Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Last update: Dec 31, 2022

Related tags

Miscellaneous InlineWhispers2

Overview

InlineWhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Based on https://github.com/outflanknl/InlineWhispers and https://github.com/helpsystems/nanodump work

How do I set this up?

git clone https://github.com/Sh0ckFR/InlineWhispers2 && cd InlineWhispers2
git clone https://github.com/jthuraisamy/SysWhispers2
cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..
python3 InlineWhispers2.py

How to use syscalls in your Cobalt-Strike BOF?

Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls

Now you can use all syscalls that you need:

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>

#include "beacon.h"

#include "syscalls.c"

int go(char* args, int length) {
	datap  parser;
	BeaconDataParse(&parser, args, length);

	int pid = BeaconDataInt(&parser);

	BeaconPrintf(CALLBACK_OUTPUT, "	- Opening process: %d.", pid);

	HANDLE hProcess = NULL;
	OBJECT_ATTRIBUTES ObjectAttributes;
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);

	CLIENT_ID uPid = { 0 };
	uPid.UniqueProcess = (HANDLE)(DWORD_PTR)pid;
	uPid.UniqueThread = (HANDLE)0;

	NTSTATUS status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &uPid);
	if (hProcess == NULL || status != 0) {
		BeaconPrintf(CALLBACK_OUTPUT, "	[ERROR] Failed to get processhandle, status: 0x%lx", status);
		return 0;
	}
	BeaconPrintf(CALLBACK_OUTPUT, "	- Handle: %x", hProcess);

	NtClose(hProcess);

	return 0;
}

Limitations

Actually, you can't use NtCallEnclave, NtGetCachedSigningLevel, NtSetCachedSigningLevel, NtCreateSectionEx syscalls

Credits

@jthuraisamy for Syswhispers2
@outflanknl for the first version of InlineWhispers
@helpsystems for the nanodump exemple
@boku7 for his awesome work and his kindness
@HackingDave because he's the owner of a great DeLorean vroom vroom
The French Read The Fancy Manual community, the CyberThreatForce, and OsintFr (@sigsegv_event @CTFofficielFR and @OsintFr)
All infosec enthusiasts who share their knowledge without looking down on other enthusiasts

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Related tags

Overview

InlineWhispers2

How do I set this up?

How to use syscalls in your Cobalt-Strike BOF?

Limitations

Credits

Owner

Practice in Oxford_AI&ML class

Ontario-Covid19-Screening - An automated Covid-19 School Screening Tool for Ontario

Цифрова збрoя проти xуйлoвської пропаганди.

Linux Pressure Stall Information (PSI) Status App

A VirtualBox manager with interactive mode

Improving Representations via Similarities

Automatically re-open threads when they get archived, no matter your boost level!

Cup Noodle Vending Maching Ordering Queue

IPython: Productive Interactive Computing

Python script to preprocess images of all Pokémon to finetune ruDALL-E

Mixtaper - Web app to make mixtapes

🟥This is an overview of how to set up and use DataStore3 in your Roblox experiences

Wagtail + Lottie is a Wagtail package for playing Adobe After Effects animations exported as json with Bodymovin.

The most hackable keyboard in all the land

The last walk-through project in code institute diploma course

UdemyPy is a bot that hourly looks for Udemy free courses and post them in my Telegram Channel: Free Courses.

Web UI for your scripts with execution management

A tool to quickly create codeforces contest directories with templates.

Python’s bokeh, holoviews, matplotlib, plotly, seaborn package-based visualizations about COVID statistics eventually hosted as a web app on Heroku

Interactive class notebooks for ECE4076 Computer Vision, weeks 1 - 6