
InlineWhispers3

InlineWhispers3 is an updated version of InlineWhispers2, designed to work with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOFs) using SysWhispers3. The tool rewrites the files generated by SysWhispers3 so that they are BOF compatible.

How to set this up and run this?

  1. Clone the repo to your device
  2. Generate stubs with SysWhispers3
  3. Make SysWhispers3 output BOF compatible

See commands:

git clone https://github.com/tdeerenberg/InlineWhispers3 && cd InlineWhispers3
cd SysWhispers3/ && python3 syswhispers.py -p all -a x64 -m jumper -o syscalls_all && cd ..
python3 InlineWhispers3.py --aio

This generates the required syscalls.c/h files and then runs InlineWhispers3 to make the files compatible with BOFs.

At the time of writing, the latest SysWhispers3 commit, 31cfc93 from Dec 23, 2023, is used.

The --aio flag is optional: it merges all output files into a single .h file (syscalls-aio.h), which can be used instead of the separate syscalls.c, syscalls.h, and syscalls-asm.h.

How to use indirect syscalls in your BOF

Copy syscalls.h, syscalls.c, and syscalls-asm.h (or only syscalls-aio.h) into your project and #include syscalls.c (or syscalls-aio.h) in your C code to start using the syscalls.

An example BOF for reference (creates a new process using NtCreateProcessEx):

#include <windows.h>
#include "beacon.h"
#include "syscalls.c"   /* or "syscalls-aio.h" when generated with --aio */

void go(char* args, int length) {
    HANDLE hProcess;
    /* OBJECT_ATTRIBUTES is defined by the SysWhispers3 header; only Length is set */
    OBJECT_ATTRIBUTES oa = {sizeof(oa)};

    /* Sw3Nt* wrappers are the indirect-syscall stubs generated by SysWhispers3.
       (HANDLE)-1 is the pseudo-handle for the current process, used as parent. */
    NTSTATUS status = Sw3NtCreateProcessEx(&hProcess, PROCESS_ALL_ACCESS, &oa,
        (HANDLE)(LONG_PTR)-1, 0, NULL, NULL, NULL, 0);

    if (status == 0) {   /* STATUS_SUCCESS */
        BeaconPrintf(CALLBACK_OUTPUT, "[+] NtCreateProcessEx successful");
    } else {
        BeaconPrintf(CALLBACK_ERROR, "[-] NtCreateProcessEx failed: 0x%X\n", status);
        return;
    }
}

Credits

  • @klezVirus for SysWhispers3
  • @Sh0ckFR for InlineWhispers2
  • @outflanknl for the first version of InlineWhispers and their informative blog post about it
  • The Cyber Security Community for all the articles and resources