SysWhispers2
AV/EDR evasion via direct system calls. (by jthuraisamy)
donut
Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters (by TheWover)
SysWhispers2 | donut | |
---|---|---|
6 | 4 | |
1,436 | 3,245 | |
- | - | |
0.0 | 0.0 | |
over 1 year ago | about 2 months ago | |
Assembly | C | |
Apache License 2.0 | BSD 3-clause "New" or "Revised" License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
SysWhispers2
Posts with mentions or reviews of SysWhispers2.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-09-13.
-
BEST KALI TOOL TO MAKE UNDETECTABLE BACKDOOR 2022?
syswhispers2 -- tool for helping unhook userland hooks by reimplementing syscalls. Basically just generates a header file; you still have to write the loader yourself.
- Syswhispers2 - AV/EDR evasion via direct system calls.
-
Are the logs from all .evtx and .etl files included with Get-EventLog and Get-WinEvent?
Yes, and based on this table sysmon actually causes additional events to be generated (although I think it is hooking high level APIs, so I think a technique like SysWhispers might cause some of these events to be invisible through Sysmon) so that could be useful even if we're not focused on the GUI. Writing my own ETW consumer / providers is a little advanced for me right now, so that's cool.
-
Can't do exploitation research on a novel unhooking approach without a database of the DLLs for every Windows version. Ideas?
https://github.com/jthuraisamy/SysWhispers2 (one of the more recent infosec "inventions")
-
Obfuscating powershell beacons
If you wanna stay with unmanaged code look into https://github.com/jthuraisamy/SysWhispers2 I'm a noob with native languages so can't say how effective it is. It also has a downside including ASM references to the binary that are unusual and might be detected, not sure on this tho.
- AV/EDR evasion via direct system calls
donut
Posts with mentions or reviews of donut.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-08-27.
-
Bypassing Windows Defender (10 Ways)
The Donut project by TheWover is a very effective Position-Independent shellcode generator from PEs/DLLs. Depending on the input file given, it works different ways. For this PoC I will be using Mimikatz, so let us see how it works at a high level. From a brief look at the code, this would be the main routine of the Donut.exe executable tool:
-
Cannot Load .NET assemblies in memory!
Note that I used the loader from donut and it worked as expected! What am I doing wrong here people?
-
BEST KALI TOOL TO MAKE UNDETECTABLE BACKDOOR 2022?
Donut -- tool to convert (certain, very simple, non-.NET) PE files into shellcode.
- Does anyone know any good x64 shellcode loaders?
What are some alternatives?
When comparing SysWhispers2 and donut you can also consider the following projects:
DInvoke - Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
DripLoader - Evasive shellcode loader for bypassing event-based injection detection (PoC)
inline_syscall - Inline syscalls made easy for windows on clang
Shhhloader - Syscall Shellcode Loader (Work in Progress)
etl-parser - Event Trace Log file parser in pure Python
vivanewvegas-wabbajack - A Wabbajack port of the Viva New Vegas modding guide.
HellsGate - Original C Implementation of the Hell's Gate VX Technique
pe_to_shellcode - Converts PE into a shellcode
ThreatCheck - Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
obfuscator
SysWhispers2 vs DInvoke
donut vs DripLoader
SysWhispers2 vs inline_syscall
donut vs Shhhloader
SysWhispers2 vs etl-parser
donut vs vivanewvegas-wabbajack
SysWhispers2 vs HellsGate
donut vs pe_to_shellcode
SysWhispers2 vs Shhhloader
donut vs ThreatCheck
SysWhispers2 vs ThreatCheck
donut vs obfuscator