itsMe Posted January 4, 2021 Share Posted January 4, 2021 This is the hidden content, please Sign In or Sign Up SysWhispers helps with AV/EDR evasion by generating header/ASM files implants can use to make direct system calls. All core syscalls are supported and example generated files available in the example-output/ folder. Difference Between SysWhispers 1 and 2 The usage is almost identical to SysWhispers1 but you don’t have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on @j00ru‘s syscall tables and instead uses the “sorting by system call address” technique popularized by @modexpblog. This significantly reduces the size of the syscall stubs. The specific implementation in SysWhispers2 is a variation of @modexpblog’s code. One difference is that the function name hashes are randomized on each generation. @ElephantSe4l, who had published this technique earlier, has another implementation based in C++17 which is also worth checking out. The original SysWhispers repository is still up but maybe deprecated in the future. Introduction Various security products place hooks in user-mode API functions which allow them to redirect execution flow to their engines and detect suspicious behavior. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading. SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe). The headers will also include the necessary type of definitions. This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
Recommended Posts