SysWhispers2: AV/EDR evasion via direct system calls

by do son · Published January 4, 2021 · Updated January 4, 2021

SysWhispers2

SysWhispers helps with AV/EDR evasion by generating header/ASM files implants can use to make direct system calls.

All core syscalls are supported and example generated files available in the example-output/ folder.

Difference Between SysWhispers 1 and 2

The usage is almost identical to SysWhispers1 but you don’t have to specify which versions of Windows to support. Most of the changes are under the hood. It no longer relies on @j00ru‘s syscall tables and instead uses the “sorting by system call address” technique popularized by @modexpblog. This significantly reduces the size of the syscall stubs.

The specific implementation in SysWhispers2 is a variation of @modexpblog’s code. One difference is that the function name hashes are randomized on each generation. @ElephantSe4l, who had published this technique earlier, has another implementation based in C++17 which is also worth checking out.

The original SysWhispers repository is still up but maybe deprecated in the future.

Introduction

Various security products place hooks in user-mode API functions which allow them to redirect execution flow to their engines and detect suspicious behavior. The functions in ntdll.dll that make the syscalls consist of just a few assembly instructions, so re-implementing them in your own implant can bypass the triggering of those security product hooks. This technique was popularized by @Cn33liz and his blog post has more technical details worth reading.

SysWhispers provides red teamers the ability to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe). The headers will also include the necessary type of definitions.