SysWhispers integrated shellcode loader w/ ETW patching & anti-sandboxing

Overview

TymSpecial Shellcode Loader

Description


This project was made as a way for myself to learn C++ and gain insight into how EDR products work.

TymSpecial is a shellcode loader which utilizes SysWhispers to make direct syscalls and avoid user-land hooks. The loader takes raw x64 stageless shellcode as input which is then XOR encrypted with a random key and writes a temporary C++ stub to disk which is compiled via g++ to produce an executable.

TymSpecial offers multiple methods of execution via classic thread injection, Windows callback functions, APC queues, and thread hijacking. Additonally, there is an option to patch EtwEventWrite in the local and remote process and there are 4 anti-sandboxing checks which can enabled including:

  • Is the system domain joined?
  • Does the system have < X GB of RAM?
  • Does the system have < Y processors?
  • Are long sleeps fast forwarded?

Detection Ratings

Depending on which method of execution is chosen there are approximately 2-5 AV/EDR vendors detecting the payloads on VirusTotal when stageless Cobalt Strike shellcode is used with cloud fronting (As of 2/13/22). Results may vary from VirusTotal as we do not have insight into how each product is configured on the back end.

vtcheck

antiscan

Use cases:

  • Provide a variety of malware techniques on purple team engagements
  • Inject into an existing process owned by a more privileged user to escalate privileges and avoid interacting with LSASS
  • Inject into an existing process which normally produces network activity (web browsers, svchost, etc.) to blend C2 traffic
  • An alternative to ScareCrow when module stomping & thread creation does not work.

Note:

  • Self-decrypting shellcode is not supported as memory is allocated with RW permissions and then changed to RX after the shellcode has been written into memory to avoid RWX memory pages.

  • Method 5 is not always guaranteed to work and should be targeted against processes with a high thread count and I/O. This is because APCs will not execute until the thread is in an alertable state. Within a local process such as method 1 this is not an issue as we can can force threads into an alertable state via NtTestAlert, however, forcing a remote process to flush it's APC queues is not possible. Additionally, because an APC is queued into every thread it is likely you will get multiple callbacks.

Requirements


  • Python3
  • x86_64-w64-mingw32-g++ cross compiler

Usage


usage: TymSpecial.py [-h] --input FILE --method NUMBER --out FILENAME [--etw] [--hideconsole] [--domainjoined] [--longsleep]
                     [--processors NUMBER] [--ram NUMBER] [--parent PROCESS] [--child PROCESS] [--clonesig FILE]

Shellcode loader which offers multiple execution methods via syscalls and anti-sandboxing options to evade AV & EDR products.

  --method 1 = [LOCAL] Execute shellcode in the local process via the Windows callback function EnumSystemLocalesA
  --method 2 = [LOCAL] Queue an APC in the local process via NtQueueApcThread, and then flush the queue via NtTestAlert
  --method 3 = [INJECTION] Create a thread in a remote process via NtCreateThreadEx (Note: Module Stomping not yet implemented)
  --method 4 = [INJECTION] Spawn a process in a suspended state with a spoofed PPID and queue an APC into the main thread via NtQueueApcThread, then resume the process via NtResumeThread to execute the APC
  --method 5 = [INJECTION] Iterate and queue an APC into every thread in a remote process via NtQueueApcThread
  --method 6 = [INJECTION] Suspend a thread in a remote process via NtSuspendThread, update the thread's RIP register to point to the shellcode via NtGetContextThread & NtSetContextThread, then resume the thread via NtResumeThread
  
optional arguments:
  -h, --help           show this help message and exit
  --input FILE         File containing shellcode, usually a .bin, example: --input shellcode.bin
  --method NUMBER      Method of execution, example: --method 1
  --out FILENAME       The output name of the produced executable (No file extension), example: --out loader
  --etw                Patch EtwEventWrite in the local and remote process
  --hideconsole        Hide the console via: ShowWindow(GetConsoleWindow(), SW_HIDE)
  --domainjoined       Anti-Sandbox Check: If the system is not domain-joined, exit
  --longsleep          Anti-Sandbox Check: Sleep for 90s, if <75s have passed, exit
  --processors NUMBER  Anti-Sandbox Check: If the number of processors is < X, exit
  --ram NUMBER         Anti-Sandbox Check: If the amount of RAM is < X GB, exit
  --parent PROCESS     Specify the parent process for PPID spoofing in method 4, example --parent explorer.exe
  --child PROCESS      Specify the process to spawn for injection into in method 4, example: --child svchost.exe
  --clonesig FILE      Specify a signed file to use for signature cloning, example: --clonesig C:\\chad\\Desktop\\SignedFile.exe

