jthuraisamy / syswhispers
AV/EDR evasion via direct system calls.
License: Apache License 2.0
Hi,
It appears syscall structures have been changed in the latest Windows 10 build (21H1 / build 19043), as tools using Syswhispers fail on this build. Verification of this and an update would be much appreciated! :)
Many thanks in advance.
How Can We Do It in 32-bit Mode & on WOW64?
Once I set the preset flag to "all", I got some errors for missing function definitions.
I will list these functions below.
Functions: NtPssCaptureVaSpaceBulk, NtAllocateUserPhysicalPagesEx, NtAcquireCrossVmMutant, NtCreateCrossVmMutant, NtDirectGraphicsCall, NtWriteErrorLogEntry, NtCreateWinStation, NtOpenWinStation, NtSetWinStationInformation, NtQueryWinStationInformation
Type: CHANNEL_MESSAGE
I can't find any information on the above.
Hi, I am new to reverse engineering. I am using the syscalls, and while debugging my exe
the syscall is done successfully and the registry is manipulated successfully, but after these things are done
Kaspersky still kills my process.
Can someone help?
Your project is very nice; it gives a lot of help to any developer.
Why don't you add support for x32? The syscall would be:
; caller stub: load the system service number, enter the kernel through the shared sysentry stub, then clean up the caller's stack arguments
mov eax, FUNCTION      ; FUNCTION = system service number of the target Nt* call
call sysentry
ret 0x14               ; pop the stack arguments pushed by the caller (0x14 bytes here; the count depends on the function)
; sysentry: save the user-mode stack pointer in edx (as ntdll's 32-bit stubs do) and issue sysenter
sysentry:
mov edx, esp
sysenter
retn
Hi,
I've been trying to get NtQueryVirtualMemory to work in a sample x64 PoC with the currently generated NQVM prototype; the call to NQVM keeps failing with error code "0xc0000005".
The currently generated prototype:
NTSTATUS status = NtQueryVirtualMemory(hProcess, (PVOID)p_addr, MemoryBasicInformation, &memInfo, sizeof(memInfo), &retBytes);
EXTERN_C NTSTATUS NtQueryVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation,
IN ULONG MemoryInformationLength, <====
OUT PULONG ReturnLength OPTIONAL);
I had to change the "MemoryInformationLength" type to ULONG_PTR (unsigned long long) to get it working:
NTSTATUS status = NtQueryVirtualMemory(hProcess, (PVOID)p_addr, MemoryBasicInformation, &memInfo, sizeof(memInfo), &retBytes);
EXTERN_C NTSTATUS NtQueryVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
OUT PVOID MemoryInformation,
IN ULONG_PTR MemoryInformationLength, <<====
OUT PULONG ReturnLength OPTIONAL);
OS: Windows 10
Build Number: 18363
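The width mismatch behind the prototype problem above, as an added C example that is not part of the original issue or of SysWhispers: the native NtQueryVirtualMemory signature (ZwQueryVirtualMemory in ntifs.h) declares both MemoryInformationLength and ReturnLength as pointer-width SIZE_T, so on x64 a PULONG ReturnLength receives an 8-byte store into a 4-byte local. The Windows type names, the simulated kernel store and the 48-byte constant are defined locally so the block builds on any platform.

```c
#include <stdint.h>
#include <string.h>

/* Windows-style type names, typedef'd here so the example builds outside MSVC
   (constructed for this example; the real definitions live in the Windows headers). */
typedef uint32_t ULONG;      /* always 32-bit on Windows, even on x64 */
typedef uint64_t SIZE_T;     /* pointer-width: 64-bit on x64 */
typedef long     NTSTATUS;

/* The native prototype: both the buffer length and the returned length are
   pointer-width SIZE_T, not ULONG (matches ntifs.h ZwQueryVirtualMemory). */
typedef NTSTATUS (*NtQueryVirtualMemory_t)(void *ProcessHandle, void *BaseAddress,
    int MemoryInformationClass, void *MemoryInformation,
    SIZE_T MemoryInformationLength, SIZE_T *ReturnLength);

#define MBI_SIZE_X64 48u   /* sizeof(MEMORY_BASIC_INFORMATION) on x64 */

/* Stand-in for the kernel side of the call: it treats ReturnLength as a
   SIZE_T* and performs a full 8-byte store through it. */
static void kernel_store_return_length(void *return_length, SIZE_T bytes)
{
    memcpy(return_length, &bytes, sizeof bytes);
}

/* Caller built against the generated prototype (PULONG ReturnLength): a 4-byte
   ULONG receives the 8-byte store, so the neighbouring local is overwritten.
   Returns 1 when the neighbour was clobbered. */
int pulong_return_length_clobbers_neighbour(void)
{
    ULONG locals[2] = { 0u, 0xCAFEBABEu };   /* [0] = retBytes, [1] = next local */
    kernel_store_return_length(&locals[0], MBI_SIZE_X64);
    return locals[1] != 0xCAFEBABEu;
}

/* Caller using the correct SIZE_T ReturnLength: the store fits exactly and the
   neighbouring local is untouched. Returns 1 when everything is intact. */
int sizet_return_length_is_safe(void)
{
    SIZE_T ret_bytes = 0;
    ULONG neighbour = 0xCAFEBABEu;
    kernel_store_return_length(&ret_bytes, MBI_SIZE_X64);
    return ret_bytes == MBI_SIZE_X64 && neighbour == 0xCAFEBABEu;
}
```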
I have tried both SysWhispers and SysWhispers2. VS is throwing the following error messages. I have enabled MASM in Build Customizations, and the asm file is set to Macro Assembler.
1. The first error is on the line for NtAllocateVirtualMemory.
Error (active) | E0167 | argument of type "PULONG" is incompatible with parameter of type "PSIZE_T" | NewMetaPlayerLow | main.cpp | 127 |
status = NtAllocateVirtualMemory(process_handle, &pointer_after_allocated, 0, (PULONG)&allocation_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
The second error is in the ASM file.
Error | A2088 | END directive required at end of file | NewMetaPlayerLow | c:\project\folder\syscalls_common.asm | 2872 |
The third error is:
Error | MSB3721 | The command "ml64.exe /c /nologo /Zi /Fo"x64\Release\syscalls_common.obj" /W3 /errorReport:prompt /Tasyscalls_common.asm" exited with code 1. | NewMetaPlayerLow | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\BuildCustomizations\masm.targets | 70 |
Any help would be great, or if you have a working Visual Studio project that I can use to compare against my environment, that would be a big help too.