Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Last update: Dec 31, 2022

Related tags

Miscellaneous InlineWhispers2

Overview

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Based on https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump work

How do I set this up?

git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
git clone https://github.com/jthuraisamy/SysWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py

How to use syscalls in your Cobalt-Strike BOF?

Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls

Now you can use all syscalls that you need:

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#include "beacon.h"

#include "syscalls.c"

int go(char* args, int length) {
	datap  parser;
	BeaconDataParse(&parser, args, length);

	int pid = BeaconDataInt(&parser);

	BeaconPrintf(CALLBACK_OUTPUT, "	- Opening process: %d.", pid);

	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

	CLIENT_ID uPid = { 0 };
	uPid.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
	uPid.UniqueThread = (HANDLE)0;

	NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
	if (hProcess == NULL || status != 0) {
		BeaconPrintf(CALLBACK_OUTPUT, "	[ERROR] Failed to get processhandle, status: 0x%lx", status);
		return 0;
	}
	BeaconPrintf(CALLBACK_OUTPUT, "	- Handle: %x", hProcess);

	NtClose(hProcess);

	return 0;
}

Limitations

Actually, you can't use NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel, NtCreateSectionEx syscalls

Credits

@jthuraisamy for Syswhispers2
@outflanknl for the first version of InlineWhispers
@helpsystems for the nanodump exemple
@boku7 for his awesome work and his kindness
@HackingDave because he's the owner of a great DeLorean vroom vroom
The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
All infosec enthusiasts who share their knowledge without looking down on other enthusiasts

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Related tags

Overview

InlineWhispers2

How do I set this up?

How to use syscalls in your Cobalt-Strike BOF?

Limitations

Credits

Owner

Easy, clean, reliable Python 2/3 compatibility

Attempt at a Windows version of the plotman Chia Plot Manager system

Repo with data from local elections in Portugal from 2009 to 2013

pybicyclewheel calulates the required spoke length for bicycle wheels

Something like Asteroids but not really, done in CircuitPython

A simple and efficient computing package for Genshin Impact gacha analysis

Learning a Little about Containerlab

A very basic ciphering/deciphering tool

An improved version of the common ˙pacman -S˙

El_Binario - A converter for Binary, Decimal, Hexadecimal and Octal numbers

Hashcrack - A non-object oriented open source, Software for Windows/Linux made in Python 3

Urban Big Data Centre Housing Sensor Project

Built as part of an assignment for S5 OOSE Subject CSE

Grouping nucleotide coordinate ranges.

Chemical Analysis Calculator, with full solution display.

SimplePyBLE - Python bindings for SimpleBLE

ROS Foxy + Raspi + Adafruit BNO055

Context-free grammar to Sublime-syntax file

Consulta cpf fds

Wannier & vASP Postprocessing module