SysWhispers integrated shellcode loader w/ ETW patching & anti-sandboxing

Related tags

CryptographyTymSpecial
Overview

TymSpecial Shellcode Loader

Description

This project was made as a way for myself to learn C++ and gain insight into how EDR products work.

TymSpecial is a shellcode loader which utilizes SysWhispers to make direct syscalls and avoid user-land hooks. The loader takes raw x64 stageless shellcode as input which is then XOR encrypted with a random key and writes a temporary C++ stub to disk which is compiled via g++ to produce an executable.

TymSpecial offers multiple methods of execution via classic thread injection, Windows callback functions, APC queues, and thread hijacking. Additonally, there is an option to patch EtwEventWrite in the local and remote process and there are 4 anti-sandboxing checks which can enabled including:

  • Is the system domain joined?
  • Does the system have < X GB of RAM?
  • Does the system have < Y processors?
  • Are long sleeps fast forwarded?

Detection Ratings

Depending on which method of execution is chosen there are approximately 2-5 AV/EDR vendors detecting the payloads on VirusTotal when stageless Cobalt Strike shellcode is used with cloud fronting (As of 2/13/22). Results may vary from VirusTotal as we do not have insight into how each product is configured on the back end.

vtcheck

antiscan

Use cases:

  • Provide a variety of malware techniques on purple team engagements
  • Inject into an existing process owned by a more privileged user to escalate privileges and avoid interacting with LSASS
  • Inject into an existing process which normally produces network activity (web browsers, svchost, etc.) to blend C2 traffic
  • An alternative to ScareCrow when module stomping & thread creation does not work.

Note:

  • Self-decrypting shellcode is not supported as memory is allocated with RW permissions and then changed to RX after the shellcode has been written into memory to avoid RWX memory pages.

  • Method 5 is not always guaranteed to work and should be targeted against processes with a high thread count and I/O. This is because APCs will not execute until the thread is in an alertable state. Within a local process such as method 1 this is not an issue as we can can force threads into an alertable state via NtTestAlert, however, forcing a remote process to flush it's APC queues is not possible. Additionally, because an APC is queued into every thread it is likely you will get multiple callbacks.

Requirements

  • Python3
  • x86_64-w64-mingw32-g++ cross compiler

Usage

usage: TymSpecial.py [-h] --input FILE --method NUMBER --out FILENAME [--etw] [--hideconsole] [--domainjoined] [--longsleep]
                     [--processors NUMBER] [--ram NUMBER] [--parent PROCESS] [--child PROCESS] [--clonesig FILE]

Shellcode loader which offers multiple execution methods via syscalls and anti-sandboxing options to evade AV & EDR products.

  --method 1 = [LOCAL] Execute shellcode in the local process via the Windows callback function EnumSystemLocalesA
  --method 2 = [LOCAL] Queue an APC in the local process via NtQueueApcThread, and then flush the queue via NtTestAlert
  --method 3 = [INJECTION] Create a thread in a remote process via NtCreateThreadEx (Note: Module Stomping not yet implemented)
  --method 4 = [INJECTION] Spawn a process in a suspended state with a spoofed PPID and queue an APC into the main thread via NtQueueApcThread, then resume the process via NtResumeThread to execute the APC
  --method 5 = [INJECTION] Iterate and queue an APC into every thread in a remote process via NtQueueApcThread
  --method 6 = [INJECTION] Suspend a thread in a remote process via NtSuspendThread, update the thread's RIP register to point to the shellcode via NtGetContextThread & NtSetContextThread, then resume the thread via NtResumeThread
  
optional arguments:
  -h, --help           show this help message and exit
  --input FILE         File containing shellcode, usually a .bin, example: --input shellcode.bin
  --method NUMBER      Method of execution, example: --method 1
  --out FILENAME       The output name of the produced executable (No file extension), example: --out loader
  --etw                Patch EtwEventWrite in the local and remote process
  --hideconsole        Hide the console via: ShowWindow(GetConsoleWindow(), SW_HIDE)
  --domainjoined       Anti-Sandbox Check: If the system is not domain-joined, exit
  --longsleep          Anti-Sandbox Check: Sleep for 90s, if <75s have passed, exit
  --processors NUMBER  Anti-Sandbox Check: If the number of processors is < X, exit
  --ram NUMBER         Anti-Sandbox Check: If the amount of RAM is < X GB, exit
  --parent PROCESS     Specify the parent process for PPID spoofing in method 4, example --parent explorer.exe
  --child PROCESS      Specify the process to spawn for injection into in method 4, example: --child svchost.exe
  --clonesig FILE      Specify a signed file to use for signature cloning, example: --clonesig C:\\chad\\Desktop\\SignedFile.exe

Example Usage: python3 TymSpecial.py --input file.bin --method 6 --etw --domainjoined --ram 8 --processors 4 --hideconsole --clonesig C:\\chad\\Desktop\\RealFile.exe --out threadhijacker
Example Execution: C:\>threadhijacker.exe 20485

