golang implementation of Syswhisper2/Syswhisper3

Doge-Whisper

golang implementation of Syswhisper2/Syswhisper3

按系统调用地址排序获取System Service Number(SSN)即为sysid以绕过hook,

Sorting by System Call Address

dogewhisper.DWhisper() will parse the EAT of NTDLL.dll, locating all function names that begin with "Zw". 

dogewhisper.DWhisper() 将解析 NTDLL.dll 的 EAT,定位所有以“Zw”开头的函数名。

It replaces "Zw" with "Nt" before generating a hash of the function name.

它在生成函数名称的散列之前将“Zw”替换为“Nt”。

It then saves the hash and address of code stub to a table of SYSCALL_ENTRY structures. 

然后它将代码存根的哈希和地址保存到 SYSCALL_ENTRY 结构表中。

After gathering all the names, it uses a simple bubble sort of code addresses in ascending order. 

收集所有名称后,使用简单的冒泡排序代码地址按升序排列。

The SSN is the index of the system call stored in the table. 

System Service Number (SSN) 是存储在表中的系统调用的索引。

与原版的区别之一是在于生成的索引最后是存储于map中以便更快的查找。

目前采用package动态获取的方式,后续有空的话会加上和原版类似的生成用法,指定api生成一个pkg直接调用

后续会集成进gabh项目

使用方式可以借鉴一下example

Usage

package main

import (
	"fmt"
	"github.com/timwhitez/Doge-Whisper/pkg/dogewhisper"
	"syscall"
	"unsafe"
)

//需要被排除掉的api
var hookedapi = []string{"NtAllocateVirtualMemory", "NtAllocateVirtualMemoryEx"}
var hashhooked []string

//致敬原版的hash算法
var SW2_SEED = 0xA7A0175C

func SW2_ROR8(v uint32) uint32 {
	return v>>8 | v<<24
}

func SW2_HashSyscall(fname string) string {
	fn, _ := syscall.BytePtrFromString(fname)
	FunctionName := uintptr(unsafe.Pointer(fn))
	var Hash = uint32(SW2_SEED)
	for j := 0; j < len(fname); j++ {
		i := uintptr(j)
		PartialName := *(*uint16)(unsafe.Pointer(FunctionName + i))
		Hash ^= uint32(PartialName) + SW2_ROR8(Hash)
	}
	return fmt.Sprintf("%x", Hash)
}


func main() {
	// 初始化DW_SYSCALL_LIST ,SW2_HashSyscall可以换成其他加密函数
	var newWhisper = dogewhisper.DWhisper(SW2_HashSyscall)
	if newWhisper == nil {
		return
	}

  //对排除的函数进行hash化,当然你可以直接写成hash之后的list
	for _, v := range hookedapi {
		hashhooked = append(hashhooked, SW2_HashSyscall(v))
	}

  //使用初始化后的DW_SYSCALL_LIST获取NtDelayExecution的sysid
	//SW2_HashSyscall("NtDelayExecution")=4942059d
	sysid := newWhisper.GetSysid("4942059d")
	if sysid == 0 {
		return
	}

	fmt.Printf("NtDelayExecution sysid: 0x%x\n", sysid)
	var ti = -(5000 * 10000)

	//动态获取syscall;ret的地址,排除掉hashhooked列表
	callAddr := dogewhisper.GetCall("", hashhooked, SW2_HashSyscall)
	fmt.Printf("Syscall;ret Address: 0x%x\n", callAddr)

  //执行
	//Call
	r, e1 := dogewhisper.DWcall(sysid, callAddr, uintptr(0), uintptr(unsafe.Pointer(&ti)))
	if e1 != nil {
		fmt.Printf("0x%x\n", r)
		fmt.Println(e1)
	}

}

Reference

https://github.com/Crummie5/Freshycalls

https://github.com/jthuraisamy/SysWhispers2

https://github.com/klezVirus/SysWhispers3

https://github.com/C-Sto/BananaPhone

https://github.com/timwhitez/Doge-Gabh

https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

Owner
TimWhite
Offensive Security Researcher / Bug Hunter.
TimWhite
Similar Resources

Reference implementation of globaldce protocol coded in go

globaldce This is the reference implementation of the command line interface of globaldce coded in the go programming language. This project is still

Nov 15, 2021

A go language implementation of a CLI, based on input directory files

A go language implementation of a CLI, based on input directory files, using tree output of all file names, based on input database links, dynamic reading of database table information, based on input swagger files to automate the generation of the RESTFUL API.

