Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs

Related tags

MiscellaneousSysWhispers2BOF
Overview

SysWhispers2BOF

Script to use SysWhispers2 direct system calls from Cobalt Strike BOFs.

Introduction

This script was initially created to fix specific Cobalt Stike BOFs, such as @rookuu's MiniDumpWriteDump that did not work on Windows 21H1. The reason for the BOFs breaking was that they relied on direct system calls based on a syscalls.h file generated using @Outflank's InlineWhispers - which generates syscall wrappers based on the original SysWhispers project. The original version of SysWhispers relies on a table that maps system call names to system call numbers, which requires updating for each new Windows version to include the appropriate system call numbers for the updated Windows version. This means that a new syscalls.h file needs to be generated and BOFs using this syscalls.h file need to be recompiled each time a new Windows version is released.

A new version of SysWhispers called SysWhispers2 was released in March 2021 by Jackson T.. It uses a different technique and resolves the system call numbers on the target machine instead of relying on a pre-calculated list of system call numbers. This allows generating the syscalls.h and compiled BOF once and this single version should work on new Windows versions without updates.

Unfortunately, the output generated by SysWhispers2 cannot be directly used inside Cobalt Strike BOFs and requires some tweaks to convert it into a format that can be used by Cobalt Strike BOFs. The script provided in this repository performs those tweaks automatically for you and can also be used to convert an existing syscalls.h file from an existing BOF to a new syscalls.h file that uses SysWhispers2.

Installation

Start by cloning this repository. Once the repository is cloned, clone the SysWhispers2 repository inside, for example:

$ git clone https://github.com/FalconForceTeam/SysWhispers2BOF
$ cd SysWhispers2BOF
$ git clone https://github.com/jthuraisamy/SysWhispers2

Usage

The tool can be used to generate a syscalls.h file. To do this, the list of system calls to include in the .h file needs to be specified. This can be specified in 3 different ways:

  1. On the command-line using --syscalls=comma,separated,list, e.g. --syscalls=NtOpenProcess,NtQuerySystemInformation
  2. By reading the syscalls.h file from an existing BOF. This allows easy conversion of the BOF to use SysWhispers2 using --syscalls_h=file_name.h, e.g. --syscalls=bof/syscalls.h
  3. By reading the functions from a text file in the same method used by InlineWhispers, using --syscalls_file=filename, e.g. --syscalls_file=functions.txt. Note: make sure to use the Nt prefix rather than the Zw prefix for the system call names.

It will produce a syscalls.h file in the current directory.

Usage Examples

Example of using it during BOF development:

$ python3 syswhispers2bof.py --syscalls=NtOpenProcess,NtQuerySystemInformation
[*] Used syscalls: ['NtOpenProcess', 'NtQuerySystemInformation']
[*] Calling SysWhispers2 to generate stubs for these system calls

                  .                         ,--.
,-. . . ,-. . , , |-. o ,-. ,-. ,-. ,-. ,-.    /
`-. | | `-. |/|/  | | | `-. | | |-' |   `-. ,-'
`-' `-| `-' ' '   ' ' ' `-' |-' `-' '   `-' `---
     /|                     |  @Jackson_T
    `-'                     '  @modexpblog, 2021

SysWhispers2: Why call the kernel when you can whisper?

Complete! Files written to:
        syswhispers2bof.h
        syswhispers2bof.c
        syswhispers2bofstubs.asm
[*] Fixing up H file SysWhispers2/syswhispers2bof.h
[*] Fixing up C file SysWhispers2/syswhispers2bof.c
[*] Converting ASM stubs from SysWhispers2/syswhispers2bofstubs.asm
[*] Writing combined output to syscalls.h
[*] Note: asm.h is no longer needed

This will provide a single file: syscalls.h that can be included in the BOF to make direct system calls.

Example of using it to update the syscalls.h file on an existing BOF to create a version of the BOF that works on Windows 21H1 and later.

# Clone a BOF that is not compatible with Windows 21H1 since it uses an older version of syscalls.h
$ git clone https://github.com/rookuu/BOFs
Cloning into 'BOFs'...
<snip>
$ python3 syswhispers2bof.py --syscalls_h=BOFs/MiniDumpWriteDump/syscalls.h
[*] Extracting syscalls from BOFs/MiniDumpWriteDump/syscalls.h
[*] Used syscalls: ['NtReadVirtualMemory', 'NtOpenProcessToken', 'NtAdjustPrivilegesToken', 'NtOpenProcess', 'NtClose', 'NtQuerySystemInformation']
<snip>
[*] Writing combined output to syscalls.h
[*] Note: asm.h is no longer needed
$ cp syscalls.h BOFs/MiniDumpWriteDump
$ cd BOFs/MiniDumpWriteDump
$ rm asm.h
$ make
x86_64-w64-mingw32-gcc -o minidumpwritedump.x64.o -c bof.c -masm=intel -Wno-multichar
# New .o file should be usable across newer Windows versions without the need to recompile it.

