manual-syscall-detect

A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.

Description

A full write-up of this tool and how it works can be found on my blog here.

Introduction & Thanks

This is an implementation of Nirvana Hooks (a.k.a. Instrumentation Callbacks), which Alex Ionescu presented at RECON 2015 in a talk titled Hooking Nirvana: Stealthy Instrumentation Hooks (talk, slides). This code was built on Jack Ullrich's syscall-detect project. For something I was working on, I needed a version of this technique that worked in x86 processes. To fulfill that need, I did a lot of research and reverse engineering of how Nirvana Hooks work in x86 processes, which led me to write an updated version that supports x86 applications. The Sources section lists some of the blog posts, documentation, and projects I learned from while writing this tool. If anyone responsible for those resources is reading this, thanks for sharing!

Functionality

This project can be compiled as an EXE or a DLL depending on your needs. The EXE is useful for demonstration purposes and testing. The DLL can be loaded into another process to provide telemetry for the process it has been injected into. To compile a specific version, select the appropriate option and build the solution:

  • Debug - EXE
  • Debug-DLL - DLL
  • Release - EXE
  • Release-DLL - DLL

This project uses OutputDebugString to emit its telemetry, so that it can still report from applications that cannot open a console. To view the telemetry, run the application under a debugger, write your own tool to receive the debug messages, or (my suggestion) use Sysinternals DebugView.
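The telemetry described above is produced from inside the instrumentation callback. The following is an added example and not code from the manual-syscall-detect project: it models the x64 return-address check that a Nirvana-Hook-based detector performs (a system call whose return address is not inside ntdll was issued by someone else's SYSCALL instruction and is flagged) and builds the line that would be handed to OutputDebugString. The module table, the sample return addresses and the NTSTATUS values are constructed; the x86/WOW64 path that the project supports is not modelled here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed module table: a stand-in for the process's loader module list.
 * Addresses are hypothetical; only the relative layout matters for the check. */
typedef struct {
    const char *name;
    uint64_t base;
    uint64_t size;
} module_range_t;

static const module_range_t g_modules[] = {
    { "ntdll.dll",    0x00007ff800000000ULL, 0x001f0000ULL },
    { "kernel32.dll", 0x00007ff7fe000000ULL, 0x000c0000ULL },
    { "main.exe",     0x00007ff600000000ULL, 0x00010000ULL },
};
#define MODULE_COUNT (sizeof(g_modules) / sizeof(g_modules[0]))

/* Map an address to the module that contains it, or NULL for memory that is
 * not backed by a loaded image (heap, VirtualAlloc'd region, and so on). */
const char *module_for_address(uint64_t addr)
{
    for (size_t i = 0; i < MODULE_COUNT; i++) {
        const module_range_t *m = &g_modules[i];
        if (addr >= m->base && addr < m->base + m->size)
            return m->name;
    }
    return NULL;
}

/* Classification performed in the callback: a legitimate Nt* call returns into
 * the stub in ntdll; any other return address means the SYSCALL instruction
 * was executed somewhere else, i.e. a manual/direct syscall. */
int is_direct_syscall(uint64_t return_address)
{
    const char *owner = module_for_address(return_address);
    return owner == NULL || strcmp(owner, "ntdll.dll") != 0;
}

/* Build the telemetry line the real tool would pass to OutputDebugStringA.
 * Returns 1 if the event was flagged, 0 if it looked benign. */
int format_telemetry(char *buf, size_t buflen, uint64_t return_address,
                     uint64_t nt_status)
{
    const char *owner = module_for_address(return_address);
    int flagged = is_direct_syscall(return_address);
    snprintf(buf, buflen,
             "[manual-syscall-detect] %s: return address 0x%016llx in %s, NTSTATUS 0x%08llx",
             flagged ? "DIRECT SYSCALL" : "ntdll syscall",
             (unsigned long long)return_address,
             owner ? owner : "<unbacked memory>",
             (unsigned long long)nt_status);
    return flagged;
}

/* Simulated callback invocations. On x64 the instrumentation callback sees the
 * original return address in R10 and the NTSTATUS in RAX; the values below are
 * constructed to exercise each branch. */
int main(void)
{
    struct { uint64_t ret; uint64_t status; } samples[] = {
        { 0x00007ff800001234ULL, 0x00000000ULL },   /* Nt* stub in ntdll: benign */
        { 0x00007ff600001000ULL, 0x00000000ULL },   /* SYSCALL issued from main.exe */
        { 0x0000020000001000ULL, 0xc0000005ULL },   /* SYSCALL from unbacked memory */
    };
    char line[256];
    int flagged = 0;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        flagged += format_telemetry(line, sizeof line, samples[i].ret, samples[i].status);
        puts(line);   /* stand-in for OutputDebugStringA(line) */
    }
    return flagged == 2 ? 0 : 1;
}
```

In a real process the module table has to be read at runtime (for instance from the PEB loader list) rather than hard-coded, and the classification must run inside the callback registered through NtSetInformationProcess, which the project's blog write-up covers. The kernel32.dll entry exists only to show that a return address inside some other legitimate image is still flagged: the check is "inside ntdll", not "inside any loaded module".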

Demonstration

video

Sources

  1. https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
  2. https://github.com/jthuraisamy/SysWhispers
  3. https://github.com/vxunderground/VXUG-Papers/tree/main/Hells%20Gate
  4. https://github.com/j00ru/windows-syscalls
  5. https://gist.github.com/wbenny/b08ef73b35782a1f57069dff2327ee4d
  6. https://github.com/nothydud/direct-syscall
  7. https://raw.githubusercontent.com/darkspik3/Valhalla-ezines/master/Valhalla%20%231/articles/HEAVEN.TXT
  8. https://github.com/jackullrich/syscall-detect
  9. https://www.youtube.com/watch?v=pHyWyH804xE
  10. https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf
  11. https://github.com/ionescu007/HookingNirvana
  12. https://secrary.com/Random/InstrumentationCallback/
  13. https://splintercod3.blogspot.com/p/weaponizing-mapping-injection-with.html
  14. https://gist.github.com/esoterix/df38008568c50d4f83123e3a90b62ebb
  15. https://www.codeproject.com/Articles/543542/Windows-x64-system-service-hooks-and-advanced-debu
  16. https://web.archive.org/web/20160825133806/https://sww-it.ru/2016-04-11/1332
  17. https://web.archive.org/web/20160517025353/http://everdox.blogspot.ru/2013/02/instrumentationcallback-and-advanced.html
  18. https://github.com/ec-d/instrumentation-callback-x86
  19. https://wbenny.github.io/2018/11/04/wow64-internals.html
  20. http://blog.rewolf.pl/blog/?p=621
  21. https://docs.microsoft.com/en-us/windows/win32/sysinfo/image-file-machine-constants
  22. https://github.com/x64dbg/ScyllaHide
  23. https://docs.microsoft.com/en-us/sysinternals/downloads/debugview
Owner
Conor Richard