SysPlant - Your syscall factory
Project description
..:: SysPlant ::..
Your Syscall Factory (feat. Canterlot's Gate)
SysPlant is a small implementation in NIM of the currently known syscall hooking methods. It currently supports following gates:
- Hell's Gate : Lookup syscall by first opcodes
- Halos's Gate : Lookup syscall by first opcodes and search nearby if first instruction is a JMP
- Tartarus' Gate : Lookup syscall by first opcodes and search nearby if first or third instruction is a JMP
- FreshyCalls : Lookup syscall by name (start with Nt and not Ntdll), sort addresses to retrieve syscall number
- SysWhispers2 : Lookup syscall by name (start with Zw), sort addresses to retrieve syscall number
- Canterlot's Gate ! :unicorn: :rainbow: (from an initial idea of MDSEC article) but who was missing a pony name : Lookup syscall using Runtime Exception Table (sorted by syscall number) and detect padding to syscall instruction for random jumps.
- Custom Allows you to choose a generation method, a syscall resolver (basic / random) and a syscall stub (direct / indirect). Careful: some combinations means nothing so it won't work (eg: freshy iterator + random resolver + indirect stub => as Freshy return back the syscall stub entry address, your syscall number will be rewrite by a random one)
Note: You can also generate your own combinations using the proper options... But be careful some options might not work or even make sense
:warning: DISCLAIMER Please only use this tool on systems you have permission to access. Usage is restricted to Pentesting or Education only. All credits are based on my own research, please feel free to claim any method if I made mistakes...
Introduction
This personal project aims to be a simple tool to better understand & generate different syscall retrieval methods, and being able to play with direct / indirect syscall stub. The first goal was to get my hands into NIM and then it overflow :wink: ...
SysPlant has been developped for Linux users, some stuff might be broken within Windows or Mac. PR are welcome if you found anything that does not work as expected.
Installation
Requirements: Pyton 3.8+
This is a python project that will generate NIM/C/etc... source code (bit weird hu ?! :grin:). So you can use it inside your python project as an external module or directly on your device as a tool.
As a Python module
If you are using standard pip3 package manager
pip3 install sysplant
If you are more inclined to use virtual environments (you should!) this project is based on Poetry virtual env.
poetry add sysplant
As a single tool
Install the project as you would do for any GitHub project
git clone https://github.com/x42en/sysplant && cd sysplant
poetry shell
poetry install
./main.py -h
Help
This tool comes with various options that should be self-explanatory using the standard -h
flag
$ ./main.py -h
usage: main.py [-h] [--debug | --verbose | --quiet] {list,generate} ...
..:: SysPlant - Your Syscall Factory ::..
positional arguments:
{list,generate}
optional arguments:
-h, --help show this help message and exit
Output options:
--debug Display all DEBUG messages upon execution
--verbose Display all INFO messages upon execution
--quiet Remove all messages upon execution
By now only two actions are supported list
(that will parse file or directory to find NtFunction usage) and generate
that will generate a syscall hooking file to import into your project
List action
In order to use the list action you could check the associated help ./main.py list -h
$ ./main.py list -h
usage: main.py list [-h] path
positional arguments:
path Path to search for NtFunction, could be a file or a directory
optional arguments:
-h, --help show this help message and exit
Generate action
In order to use the generate action you could check the associated help ./main.py generate -h
$ ./main.py generate -h
usage: main.py generate [-h] [-x86 | -wow | -x64] [-p {all,donut,common} | -f FUNCTIONS] [-x] -o OUTPUT {hell,halo,tartarus,freshy,syswhispers,canterlot,custom} ...
positional arguments:
{hell,halo,tartarus,freshy,syswhispers,canterlot,custom}
optional arguments:
-h, --help show this help message and exit
-x, --scramble Randomize internal function names to evade static analysis
-o OUTPUT, --output OUTPUT
Output path for NIM generated file
Architecture options:
-x86 Set mode to 32bits
-wow Set mode to WoW64 (execution of 32bits on 64bits)
-x64 Set mode to 64bits (Default True)
Syscall options:
-p {all,donut,common}, --preset {all,donut,common}
Preset functions to generate (Default: common)
-f FUNCTIONS, --functions FUNCTIONS
Comma-separated functions
If you choose the custom
generation method, some precise options apply:
$ ./main.py generate custom -h
usage: main.py generate custom [-h] [-i {hell,halo,tartarus,freshy,syswhispers,canterlot}] [-r {basic,random}] [-s {direct,indirect}]
optional arguments:
-h, --help show this help message and exit
-i {hell,halo,tartarus,freshy,syswhispers,canterlot}, --iterator {hell,halo,tartarus,freshy,syswhispers,canterlot}
Select syscall iterator (Default: canterlot)
-r {basic,random}, --resolver {basic,random}
Select syscall resolver (Default: basic)
-s {direct,indirect}, --stub {direct,indirect}
Select syscall stub (Default: indirect)
Usage
Here are some usage examples that will generate common NtFunctions only. This tool is not restricted to them, please READ THE DOC
Hell's Gate generation
$ ./main.py generate -o syscall.nim hell
Halo's Gate generation
$ ./main.py generate -o syscall.nim halo
Tartarus's Gate generation
$ ./main.py generate -o syscall.nim tartarus
FreshyCall generation
$ ./main.py generate -o syscall.nim freshy
Syswhispers2 like generation
$ ./main.py generate -o syscall.nim syswhispers
Canterlot's Gate generation
$ ./main.py generate -o syscall.nim canterlot
Custom generation
$ ./main.py generate -o syscall.nim custom -i canterlot -r random -s indirect
Example
A simple example (launching calc.exe) is accessible using inject.nim
.
- Be sure to install winim library first:
nimble install winim
- Generate the
syscall.nim
file with./main.py -o example/syscall.nim canterlot
- Compile the injection template file with
nim c -d=release -d=danger -d=strip --opt=size -d=mingw --app=console --cpu=amd64 --out=app.exe example/inject.nim
on Linux (be sure to have mingw installed) - Copy the
app.exe
generated on your Windows device.
Happy Hacking :beach: !
Credits
Massive shout-out to these useful projects that helps me during this journey, or individuals for their reviews
- @alice blogpost about syscalls techniques
- @redops blogpost about direct vs indirect syscalls
- @Jackson_T & @modexpblog for Syswhispers2
- @klezvirus for syswhispers3
:construction: TODO
This project is really in WIP state...
Some PR & reviews are more than welcome :tada: !
- Add internal names randomization
- Setup documentation
- [-] Add some tests
- Add x86 support
- Add WoW64 support
- Setup C templates
- Setup Go templates
- Setup Rust? templates
License
This project is licensed under the MIT License, for individuals only. If you want to integrate this work in your commercial project please contact me through 0x42en[at]gmail.com
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.