Nov 20, 2021

An experimental AOT implementation of PHP

Trunk An experimental PHP implementation that transpiles PHP code into Go code.

Jun 2, 2022

A TUI implementation of the popular word quiz wordle!

gordle A TUI implementation of the popular word quiz Wordle! Building Build the cli command: $ go build ./cmd/cli Empty output on build success Buil

Apr 9, 2022

A Go implementation of gnu-coreutils programs

Go-Coreutils A Go implementation of gnu-coreutils programs (https://www.gnu.org/software/coreutils/manual/coreutils.html) Build and Run In the root di

Jan 15, 2022

Go-snake - Go CLI implementation of Snake game, using channels

Go-snake - Go CLI implementation of Snake game, using channels

go-snake 🐍 Go CLI implementation of Snake game, using channels. NB: this code w

May 8, 2022

Argparse for golang. Just because `flag` sucks

Golang argparse Let's be honest -- Go's standard command line arguments parser flag terribly sucks. It cannot come anywhere close to the Python's argp

Jun 25, 2022

Golang library with POSIX-compliant command-line UI (CLI) and Hierarchical-configuration. Better substitute for stdlib flag.

Golang library with POSIX-compliant command-line UI (CLI) and Hierarchical-configuration. Better substitute for stdlib flag.

cmdr cmdr is a POSIX-compliant, command-line UI (CLI) library in Golang. It is a getopt-like parser of command-line options, be compatible with the ge

Jun 28, 2022

Fully featured Go (golang) command line option parser with built-in auto-completion support.

go-getoptions Go option parser inspired on the flexibility of Perl’s GetOpt::Long. Table of Contents Quick overview Examples Simple script Program wit

Jun 15, 2022
Readline is a pure go(golang) implementation for GNU-Readline kind library
Readline is a pure go(golang) implementation for GNU-Readline kind library

A powerful readline library in Linux macOS Windows Solaris Guide Demo Shortcut Repos using readline Feedback If you have any questions, please submit

Jun 24, 2022
Simple trie based auto-completion engine implementation in golang.
Simple trie based auto-completion engine implementation in golang.

Simple auto-complete engine implementation in golang. Quick start $ git clone https://github.com/benbarron/trie-auto-completion-engine $ cd trie-auto-

Nov 28, 2021
Golang implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs

Doge-SelfDelete Golang implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs Golang 实现的文件自删除,来自@jonaslyk和@LloydLabs etc add

Jun 22, 2022
Golang implementation of Reflective load PE from memory

?? Frog For Automatic Scan ?? Doge For Defense Evasion & Offensive Security Doge-MemX Golang implementation of Reflective load PE from memory Only Sup

Jul 4, 2022
Nano API Implementation in Golang

nanoapi Nano API Implementation in GO TL;DR The idea is to create a very simple

Jan 9, 2022
An implementation of the Nano cryptocurrency protocol in golang

Go Nano An implementation of the Nano protocol written from scratch in Go (golang). About the Project A crypto currency has to be resilient to survive

Mar 21, 2022
Golisp-wtf - A lisp interpreter (still just a parser) implementation in golang. You may yell "What the fuck!?.." when you see the shitty code.

R6RS Scheme Lisp dialect interpreter This is an implementation of a subset of R6RS Scheme Lisp dialect in golang. The work is still in progress. At th

Jan 7, 2022
Doge-AddSSP - Load ssp dll golang implementation

Doge-AddSSP Load ssp dll golang implementation Administrator/System Privilege Us

Jan 21, 2022
An implementation of sed in Go. Just because!

Sed-Go An implementation of sed in Go. Just because! Status Command-Line processing: Done. It accepts '-e', '-f', '-n' and long versions of the same.

Jun 29, 2022
Reference go implementation of globalDCE protocol

globalDCE-go This is the reference implementation of the command line interface of globalDCE coded in the go programming language. This project is sti

Nov 15, 2021