InlineWhispers2
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
Based on https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump work
Note
This project is not a fork: the first version of InlineWhispers is based on SysWhispers, while this version targets SysWhispers2. To understand what changed between the two, see:
https://github.com/jthuraisamy/SysWhispers2#difference-between-syswhispers-1-and-2
How do I set this up?
git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py
How to use syscalls in your Cobalt-Strike BOF?
Copy syscalls.c, syscalls.h and syscalls-asm.h into your project and #include "syscalls.c" in your BOF source to start using the syscalls.
You can then call any syscall you need, as in this example:
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include "beacon.h"
#include "syscalls.c"

int go(char* args, int length) {
    // Parse the BOF arguments packed by the aggressor script: a single int (the target PID)
    datap parser;
    BeaconDataParse(&parser, args, length);
    int pid = BeaconDataInt(&parser);
    BeaconPrintf(CALLBACK_OUTPUT, " - Opening process: %d.", pid);

    HANDLE hProcess = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

    // NtOpenProcess identifies the target through a CLIENT_ID, not a bare PID
    CLIENT_ID uPid = { 0 };
    uPid.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
    uPid.UniqueThread = (HANDLE)0;

    // Direct syscall stub generated by SysWhispers2, used instead of the ntdll export
    NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
    if (hProcess == NULL || status != 0) {
        BeaconPrintf(CALLBACK_OUTPUT, " [ERROR] Failed to get process handle, status: 0x%lx", status);
        return 0;
    }

    // HANDLE is pointer-sized, so print it with %p rather than %x (which truncates on x64)
    BeaconPrintf(CALLBACK_OUTPUT, " - Handle: %p", hProcess);
    NtClose(hProcess);
    return 0;
}
Limitations
Currently, the NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel and NtCreateSectionEx syscalls cannot be used.
Known issues
[21/07/2022] The version of Syswhispers2 in this repository is not the latest one; it will be updated later.
Blog posts and GitHub repositories that used or quoted InlineWhispers2 (thanks to the authors)
- https://blog.nviso.eu/2021/12/20/kernel-karnage-part-7-out-of-the-lab-and-back-to-reality/
- https://github.com/Cerbersec/KillDefenderBOF
- https://github.com/Cerbersec/notes
- https://github.com/Simpsonpt/AppSecEzine/blob/master/Ezines/405%20-%20AppSec%20Ezine
- https://github.com/pe3zx/my-infosec-awesome/blob/master/Offensive.md
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/BOFs/BOFs
- https://github.com/N7WEra/BofAllTheThings
Credits
- @jthuraisamy for Syswhispers2
- @outflanknl for the first version of InlineWhispers
- @helpsystems for the nanodump example
- @boku7 for his awesome work and his kindness
- @HackingDave because he's the owner of a great DeLorean vroom vroom
- The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
- All infosec enthusiasts who share their knowledge without looking down on other enthusiasts