Home

Awesome

SharpWhispers

LOGO

C# porting of SysWhispers2.

It uses SharpASM to find the code caves for executing the system call stub.

Read the blog post for the technical details: https://www.secforce.com/blog/sharpasm-sharpwhispers/

Requirements

Usage


   ______               _      ____   _                    
  / __/ /  ___ ________| | /| / / /  (_)__ ___  ___ _______
 _\ \/ _ \/ _ `/ __/ _ \ |/ |/ / _ \/ (_-</ _ \/ -_) __(_-<
/___/_//_/\_,_/_/ / .__/__/|__/_//_/_/___/ .__/\__/_/ /___/
                 /_/                    /_/                

@d_glenx
@SECFORCE_LTD

=============================================================


usage: SharpWhispers.py [-h] [-p PRESET] [-f FUNCTIONS] -o OUT_FILE

optional arguments:
  -h, --help            show this help message and exit
  -p PRESET, --preset PRESET
                        Preset ("all", "common", "dinvoke")
  -f FUNCTIONS, --functions FUNCTIONS
                        Comma-separated functions
  -o OUT_FILE, --out-file OUT_FILE
                        Output basename (w/o extension)

The instructions to create the Visual Studio project are provided here

A basic process injection example is provided here

Presets

At the moment the json files contains the data to generate 33 system calls.

Note: the All preset contains a subset of all the system calls.

All

==== System Calls Imported ====

==[DInvoke]==
[i] Number of Delegates: 13

NtCreateThreadEx
NtCreateSection
NtUnmapViewOfSection
NtMapViewOfSection
NtQueryInformationProcess
NtOpenProcess
NtAllocateVirtualMemory
NtFreeVirtualMemory
NtQueryVirtualMemory
NtProtectVirtualMemory
NtWriteVirtualMemory
NtReadVirtualMemory
NtOpenFile

==[Additional]==
[i] Number of Delegates: 20

NtOpenThread
NtQueueApcThread
NtOpenSection
NtSuspendThread
NtQueryInformationFile
NtSetContextThread
NtResumeProcess
NtOpenProcessToken
NtWaitForMultipleObjects
NtQueryDirectoryFile
NtAdjustPrivilegesToken
NtQuerySystemInformation
NtDeviceIoControlFile
NtResumeThread
NtCreateProcess
NtSuspendProcess
NtGetContextThread
NtClose
NtQueryInformationThread
NtTestAlert

Common

NtCreateThreadEx
NtCreateSection
NtUnmapViewOfSection
NtMapViewOfSection
NtQueryInformationProcess
NtAllocateVirtualMemory
NtFreeVirtualMemory
NtProtectVirtualMemory
NtWriteVirtualMemory
NtOpenFile
NtReadVirtualMemory
NtQueryVirtualMemory
NtOpenProcess

DInvoke

NtCreateThreadEx
NtCreateSection
NtUnmapViewOfSection
NtMapViewOfSection
NtQueryInformationProcess
NtOpenProcess
NtAllocateVirtualMemory
NtFreeVirtualMemory
NtQueryVirtualMemory
NtProtectVirtualMemory
NtWriteVirtualMemory
NtReadVirtualMemory
NtOpenFile

Templates

Delegates.cs

Dynamically Generated

Contains the delegates of the system calls to generate

PEB.cs

Depends on SharpASM

Helper to get the address of PEB using ASM

SharpASM.cs

Contains the code to dynamically call ASM in c#. The function public static IntPtr callASM(byte[] stub) can be used to call the shellcode passing a byte array.

SharpWhispers.cs

Dynamically Generated - The script generates a random seed to hash the system call names

Contains the code to retrieve the system call numbers using ElephantSe4l's technique (code ported from SysWhispers2).

Syscalls.cs

Depends on SharpASM

Contains the code to execute the system calls dynamically using ASM.

Contains also the wrappers for the system calls (e.g. Syscall.NtAllocateVirtualMemory) (Dynamically Generated)

DInvoke Data types

Dynamically Generated

SharpWhispers output files can be used directly into a C# project. The needed data types are a subset of the data types defined in the DInvoke project (some data types are actually borrowed form Rastamouse's minimized project) so as to reduce the detection surface. The data types are defined in the SharpWhisper.Data namspace to avoid overlapping with DInvoke's definitions.

Note: The data types are generated only if needed (i.e. if a system call needs a data type) to minimize the detection surface.

The following templates are used to generate the needed data types: