Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Last update: Dec 31, 2022

Related tags

Miscellaneous InlineWhispers2

Overview

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Based on https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump work

How do I set this up?

git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
git clone https://github.com/jthuraisamy/SysWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py

How to use syscalls in your Cobalt-Strike BOF?

Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls

Now you can use all syscalls that you need:

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#include "beacon.h"

#include "syscalls.c"

int go(char* args, int length) {
	datap  parser;
	BeaconDataParse(&parser, args, length);

	int pid = BeaconDataInt(&parser);

	BeaconPrintf(CALLBACK_OUTPUT, "	- Opening process: %d.", pid);

	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

	CLIENT_ID uPid = { 0 };
	uPid.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
	uPid.UniqueThread = (HANDLE)0;

	NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
	if (hProcess == NULL || status != 0) {
		BeaconPrintf(CALLBACK_OUTPUT, "	[ERROR] Failed to get processhandle, status: 0x%lx", status);
		return 0;
	}
	BeaconPrintf(CALLBACK_OUTPUT, "	- Handle: %x", hProcess);

	NtClose(hProcess);

	return 0;
}

Limitations

Actually, you can't use NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel, NtCreateSectionEx syscalls

Credits

@jthuraisamy for Syswhispers2
@outflanknl for the first version of InlineWhispers
@helpsystems for the nanodump exemple
@boku7 for his awesome work and his kindness
@HackingDave because he's the owner of a great DeLorean vroom vroom
The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
All infosec enthusiasts who share their knowledge without looking down on other enthusiasts

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Related tags

Overview

InlineWhispers2

How do I set this up?

How to use syscalls in your Cobalt-Strike BOF?

Limitations

Credits

Owner

Programming in Bioinformatics, Block 3

Bitflip Fault Simulation Platform by Daniele Rizzieri (2021)

Generates images with semantic content from distribution A in the style of distribution B

Simulation simplifiée du fonctionnement du protocole RIP

En este repositorio pondré archivos graciositos de python que hago de vez en cuando

A hackers attempt at an MVP anki plugin

Open source style Deep Dream project

A blazing fast mass certificate generator script for the community ⚡

VacationCycleLogicBackEnd - Vacation Cycle Logic BackEnd With Python

Model Quantization Benchmark

LPCV Winner Solution of Spring Team

Simple rofi script to choose player for playerctl to execute its command

Mengzhan (John) code for Closed Loop Control system of Sharp Wave Ripples in Hippocampus CA3 region

This repository containing cross-section cut and fill calculations using Python programming language.

A partial-transpiler that converts a subset of Python to the Folders esoteric programming language

A basic tic tac toe game on python!

A joke conlang with minimal semantics

Example applications, dashboards, scripts, notebooks, and other utilities built using Polygon.io

Calculate the efficient frontier

A set of simple functions to upload and fetch pastes on paste.uploadgram.me