#!/usr/bin/env python
# coding: utf-8
import os
import sys
from pathlib import Path
from shutil import copyfile
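def get_new_seed(path='SysWhispers2/syscalls_all.h'):
    '''Return the first line of *path* that mentions ``SW2_SEED``.

    The header generated by SysWhispers2 carries the seed it picked as a
    ``#define SW2_SEED ...`` line; the whole line is returned unchanged,
    trailing newline included, so callers can splice it straight into a
    template.

    Args:
        path: header generated by SysWhispers2, relative to the current
            working directory by default.

    Returns:
        The matching line, including its line terminator.

    Raises:
        FileNotFoundError: if *path* does not exist.
        ValueError: if no line mentions ``SW2_SEED``.  Previously this fell
            through to an implicit ``None`` and only failed later, inside
            replace_seed(), with an unrelated TypeError.
    '''
    with open(path, encoding='utf-8') as header:
        for line in header:
            if 'SW2_SEED' in line:
                return line
    raise ValueError(f'SW2_SEED not found in {path}')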
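def replace_seed(path='output/syscalls.h', seed=None):
    '''Substitute the ``$$SEED$$`` placeholder in the copied header template.

    Every line of *path* is stripped of surrounding whitespace, the
    placeholder is replaced, and the file is rewritten in place with one
    ``\\n`` per line.

    Args:
        path: header (copied from the template) to rewrite in place.
        seed: replacement text.  When None it is read via get_new_seed(),
            which returns the whole ``#define`` line including its newline;
            the placeholder line is therefore followed by one blank line,
            exactly as this script has always produced.
    '''
    if seed is None:
        seed = get_new_seed()
    # Read everything first: the same file is truncated by the write below.
    with open(path, encoding='utf-8') as header:
        rewritten = [line.strip().replace('$$SEED$$', seed) for line in header]
    with open(path, 'w', encoding='utf-8') as header:
        header.write(''.join(line + '\n' for line in rewritten))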
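def replace_extern(path='output/syscalls.h'):
    '''Attach a GCC ``asm("Name")`` label to every ``EXTERN_C NTSTATUS`` prototype.

    The SysWhispers2 header declares each function as ``EXTERN_C NTSTATUS Name(``
    followed by its parameter list and a terminating ``);`` (possibly on the
    same line).  For GCC/MinGW the terminating ``;`` is rewritten to
    `` asm("Name");`` so the prototype is bound to the symbol of that name
    defined in the inline-assembly stub header.  Lines are stripped and the
    file is rewritten in place.

    Args:
        path: header to rewrite in place.
    '''
    rewritten = []
    current_symbol = ''
    in_prototype = False
    with open(path, encoding='utf-8') as header:
        for raw in header:
            line = raw.strip()
            if 'EXTERN_C NTSTATUS' in line:
                # The symbol is whatever sits between the specifier and the
                # opening parenthesis; splitting on '(' (rather than deleting
                # the parentheses) keeps a one-line prototype's parameter text
                # out of the name.
                after_prefix = line.replace('EXTERN_C NTSTATUS', '', 1)
                current_symbol = after_prefix.split('(', 1)[0].strip()
                in_prototype = True
            if in_prototype and ';' in line:
                line = line.replace(';', f' asm("{current_symbol}");')
                # The prototype ends here; clearing the flag stops a later,
                # unrelated statement from inheriting a stale asm label.
                in_prototype = False
            rewritten.append(line)
    with open(path, 'w', encoding='utf-8') as header:
        header.write(''.join(line + '\n' for line in rewritten))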
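def _convert_stub_line(line):
    '''Translate one stripped line of the MASM stub file into its inline-asm form.

    The checks run in this fixed order and a single line may be touched by
    several of them: ``mov ecx, <hash>h`` first has its ``h`` suffix dropped
    and a ``0x`` prefix added, then, like every other ``mov``, receives the
    backslash-n / backslash line-continuation pair.  Reordering the checks
    changes the output.

    Args:
        line: one line of the stub file, already stripped.

    Returns:
        The rewritten line (without a trailing newline).
    '''
    if '.code' in line:
        line = line.replace('.code', '#pragma once\r\n#include <windows.h>\r\n\r\n#if _WIN64')
    if 'EXTERN SW2_GetSyscallNumber: PROC' in line:
        line = line.replace('EXTERN SW2_GetSyscallNumber: PROC', '')
    if 'PROC' in line:
        # "NtXxx PROC" opens a stub: emit the Zw alias and open the __asm__ block.
        func_nt = line.split(' ', 1)[0]
        func_zw = func_nt.replace('Nt', 'Zw')
        line = line.replace(f'{func_nt} PROC', f'#define {func_zw} {func_nt}\r\n__asm__("{func_nt}: \\n\\')
    if ';' in line:
        # MASM comments start at ';' and must not reach the C compiler.
        line = line.split(';', 1)[0]
    if 'sub rsp, 28h' in line:
        line = line.replace('sub rsp, 28h', 'sub rsp, 0x28').rstrip() + ' \\n\\'
    if 'add rsp, 28h' in line:
        line = line.replace('add rsp, 28h', 'add rsp, 0x28').rstrip() + ' \\n\\'
    if 'mov ecx,' in line:
        # MASM hex literal "0ABCDh" -> GAS "0x0ABCD"; the [:-1] assumes the
        # trailing "h" suffix is always present on this operand.
        line = line.replace('mov ecx, ', 'mov ecx, 0x').rstrip()[:-1]
    # The four mnemonics are mutually exclusive prefixes, so one check is
    # equivalent to the four the original had.
    if line.startswith(('call', 'mov', 'syscall', 'ret')):
        line = line.rstrip() + ' \\n\\'
    if 'ENDP' in line:
        line = '");'
    if line.startswith('end'):
        line = '#endif'
    return line


def create_asm_file(src='SysWhispers2/syscalls_all_stubs.asm', dst='output/syscalls-asm.h'):
    '''Rewrite the SysWhispers2 MASM stub file as a GCC inline-assembly header.

    Each line of *src* is stripped, run through _convert_stub_line() and the
    results are written to *dst* joined with LF.  Some replacements embed
    CR-LF pairs; they are written through text mode as the original did
    (on Windows text mode would expand them further - kept unchanged here).

    Args:
        src: MASM stub file produced by SysWhispers2 (``--preset all``).
        dst: header to create or overwrite.
    '''
    with open(src, encoding='utf-8') as stubs:
        converted = [_convert_stub_line(line.strip()) for line in stubs]
    with open(dst, 'w', encoding='utf-8') as header:
        header.write(''.join(line + '\n' for line in converted))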
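if __name__ == '__main__':
    # Entry point: convert the SysWhispers2 output found in ./SysWhispers2
    # into the GCC-flavoured sources under ./output.
    # The banner literals rely on Python keeping unrecognised escapes such
    # as "\_" and "\|" verbatim; recent interpreters warn about them but
    # print the same text, so they are left exactly as written.
    print(".___ .__ .__ __ __.__ .__ ________ ")
    print("| | ____ | | |__| ____ ____/ \ / \ |__ |__| ____________ ___________ _____\_____ \ ")
    print("| |/ \| | | |/ \_/ __ \ \/\/ / | \| |/ ___/\____ \_/ __ \_ __ \/ ___// ____/ ")
    print("| | | \ |_| | | \ ___/\ /| Y \ |\___ \ | |_> > ___/| | \/\___ \/ \ ")
    print("|___|___| /____/__|___| /\___ >\__/\ / |___| /__/____ >| __/ \___ >__| /____ >_______ \\")
    print(" \/ \/ \/ \/ \/ \/ |__| \/ \/ \/")
    print("\r\nSh0ckFR - https://twitter.com/Sh0ckFR\r\n")
    if not os.path.isdir('SysWhispers2') or not os.path.isfile('SysWhispers2/syscalls_all.h'):
        print('[ERROR] SysWhispers2 not present:\r\n')
        print('git clone https://github.com/jthuraisamy/SysWhispers2')
        print('cd SysWhispers2/ && python3 syswhispers.py --preset all -o syscalls_all && cd ..\r\n')
        # A missing prerequisite is a failure: exit non-zero so a calling
        # shell or CI step does not mistake it for success (was exit 0).
        sys.exit(1)
    # Create output directory with the new templates
    Path('output').mkdir(parents=True, exist_ok=True)
    copyfile('syscalls.c.template', 'output/syscalls.c')
    copyfile('syscalls.h.template', 'output/syscalls.h')
    # Replace SEED of the new template by the SEED generated by Syswhispers2
    replace_seed()
    # Replace EXTERN_C in syscalls.h (must run after the template copy above)
    replace_extern()
    # Create asm stub with the correct syscalls format
    create_asm_file()
    print("Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls")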