Example Usage: python3 TymSpecial.py --input file.bin --method 6 --etw --domainjoined --ram 8 --processors 4 --hideconsole --clonesig C:\\chad\\Desktop\\RealFile.exe --out threadhijacker
Example Execution: C:\>threadhijacker.exe 20485

Credits / References


To Do:


  • Implement module stomping
  • Incorporate SigThief for signature cloning
  • Add the option to unhook ntdll
Owner
Nick Frischkorn
OSEP | OSCP | CCNA
Nick Frischkorn
A simple graphical interface for encrypting sentences

A simple graphical interface for encrypting sentences

Marcus Vinícius Ribeiro Andrade 1 Oct 09, 2021
A tool used to encrypt Python scripts version < 2.7 and version < 3.9

A tool used to encrypt Python scripts version 2.7 and version 3.9

Fajar Kim 1 Dec 14, 2021
Python Cryptocurrency with stealth addresses

Python Cryptocurrency with stealth addresses. Goal is to have create a cryptocurency that hides transactions totally. I.E. Cant see ammount sent, to who, or from who.

3 Aug 04, 2022
Deriving RSA public keys from message-signature pairs

The repository contains: Experimental code to calculate RSA public keys based on two known message-signature pairs

Silent Signal 120 Dec 31, 2022
Python FFI bindings for libsecp256k1 (maintained)

secp256k1-py Python FFI bindings for libsecp256k1 (an experimental and optimized C library for EC operations on curve secp256k1). Previously maintaine

Rusty Russell 29 Dec 29, 2022
Scrambler - Useful File/Directory Encryption Program

This is a program that is used to scramble/encrypt files on your computer. Do not use this program to do malicious things with. I am not responsible for any damage that you do with this software.

0 Oct 01, 2021
gcrypter: an encryption algorithm based on bytes and their correspondent numbers to encode strings

gcrypter: an encryption algorithm based on bytes and their correspondent numbers to encode strings

Nuninha-GC 1 Jan 10, 2022
A crypto wallet to send bnb and ether coin using web3.py and moralis speedy node

A crypto wallet to send bnb and ether coin using web3.py and moralis speedy node

Ciscoquan 3 Aug 16, 2022
A simple key-based text encryption process that encrypts a string based in a list of characteres pairs.

Simple Cipher Encrypter About | New Features | Exemple | How To Use | License ℹ️ About A simple key-based text encryption process that encrypts a stri

Guilherme Farrel 1 Oct 21, 2021
Buckley 2 Jul 24, 2022
A web app to scan crypto markets based on candlestick pattern recognition from

Crypto_Scanner A web app to scan crypto markets based on candlestick pattern recognition from "Japanese Candlestick Charting Techniques: A Contemporar

Chris Qi 27 Jan 01, 2023
The (Python-based) mining software required for the Game Boy mining project.

The (Python-based) mining software required for the Game Boy mining project.

Ghidra Ninja 31 Nov 04, 2022
This project aims to assist in the search for leaked passwords while maintaining a high level of privacy using the k-anonymity method.

To achieve this, the APIs of different services are used, sending only a part of the Hash of the password we want to check, for example, the first 5 characters.

Telefónica 36 Jul 06, 2022
Persian caesar and rot16 encryptor and decryptor

persian caesar and rot16 encrypt and decrypt how to install if you use windows python -m venv .venv .\.venv\Script\activate python -m pip install -r r

Mehdi Radfar 5 Oct 28, 2022
A self-contained cryptographic library for Python

PyCryptodome PyCryptodome is a self-contained Python package of low-level cryptographic primitives. It supports Python 2.7, Python 3.4 and newer, and

Helder Eijs 2.2k Jan 08, 2023
obj-encrypt is an encryption library based on the AES-256 algorithm.

obj-encrypt is an encryption library based on the AES-256 algorithm. It uses Python objects as the basic unit, which can convert objects into binary ciphertext and support decryption. Objects encrypt

Cyberbolt 2 May 04, 2022
SysWhispers integrated shellcode loader w/ ETW patching & anti-sandboxing

TymSpecial Shellcode Loader Description This project was made as a way for myself to learn C++ and gain insight into how EDR products work. TymSpecial

Nick Frischkorn 145 Dec 20, 2022
GmJEWEL - The monorepo for the Greedy Merchants Guild

Greedy Merchants Guild Hello! Welcome to the monorepo for the Greedy Merchants G

Greedy Merchants Guild 5 Mar 09, 2022
Audit of classmate's smart contract in blockchain seminar

Solidity-contract-audit Audit of classmate's smart contract in blockchain seminar Assignment: The task was to create a complete audit, including unit

smrza 0 Feb 04, 2022
Accounting Cycle Program with Blockchain Component

In the first iteration of my accounting cycle program, I talked about adding in a blockchain component that allows the user to verify the inegrity of

J. Brandon Walker 1 Nov 29, 2021