Notes

The tool was only tested on Mac and Linux - it might not work fully on Windows.

Credits

Note that this script is just a small wrapper around the excellent work done by @jthuraisamy and was heavily inspired by the output generated by @Outflank's InlineWhispers.

Owner
FalconForce
FalconForce
GitHub Repository
APRS Track Direct is a collection of tools that can be used to run an APRS website

APRS Track Direct APRS Track Direct is a collection of tools that can be used to run an APRS website. You can use data from APRS-IS, CWOP-IS, OGN, HUB

Per Qvarforth 42 Dec 29, 2022
A basic notes app to store your notes.

Notes Webapp A basic notes webapp to keep your notes.You can add, edit and delete notes after signing up. To add a note type your note in the text box

2 Oct 23, 2021
Simplified web browser made in python for a college project

Python browser Simplified web browser made in python for a college project. Web browser has bookmarks, history, multiple tabs, toolbar. It was made on

AmirHossein Mohammadi 9 Jul 25, 2022
Render reMarkable documents to PDF

rmrl: reMarkable Rendering Library rmrl is a Python library for rendering reMarkable documents to PDF files. It takes the original PDF document and th

Robert Schroll 95 Dec 25, 2022
Lock a program and kills it indefinitely if it is started.

Kill By Lock Lock a program and kills it indefinitely if it is started. How start it? It' simple, you just have to double-click on the python file (.p

1 Jan 12, 2022
A python script to make leaderboards using a CSV with the runners name, IDs and Flag Emojis

SrcLbMaker A python script to make speedrun.com global leaderboards. Installation You need python 3.6 or higher. First, go to the folder where you wan

2 Jul 25, 2022
Send notifications created in Frappe or ERPNext as push notication via Firebase Cloud Message(FCM)

FCM Notification for ERPNext Send notifications created in Frappe or ERPNext as push notication via Firebase Cloud Message(FCM) Steps to use the app:

Tridz 9 Nov 14, 2022
Template for pre-commit hooks

Pre-commit hook template This repo is a template for a pre-commit hook. Try it out by running: pre-commit try-repo https://github.com/stefsmeets/pre-c

Stef Smeets 1 Dec 09, 2021
ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic.

ChronoRace is a tool to accurately perform timed race conditions to circumvent application business logic. I've found in my research that w

Tanner 64 Aug 04, 2022
🍬️🦇️ Open source Trick or Treat! 🦇️🍬️

Open Source Halloween! What's an easy way to have fun, and celebrate an open source Halloween? Open source trick or treating, of course! The repositor

Research Software Engineers 3 Oct 18, 2021
Build your own Etherscan with web3.py

Build your own Etherscan with web3.py Video Tutorial: Run it pip3 install -r requirements.txt export FLASK_APP=app export FLASK_ENV=development flask

35 Jan 02, 2023
Python library for converting Python calculations into rendered latex.

Covert art by Joshua Hoiberg handcalcs: Python calculations in Jupyter, as though you wrote them by hand. handcalcs is a library to render Python calc

Connor Ferster 5.1k Jan 07, 2023
This an Anki add on that automatically converts Notion notes into Anki flash cards. Currently in development!

NotionFlash This is an Anki add on in development that will allow automatically convert your Notion study notes into Anki flash cards. The Anki deck c

Neeraj Patel 10 Oct 07, 2022
An Insurance firm providing tour insurance is facing higher claim frequency

An Insurance firm providing tour insurance is facing higher claim frequency. Data is collected from the past few years. Made a model which predicts the claim status using CART, RF & ANN and compare t

1 Jan 27, 2022
Wisdom Tree is a concentration app i am working on.

Wisdom Tree Wisdom Tree is a tui concentration app I am working on. Inspired by the wisdom tree in Plants vs. Zombies which gives in-game tips when it

NO ONE 241 Jan 01, 2023
Script to change official Kali repository to mirrors

Script to change official Kali repository to mirrors. This helps increase packages update and downloading for some user.

Vineet Bhavsar 2 Nov 29, 2021
This is a repository built by the community for the community.

Nutshell Machine Learning Machines can see, hear and learn. Welcome to the future 🌍 The repository was built with a tree-like structure in mind, it c

Edem Gold 82 Nov 18, 2022
Notebook researcher - Notebook researcher with python

notebook_researcher To run the server, you must follow these instructions: At th

4 Sep 02, 2022
Clackety Keyboards Powered by Python

KMK: Clackety Keyboards Powered by Python KMK is a feature-rich and beginner-friendly firmware for computer keyboards written and configured in Circui

KMK Firmware 780 Jan 03, 2023
Osintgram by Datalux but i fixed some errors i found and made it look cleaner

OSINTgram-V2 OSINTgram-V2 is made from Osintgram which is made by Datalux originally but i took the script and fixed some errors i found and made the

2 Feb 02, 2022