
An indirect syscall code generation utility for C/C++ Windows implants

Project description


About

Wizardcalls is a code generation utility for C/C++ based implants targeting Windows. Using wizardcalls, developers can quickly create a template containing the desired syscalls for use in an implant, via either the wizardcalls command line interface or its scripting interface.

Limitations

At this time, wizardcalls is only intended for use in Windows development environments. Linux is not currently supported, but Linux support is not off the table for the future.

Wizardcalls only supports x64-based implants at this time. x86 support could be added in the future.

Installation

Wizardcalls can be installed manually from this repository or from PyPI.

Manual Installation
git clone https://github.com/wizardy0ga/wizardcalls
pip install .\wizardcalls
Install via PyPI
pip install wizardcalls

Bugs, Feature & Other Requests

Feel free to open an issue for things like bugs and feature requests.

Documentation

Module

Using wizardcalls from the command line
Using wizardcalls in a script

Template

Using the wizardcalls source code in your implant

Tutorials

Writing an injector with wizardcalls
Writing a compilation script for the injector with wizardcalls

Basic Usage

This section describes how wizardcalls can be used by developers. Wizardcalls offers two interfaces for developer usage: a scripting interface and a command line interface. The sections below provide a brief overview of both. See the linked documentation above for more information.

Command Line

After installation, developers can interact with wizardcalls from the command line via the wizardcalls command. The image below shows the options currently available for building the template; of these, only the --syscalls argument is required. See the command line documentation for more information.

[image: help output]

Scripting

Wizardcalls offers an interface for developers to automate their implant's build routine via the WizardCalls object. More information can be found in the scripting documentation.

# Import path assumed from the package name; see the scripting documentation.
from wizardcalls import WizardCalls

WizardCalls(
    # Nt* syscalls to include in the generated template
    syscalls = [
        'NtAllocateVirtualMemory',
        'NtFreeVirtualMemory',
        'NtWriteVirtualMemory',
        'NtCreateThreadEx',
        'NtWaitForSingleObject',
    ],
    syscall_list_name      = 'pSyscallz',  # name of the generated syscall list
    hash_seed              = 10000,        # seed used when hashing syscall names
    globals                = True,
    hash_algo              = 'djb2',       # hash algorithm applied to syscall names
    randomize_jump_address = True,
    debug                  = True,
)
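The hash_seed and hash_algo parameters above configure how the generated template identifies syscalls by hashed name rather than by plaintext string. The following is an added example, my own code and not code from the wizardcalls project, showing the table such a template embeds and the check a developer wants before committing to a seed: that no two chosen names, and no other ntdll export a runtime walk would hash, collide under it. It assumes that 'djb2' is the classic h = h*33 + c hash over the name's ASCII bytes kept to 32 bits, that hash_seed replaces djb2's usual initial value of 5381, and that the generated stub resolves a syscall by walking ntdll's export names and comparing hashes; the page does not confirm any of these details, and the export list below is a constructed sample, not a real export table.

```python
"""Added example (not wizardcalls' own code): build the hash table an implant
template would embed for its syscall names and check it for collisions.

Assumptions, since the page does not document them: hash_algo='djb2' is the
classic h = h*33 + c hash over the ASCII name truncated to 32 bits, and
hash_seed replaces djb2's usual initial value of 5381.
"""
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF
DJB2_DEFAULT_SEED = 5381


def djb2(name: str, seed: int = DJB2_DEFAULT_SEED) -> int:
    """Seeded djb2 of an ASCII string, wrapped to 32 bits like a C uint32_t."""
    h = seed & MASK32
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & MASK32  # h * 33 + c, wrapping at 32 bits
    return h


def hash_table(names: List[str], seed: int) -> Dict[int, str]:
    """Map hash -> syscall name. Raises ValueError if two *different* names
    collide under this seed, which would make runtime resolution ambiguous.
    The same name listed twice is not a collision."""
    table: Dict[int, str] = {}
    for name in names:
        h = djb2(name, seed)
        if h in table and table[h] != name:
            raise ValueError(f"{name} and {table[h]} both hash to {h:#010x}")
        table[h] = name
    return table


def resolve(target_hash: int, exports: List[str], seed: int) -> Optional[str]:
    """What a hash-based stub does at runtime: walk the export names of
    ntdll.dll, hash each with the same seed and stop at the first match.
    `exports` here is a constructed list standing in for the real export table."""
    for export in exports:
        if djb2(export, seed) == target_hash:
            return export
    return None


def find_collision_free_seed(wanted: List[str], exports: List[str],
                             start: int = 10000, tries: int = 1000) -> Optional[int]:
    """First seed in [start, start + tries) under which every wanted name and
    every sampled export hashes to a distinct value, or None if none does."""
    for seed in range(start, start + tries):
        try:
            hash_table(exports + wanted, seed)
        except ValueError:
            continue  # ambiguous under this seed, try the next one
        return seed
    return None


# Constructed sample: the syscalls from the scripting example above, plus a few
# other ntdll export names a runtime walk would hash alongside them.
WANTED = ["NtAllocateVirtualMemory", "NtFreeVirtualMemory", "NtWriteVirtualMemory",
          "NtCreateThreadEx", "NtWaitForSingleObject"]
SAMPLE_EXPORTS = ["NtClose", "NtOpenProcess", "NtProtectVirtualMemory",
                  "NtQueryInformationProcess", "NtReadVirtualMemory"] + WANTED

if __name__ == "__main__":
    seed = 10000  # the hash_seed used in the scripting example
    for h, name in sorted(hash_table(WANTED, seed).items(), key=lambda kv: kv[1]):
        print(f"{h:#010x}  {name}")
    print("resolves:", resolve(djb2("NtCreateThreadEx", seed), SAMPLE_EXPORTS, seed))
    print("collision-free seed:", find_collision_free_seed(WANTED, SAMPLE_EXPORTS, seed))
```

Run it with the full ntdll export list (for example, dumped from the build machine's ntdll.dll) rather than the constructed sample to get a meaningful collision check; a 32-bit hash over a few hundred Nt* names rarely collides, but the check is cheap and a collision would silently resolve the wrong syscall at runtime.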

Download files

Download the file for your platform.

Source Distribution

wizardcalls-2.0.0.tar.gz (544.9 kB)

Uploaded Source

Built Distribution


wizardcalls-2.0.0-py3-none-any.whl (69.4 kB)

Uploaded Python 3

File details

Details for the file wizardcalls-2.0.0.tar.gz.

File metadata

  • Download URL: wizardcalls-2.0.0.tar.gz
  • Upload date:
  • Size: 544.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for wizardcalls-2.0.0.tar.gz
Algorithm    Hash digest
SHA256       e92b435dd5008c760c56c6c6fdf1273788b23687f92c6d16d7511203b0d734e6
MD5          c4f53e4e2f7836e0937d247dbfaec9ca
BLAKE2b-256  b44fcf92a2fa963a7a8eb2918a566095cee23d9c13b0db1a1fd5e3db993ff031


Provenance

The following attestation bundles were made for wizardcalls-2.0.0.tar.gz:

Publisher: publish-to-pypi.yml on wizardy0ga/WizardCalls

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file wizardcalls-2.0.0-py3-none-any.whl.

File metadata

  • Download URL: wizardcalls-2.0.0-py3-none-any.whl
  • Upload date:
  • Size: 69.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for wizardcalls-2.0.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       d0d9d4fbad32b4cf16d03cd961ad55981966904aac55ec3af7d57a5984b01686
MD5          fbe2bf7a3a3e48e1733192388a2c7cc5
BLAKE2b-256  18945b8e4c3491a1e20826b3aac05d137e01ba43112a3932499af84230d0ab0e


Provenance

The following attestation bundles were made for wizardcalls-2.0.0-py3-none-any.whl:

Publisher: publish-to-pypi.yml on wizardy0ga/WizardCalls

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
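The SHA256 digests listed for the source distribution and the wheel are what a consumer should check a downloaded release file against before installing a tool that will end up in an implant build pipeline. The following is an added example, my own code rather than anything shipped by the wizardcalls project or PyPI, that verifies a local file against those digests and emits the requirement line for pip's hash-checking mode so that pip refuses any artifact whose digest differs. The digests are copied from the two File hashes sections above; the file contents used in the demonstration are constructed.

```python
"""Added example (not from the wizardcalls project): verify a downloaded
release file against the SHA256 digests PyPI lists for wizardcalls 2.0.0,
and build the pip requirement line that pins the release to those digests."""
import hashlib
import hmac
from pathlib import Path
from typing import Dict

# Digests copied from the File hashes sections of this page.
EXPECTED_SHA256: Dict[str, str] = {
    "wizardcalls-2.0.0.tar.gz":
        "e92b435dd5008c760c56c6c6fdf1273788b23687f92c6d16d7511203b0d734e6",
    "wizardcalls-2.0.0-py3-none-any.whl":
        "d0d9d4fbad32b4cf16d03cd961ad55981966904aac55ec3af7d57a5984b01686",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Hex SHA256 of a file, streamed so large archives are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_bytes(filename: str, data: bytes,
                 expected: Dict[str, str] = EXPECTED_SHA256) -> bool:
    """True only if filename is a known release file and data's SHA256 matches.
    An unknown filename fails closed rather than being skipped."""
    want = expected.get(filename)
    if want is None:
        return False
    return hmac.compare_digest(sha256_hex(data), want)


def verify_file(path: Path, expected: Dict[str, str] = EXPECTED_SHA256) -> bool:
    """Same check for a file on disk, keyed by its basename."""
    want = expected.get(path.name)
    if want is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), want)


def hash_pinned_requirement(project: str, version: str,
                            expected: Dict[str, str] = EXPECTED_SHA256) -> str:
    """Requirement line for pip's hash-checking mode (pip install --require-hashes
    -r requirements.txt). Listing both digests lets pip accept either the sdist
    or the wheel; anything else is rejected."""
    hashes = " ".join(f"--hash=sha256:{digest}" for digest in expected.values())
    return f"{project}=={version} {hashes}"


if __name__ == "__main__":
    # Constructed stand-in content: a real download would be read from disk
    # with verify_file(Path("wizardcalls-2.0.0.tar.gz")).
    fake_download = b"not the real archive"
    print("tar.gz matches:", verify_bytes("wizardcalls-2.0.0.tar.gz", fake_download))
    print(hash_pinned_requirement("wizardcalls", "2.0.0"))
```

Only the SHA256 column is worth using: pip's hash-checking mode does not accept MD5, and MD5 has no integrity value against a deliberate substitution. The Trusted Publishing and attestation lines above say which GitHub workflow built the files; the digest check says whether the bytes you fetched are the ones that were attested.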
