<snip>
$ python3 syswhispers2bof.py --syscalls_h=BOFs/MiniDumpWriteDump/syscalls.h
[*] Extracting syscalls from BOFs/MiniDumpWriteDump/syscalls.h
[*] Used syscalls: ['NtReadVirtualMemory', 'NtOpenProcessToken', 'NtAdjustPrivilegesToken', 'NtOpenProcess', 'NtClose', 'NtQuerySystemInformation']
<snip>
[*] Writing combined output to syscalls.h
[*] Note: asm.h is no longer needed
$ cp syscalls.h BOFs/MiniDumpWriteDump
$ cd BOFs/MiniDumpWriteDump
$ rm asm.h
$ make
x86_64-w64-mingw32-gcc -o minidumpwritedump.x64.o -c bof.c -masm=intel -Wno-multichar
# New .o file should be usable across newer Windows versions without the need to recompile it.

Notes

The tool was only tested on Mac and Linux - it might not work fully on Windows.

Credits

Note that this script is just a small wrapper around the excellent work done by @jthuraisamy and was heavily inspired by the output generated by @Outflank's InlineWhispers.

You might also like...
APRS Track Direct is a collection of tools that can be used to run an APRS website

APRS Track Direct APRS Track Direct is a collection of tools that can be used to run an APRS website. You can use data from APRS-IS, CWOP-IS, OGN, HUB

Bootstraparse is a personal project started with a specific goal in mind: creating static html pages for direct display from a markdown-like file

Bootstraparse is a personal project started with a specific goal in mind: creating static html pages for direct display from a markdown-like file

Python script to commit to your github for a perfect commit streak. This is purely for education purposes, please don't use this script to do bad stuff.

Daily-Git-Commit Commit to repo every day for the perfect commit streak Requirments pip install -r requirements.txt Setup Download this repository. Cr

Islam - This is a simple python script.In this script I have written all the suras of Al Quran. As a result, by using this script, you can know the number of any sura at the moment.
Islam - This is a simple python script.In this script I have written all the suras of Al Quran. As a result, by using this script, you can know the number of any sura at the moment.

Introduction: If you want to know sura number of al quran by just typing the name of sura than you can use this script. Usage in termux: $ pkg install

A free and powerful system for awareness and research of the American judicial system.

CourtListener Started in 2009, CourtListener.com is the main initiative of Free Law Project. The goal of CourtListener.com is to provide high quality

Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.

Waydroid is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu.

System Design Assignments as part of Arpit's System Design Masterclass
System Design Assignments as part of Arpit's System Design Masterclass

System Design Assignments The repository contains a set of problem statements around Software Architecture and System Design as conducted by Arpit's S

Simple and easy to use python API for the COVID registration booking system of the math department @ unipd (torre archimede)

Simple and easy to use python API for the COVID registration booking system of the math department @ unipd (torre archimede). This API creates an interface with the official browser, with more useful functionalities.

Collection of system-wide scripts that I use on my Gentoo

linux-scripts Collection of scripts that I use on my Gentoo machine. I tend to put all scripts in /scripts directory. It is not likely that you would

Owner
FalconForce
FalconForce
Code and yara rules to detect and analyze Cobalt Strike

Cobalt Strike Resources This repository contains: analyze.py: a script to analyze a Cobalt Strike beacon (python analyze.py BEACON) extract.py; extrac

Tek 224 Jan 4, 2023
A beacon generator using Cobalt Strike and a variety of tools.

Beaconator is an aggressor script for Cobalt Strike used to generate either staged or stageless shellcode and packing the generated shellcode using your tool of choice.

Capt. Meelo 441 Dec 17, 2022
Cobalt Strike Sleep Python Bridge

This project is 'bridge' between the sleep and python language. It allows the control of a Cobalt Strike teamserver through python without the need for for the standard GUI client. NOTE: This project is very much in BETA. The goal is to provide a playground for testing and is in no way an officially support feature. Perhaps this could be something added in the future to the core product.

Cobalt Strike 140 Jan 4, 2023
Kellogg bad | Union good | Support strike funds

KelloggBot Credit to SeanDaBlack for the basis of the script. req.py is selenium python bot. sc.js is a the base of the ios shortcut [COMING SOON] Set

null 407 Nov 17, 2022
This is a calculator of strike price distance for options.

Calculator-of-strike-price-distance-for-options This is a calculator of strike price distance for options. Options are a type of derivative. One strat

André Luís Lopes da Silva 4 Dec 30, 2022
a pull switch (or BYO button) that gets you out of video calls, quick

zoomout a pull switch (or BYO button) that gets you out of video calls, quick. As seen on Twitter System compatibility Tested on macOS Catalina (10.15

Brian Moore 422 Dec 30, 2022
A tool for light-duty persistent memoization of API calls

JSON Memoize What is this? json_memoize is a straightforward tool for light-duty persistent memoization, created with API calls in mind. It stores the

null 1 Dec 11, 2021
Process RunGap output file of a workout and load data into Apple Numbers Spreadsheet and my website with API calls

BSD 3-Clause License Copyright (c) 2020, Mike Bromberek All rights reserved. ProcessWorkout Exercise data is exported in JSON format to iCloud using

Mike Bromberek 1 Jan 3, 2022
Direct Multi-view Multi-person 3D Human Pose Estimation

Implementation of NeurIPS-2021 paper: Direct Multi-view Multi-person 3D Human Pose Estimation [paper] [video-YouTube, video-Bilibili] [slides] This is

Sea AI Lab 253 Jan 5, 2023
ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

ChainJacking is a tool to find which of your Go lang direct GitHub dependencies is susceptible to ChainJacking attack.

Checkmarx 36 Nov 2, 2022