Credits / References

To Do:

  • Implement module stomping
  • Incorporate SigThief for signature cloning
  • Add the option to unhook ntdll
Owner
Nick Frischkorn
OSEP | OSCP | CCNA
Nick Frischkorn
GitHub Repository
DIY gravity falls cryptograms made with python

ciphers-cryptograms some diy code to implementing ciphers-cryptograms from gravity falls with python, it's fun tho Algorithm or ciphers list Caesar At

Muhammad Asthi Seta Ari Yuwana 3 Jun 26, 2022
A tool that can encrypt python2 or python3 code with the given password and can reuse with that password

A tool that can encrypt python2 or python3 code with the given password and can reuse with that password

Md Rasel Bhuyan 3 Feb 28, 2022
Python Cryptocurrency with stealth addresses

Python Cryptocurrency with stealth addresses. Goal is to have create a cryptocurency that hides transactions totally. I.E. Cant see ammount sent, to who, or from who.

3 Aug 04, 2022
A workshop to build an NFT smart contract on the polygon blockchain

Polygon NFT Workshop This is an interactive workshop that guides you through the steps to deploy an NFT smart contract on the Polygon blockchain. By t

Banjo Obayomi 56 Oct 14, 2022
GreenDoge is a modern community-centric green cryptocurrency based on a proof-of-space-and-time consensus algorithm.

GreenDoge Blockchain Download GreenDoge blockchain GreenDoge is a modern community-centric green cryptocurrency based on a proof-of-space-and-time con

40 Sep 11, 2022
Python based project to pull useful account statistics from the Algorand block chain.

PlanetWatchStats Python based project to pull useful account statistics from the Algorand block chain. Setup pip install -r requirements.txt Run pytho

M0x40 1 Jan 27, 2022
A python-jvm wrapper for interacting with the Ergo blockchain.

ergpy A python-jvm wrapper for interacting with the Ergo blockchain. Usage Requires Java 8 or higher to be installed on system pip install JPype1 pip

mgpai 16 Oct 05, 2022
The Intelligent Bitcoin Miner, Part II

The Intelligent Bitcoin Miner, Part II At a Glance This app simulates the behavior and profitability of Bitcoin miners for The Intelligent Bitcoin Min

Karim Helmy 20 Dec 16, 2022
Simple BRender SDK KeyGen.

Super Simple BRender KeyGen Simple BRender SDK KeyGen. Info This is just a super simple keygen for the BRender SDK installer coded in python. All test

1 Jan 15, 2022
A python script for AES Angecryption in Steganography

Angecryption is an encryption or an decryption result from a file to create an other file with the same / or not type.

ISIS 3 Jul 25, 2022
The (Python-based) mining software required for the Nintendo Switch mining project.

ntgbtminer - Nintendo Switch edition This is a version of ntgbtminer that works with the Nintendo Switch bitcoin miner. ntgbtminer ntgbtminer is a no

4 Jun 03, 2021
A symmetric cryptographic module.

Exemple of use : import Seleni MyKey = "GitHub" MySecretText = "Seleni is wonderfull !!!" MyEncryptedText = Seleni.crypt(MyKey, MySecretText) print(My

Polaris 1 Jan 15, 2022
PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password !

PyCrypter PyCrypter , A Tool To Encrypt/Decrypt Text/Code With Ease And Safe Using Password ! Requirements pyfiglet And colorama Usage First Clone The

1 Nov 12, 2021
FileGuard - File crypter and packing utility

FILEGUARD FILEGUARD is a file crypter and packing utility. This project was orig

11 Nov 28, 2022
An BlockChain Based solution for storing the medical records

Blockchain-based Medical Records 📄 Abstract Blockchain has the ability to keep an incorruptible, decentralized, and transparent log of all patient da

Yuvraj Singh Deora 3 Jan 14, 2022
A bot for FaucetCrypto a cryptocurrency faucet. The bot can currently claim PTC ads, main reward and all the shortlinks except exe.io and fc.lc.

A bot for the high paying popular cryptocurrency faucet Faucet Crypto. The bot is built using Python and Selenium, currently it is under active develo

Sourav R S 81 Dec 19, 2022
Salted Crypto Python library

Salted Crypto Python library. Allows to encrypt and decrypt files and directories using popular cryptographic algorithms with salty key(s).

7 Jul 18, 2022
Decrypting winrm traffic using password/ntlm hash

Decrypting winrm traffic using password/ntlm hash

Haoxi Tan 9 Jan 05, 2022
The leading native Python SSHv2 protocol library.

Paramiko Paramiko: Python SSH module Copyright: Copyright (c) 2009 Robey Pointer 8.1k Jan 08, 2023

E2EE disabling plugin for Synapse

E2EE disabling plugin for Synapse This Pluggable Module disables end-to-end encryption in a self-hosted Synapse servers. It works by stripping out req

Konstantin Sharlaimov 9 Nov 30, 2022