jthuraisamy / syswhispers Goto Github PK

Hi iam new in reverse engineering iam
using the sys calls and while debugging my exe .
the sys call is done success and the registery manpulated success but after theas things is done .
the KasperSky still kill my process ,
can some one help

Once I set the flag preset as "all", then I got some errors for missing function definitions.
I will write these functions as the following.
Functions: NtPssCaptureVaSpaceBulk, NtAllocateUserPhysicalPagesEx, NtAcquireCrossVmMutant, NtCreateCrossVmMutant, NtDirectGraphicsCall, NtWriteErrorLogEntry, NtCreateWinStation, NtOpenWinStation, NtSetWinStationInformation, NtQueryWinStationInformation
Type: CHANNEL_MESSAGE

I can't find any information on the above.

I have tried both SysWhisper and SysWhisper2. VS is throwing the following error messages. I have enabled the MASM in build customization and also the asm file is set to Macro Assembler.

1 . The first error on the line for NtAllocateVirtualMemory.
Error (active) | E0167 | argument of type "PULONG" is incompatible with parameter of type "PSIZE_T" | NewMetaPlayerLow | main.cpp | 127 |  
status = NtAllocateVirtualMemory(process_handle, &pointer_after_allocated, 0, (PULONG)&allocation_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

2. The second error is on the ASM file.
   Error | A2088 | END directive required at end of file | NewMetaPlayerLow |
   c:\project\folder\syscalls_common.asm | 2872 |  

3. The third error is
   Error | MSB3721 | The command "ml64.exe /c /nologo /Zi /Fo"x64\Release\syscalls_common.obj" /W3 /errorReport:prompt  /Tasyscalls_common.asm" exited with code 1. | NewMetaPlayerLow | C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Microsoft\VC\v160\BuildCustomizations\masm.targets | 70 |  

Any help would be great or if you have a working visual studio project, that I can use to compare against my environment, would be big help too.

How Can We Do It in 32bit mode & on WOW64?

Your project is very nice, gives a lot of help for any developer.

Why don't you add support for x32 ? The syscall would be:

	mov eax, FUNCTION
	call sysentry
	ret 0x14
	mov edx,esp
	sysenter
	retn

Hi,

It appears syscall structures have been changed in the latest Windows 10 build (21H1 / build 19043), as tools using Syswhispers fail on this build. Verification of this and an update would be much appreciated! :)

Many thanks in advance.

Hi,

I've been trying to get NtQueryVirtualMemory to work in a sample x64 PoC with the current generated NQVM prototype; the call to NQVM keep failing with "0xc0000005" error code.

the current generated prototype:

NTSTATUS status = NtQueryVirtualMemory(hProcess, (PVOID)p_addr, MemoryBasicInformation, &memInfo, sizeof(memInfo), &retBytes);
		
EXTERN_C NTSTATUS NtQueryVirtualMemory(
	IN HANDLE ProcessHandle,
	IN PVOID BaseAddress,
	IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
	OUT PVOID MemoryInformation,
	IN ULONG MemoryInformationLength, <====
	OUT PULONG ReturnLength OPTIONAL);

I had to change the "MemoryInformationLength" type to ULONG_PTR (unsigned long long) to get it working;

NTSTATUS status = NtQueryVirtualMemory(hProcess, (PVOID)p_addr, MemoryBasicInformation, &memInfo, sizeof(memInfo), &retBytes);
		

EXTERN_C NTSTATUS NtQueryVirtualMemory(
	IN HANDLE ProcessHandle,
	IN PVOID BaseAddress,
	IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
	OUT PVOID MemoryInformation,
	IN ULONG_PTR MemoryInformationLength, <<====
	OUT PULONG ReturnLength OPTIONAL);

OS: Windows 10
Build Number: 18363