inline_syscall
SysWhispers2
| inline_syscall | SysWhispers2 | |
|---|---|---|
| 1 | 6 | |
| 609 | 1,436 | |
| - | - | |
| 1.8 | 0.0 | |
| almost 2 years ago | over 1 year ago | |
| C++ | Assembly | |
| Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
inline_syscall
-
Can't do exploitation research on a novel unhooking approach without a database of the DLLs for every Windows version. Ideas?
https://github.com/JustasMasiulis/inline_syscall (AFAIK the only library that produces inline-able syscall stubs)
SysWhispers2
-
BEST KALI TOOL TO MAKE UNDETECTABLE BACKDOOR 2022?
syswhispers2 -- tool for helping unhook userland hooks by reimplementing syscalls. Basically just generates a header file; you still have to write the loader yourself.
- Syswhispers2 - AV/EDR evasion via direct system calls.
-
Are the logs from all .evtx and .etl files included with Get-EventLog and Get-WinEvent?
Yes, and based on this table sysmon actually causes additional events to be generated (although I think it is hooking high level APIs, so I think a technique like SysWhispers might cause some of these events to be invisible through Sysmon) so that could be useful even if we're not focused on the GUI. Writing my own ETW consumer / providers is a little advanced for me right now, so that's cool.
-
Can't do exploitation research on a novel unhooking approach without a database of the DLLs for every Windows version. Ideas?
https://github.com/jthuraisamy/SysWhispers2 (one of the more recent infosec "inventions")
-
Obfuscating powershell beacons
If you wanna stay with unmanaged code look into https://github.com/jthuraisamy/SysWhispers2 I'm a noob with native languages so can't say how effective it is. It also has a downside including ASM references to the binary that are unusual and might be detected, not sure on this tho.
- AV/EDR evasion via direct system calls
What are some alternatives?
lazy_importer - library for importing functions from dlls in a hidden, reverse engineer unfriendly way
DInvoke - Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
Black-Angel-Rootkit - Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.
etl-parser - Event Trace Log file parser in pure Python
ZwProcessHollowing - ZwProcessHollowing is a x64 process hollowing project which uses direct systemcalls, dll unhooking and RC4 payload decryption
HellsGate - Original C Implementation of the Hell's Gate VX Technique
Corth - It's like Porth, but in C++. Yep, we're going full circle.
Shhhloader - Syscall Shellcode Loader (Work in Progress)
introvert
ThreatCheck - Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
donut - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
obfuscator