A proof of concept for weaponizing SysWhispers to make direct system calls from a Cobalt Strike Beacon Object File (BOF).
The included functions.txt and syscalls-asm.h were generated as an example for WdToggle.
Additional guidance can be found in this blog post: https://outflank.nl/blog/?p=1592
Raphael Mudge (the creator of Cobalt Strike) created a tutorial video on how to use this tool: https://www.youtube.com/watch?v=mZyMs2PP38w
Goal: demonstrate how direct syscalls can be used from BOFs with little effort by embedding the SysWhispers stubs as inline assembly.
- (Optionally) Install SysWhispers and generate the stubs. The following commands were used to generate the included syscalls.asm and syscalls.h:

```
git clone https://github.com/jthuraisamy/SysWhispers.git
cd SysWhispers
pip3 install -r .\requirements.txt
py .\syswhispers.py --versions 7,8,10 -o syscalls
```
- Clone this repository.
- Update functions.txt so that it lists only the functions from syscalls.asm that your BOF actually needs.
- Run `python InlineWhispers.py` to generate the inline assembly header file (syscalls-asm.h).
- Remove the function definitions from Syscalls.h that are not included in functions.txt.
- Include Syscalls.h in your project.
- The Syscalls.h header file provided includes many extern function definitions by default. If the unused ones are not removed, a BOF that calls such a function still compiles, even though the corresponding stub was never included in your object; the missing symbol only shows up when the BOF is loaded.
- Inline assembly is only supported by Mingw-w64. The Visual Studio x64 compiler does not support inline assembly.
- The assembly code used within this tool is based on the assembly output of the SysWhispers tool by @Jackson_T.
- Everyone credited in SysWhispers.