SysWhispers3: AV/EDR evasion via direct system calls

AV/EDR evasion

SysWhispers3

SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls.

Why on earth didn’t I create a PR to SysWhispers2?

The reason for SysWhispers3 to be a standalone version are many, but the most important are:

  • SysWhispers3 is the de-facto “fork” used by Inceptor, and implements some utils class which are not relevant to the original version of the tool.
  • SysWhispers2 is moving towards supporting NASM compilation (for gcc/mingw), while this version is specifically designed and tested to support MSVC (because Inceptor will stay a Windows-only framework for the near future).
  • SysWhispers3 contains partially implemented features (such as egg-hunting) which would not be sensible to include in the original version of the tool.

Differences with SysWhispers2

The usage is pretty similar to SysWhispers2, with the following exceptions:

  • It also supports x86/WoW64
  • It supports syscalls instruction replacement with an EGG (to be dynamically replaced)
  • It supports direct jumps to syscalls in x86/x64 mode (in WOW64 it’s almost standard)
  • It supports direct jumps to random syscalls (borrowing @ElephantSeal’s idea)

Introduction

Security products, such as AVs and EDRs, usually place hooks in user-mode API functions to analyse a program execution flow, in order to detect potentially malicious activities.

SysWhispers2 is a tool designed to generate header/ASM pairs for any system call in the core kernel image (ntoskrnl.exe), which can then be integrated and called directly from C/C++ code, evading user-lands hooks.

The tool, however, generates some patters which can be included in signatures, or behaviour which can be detected at runtime.

SysWhispers3 is built on top of SysWhispers2, and integrates some helpful features to bypass these forms of detection.

Install & Use

Copyright 2019 Jackson T.