Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Last update: Dec 31, 2022

Related tags

Miscellaneous InlineWhispers2

Overview

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Based on https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump work

How do I set this up?

git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
git clone https://github.com/jthuraisamy/SysWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py

How to use syscalls in your Cobalt-Strike BOF?

Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls

Now you can use all syscalls that you need:

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#include "beacon.h"

#include "syscalls.c"

int go(char* args, int length) {
	datap  parser;
	BeaconDataParse(&parser, args, length);

	int pid = BeaconDataInt(&parser);

	BeaconPrintf(CALLBACK_OUTPUT, "	- Opening process: %d.", pid);

	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

	CLIENT_ID uPid = { 0 };
	uPid.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
	uPid.UniqueThread = (HANDLE)0;

	NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
	if (hProcess == NULL || status != 0) {
		BeaconPrintf(CALLBACK_OUTPUT, "	[ERROR] Failed to get processhandle, status: 0x%lx", status);
		return 0;
	}
	BeaconPrintf(CALLBACK_OUTPUT, "	- Handle: %x", hProcess);

	NtClose(hProcess);

	return 0;
}

Limitations

Actually, you can't use NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel, NtCreateSectionEx syscalls

Credits

@jthuraisamy for Syswhispers2
@outflanknl for the first version of InlineWhispers
@helpsystems for the nanodump exemple
@boku7 for his awesome work and his kindness
@HackingDave because he's the owner of a great DeLorean vroom vroom
The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
All infosec enthusiasts who share their knowledge without looking down on other enthusiasts

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Related tags

Overview

InlineWhispers2

How do I set this up?

How to use syscalls in your Cobalt-Strike BOF?

Limitations

Credits

Owner

Python implementation of the Lox language from Robert Nystrom's Crafting Interpreters

CNKD - Minimalistic Windows ransomware written in Python

Python Osmium Examples

The Begin button and menu for the Meadows operating system. The start button for UNIX/Linux.

Linux Backlight Manager

The fundamentals of Python!

Visualize Data From Stray Scanner https://keke.dev/blog/2021/03/10/Stray-Scanner.html

InfiniPy has some neat features - like the endpoint for function

This script is written with Python for selling steam community items automatically.

A tool to improve Boolean satisfiability (SAT) solver user's life

This is a repository built by the community for the community.

Python library for Minitel communication through serial port

An awesome list of AI for art and design - resources, and popular datasets and how we may apply computer vision tasks to art and design.

Spyware baseado em Python para Windows que registra como atividades da janela em primeiro plano, entradas do teclado.

You'll learn about Iterators, Generators, Closure, Decorators, Property, and RegEx in detail with examples.

A tool to determine optimal projects for Gridcoin crunchers. Maximize your magnitude!

Python library for creating and parsing HSReplay XML files

Double Pendulum implementation in Python, now with added pendulums and trails :D

Set up a sidechain for the XRPL quickly and easily

urlwatch is intended to help you watch changes in webpages and get notified of any changes.