Skip to content

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF)

Notifications You must be signed in to change notification settings

outflanknl/InlineWhispers

Repository files navigation

InlineWhispers

A Proof of Concept for weaponizing SysWhispers for making direct system calls in Cobalt Strike Beacon Object File.

The initial output (functions.txt and syscalls-asm.h) are created as an example for WdToggle.

Additional guidance can be found in this blog post: https://outflank.nl/blog/?p=1592

Raphael Mudge (the creator of Cobalt Strike) created a tutorial video on how to use this tool: https://www.youtube.com/watch?v=mZyMs2PP38w

What is this repository for?

Demonstrate the ability to easily use syscalls using inline assembly in BOFs.

How do I set this up?

  • (Optionally) Install SysWhispers
    • git clone https://github.com/jthuraisamy/SysWhispers.git
    • cd SysWhispers
    • pip3 install -r .\requirements.txt
    • py .\syswhispers.py --versions 7,8,10 -o syscalls was used to generate the included syscalls.asm and syscalls.h.
  • Clone this repository.
  • Update which functions are required in functions.txt to include only necessary functions from syscalls.asm.
  • Run the python InlineWhispers.py command to generate the inline assembly (syscalls-asm.h) header file.
  • Remove function definitions in Syscalls.h that are not included.
  • Include Syscalls.h in your project.

InlineWhipers

Limitations

  • The Syscalls.h header file provided includes many extern function definitions by default. This can lead to compilation without actually having the function included in your object (if not removed).
  • Inline assembly is only supported by Mingw-w64. Visual Studio does not support inline assembly.

Credits

About

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published