
TripleS - Extracting Syscall Stub, Modernized

TripleS or 3S is short for Syscall Stub Stealer. It freshly "steals" the syscall stub straight from the disk. You can use TripleS for evading userland hooks from EDRs/AVs. TripleS doesn't invoke any unmanaged API; it's all .NET managed functions. I can't say that it's better than D/Invoke's GetSyscallStub, but in my opinion, it's better. Anyway, I suck at writing descriptions, so if you have any questions, you can DM me on Discord.

Story

I have always hated the idea of hard-coding the syscall stub in our malware, because syscalls are version dependent, and it's kind of complicated to implement in your code. After I learned that D/Invoke has a function to get the syscall stub from the disk, I challenged myself: can I make one too? And can I make it even better? Well, this is the result of that challenge.

Usage

  1. Create a new instance of TripleS:

     TripleS syscallstealer = new TripleS();

  2. Steal the syscall stubs that you want (you can steal more syscalls later on without creating a new instance):

     string[] requiredSyscalls = { "NtProtectVirtualMemory", "NtAllocateVirtualMemory", "NtCreateThreadEx", "NtWaitForSingleObject" };
     syscallstealer.StealSyscallStub(requiredSyscalls);

  3. Use the syscall stub while it's hot (don't forget to prepare the delegate ;) ):

     NTAVM fSyscallNTAVM = (NTAVM)Marshal.GetDelegateForFunctionPointer(syscallstealer.StubAddressTable["NtAllocateVirtualMemory"], typeof(NTAVM));
     NTPVM fSyscallNTPVM = (NTPVM)Marshal.GetDelegateForFunctionPointer(syscallstealer.StubAddressTable["NtProtectVirtualMemory"], typeof(NTPVM));
     NTCTE fSyscallNTCTE = (NTCTE)Marshal.GetDelegateForFunctionPointer(syscallstealer.StubAddressTable["NtCreateThreadEx"], typeof(NTCTE));
     NTWFSO fSyscallNTWFSO = (NTWFSO)Marshal.GetDelegateForFunctionPointer(syscallstealer.StubAddressTable["NtWaitForSingleObject"], typeof(NTWFSO));

If you are still confused, you can take a look at the main function of the UsageExample class; it's a local shellcode injector function with TripleS implemented. This code uses C# 5, so it can be compiled with the built-in CSC from Windows 10.


Note

  • If you want to copy the code, please don't forget to credit me.
  • GitHub doesn't like my Sublime indentation settings, so don't roast me please.

Contributors

getrektboy724
