
Comments (3)

Bw3ll avatar Bw3ll commented on July 20, 2024

The intent is for people to use the tool to help them write shellcode with Windows syscalls in them. The dominant form is using WinAPIs, and there are a lot of courses and information out there on that. Unfortunately, things are very different with writing shellcode with Windows syscalls exclusively (or just mixing them in with WinAPIs). I have done a few conference presentations on this, and I have had some shellcodes with as many as 10 syscalls to achieve one advanced, malicious functionality.

What is the meaning of syscall in shellcode? It is just an alternative way, which could provide greater stealth and make it harder to detect. As with any shellcode, it will involve writing in Assembly.

from shellwasp.

ybdt avatar ybdt commented on July 20, 2024

OK, thanks for your reply. In fact, what I mean is "what's the meaning of syscall in shellcode with regard to AV/EDR evasion?" As I know, encrypting shellcode can bypass most AV/EDR; is there any other AV/EDR that will detect whether shellcode is WinAPI or syscall?


Bw3ll avatar Bw3ll commented on July 20, 2024

As you say, it can bypass most AV/EDR. If you want to take it to the next level, avoiding WinAPIs altogether is one way to go.
One argument could be that Windows syscalls are too hard or too time consuming, but that is all relative. With greater experience, that time and lack of familiarity go away. They still won't ever be quite the same as WinAPIs, due to the limited number of them, but where there is a will, there is a way.

Ultimately, this is a Windows syscall tool for shellcode, not one for Windows APIs. I have had a student write one for WinAPI but not publish it. To each their own. This tool will help you if you want to build Windows syscall shellcode.

As to your last question, I'm not sure I follow: is there one that distinguishes whether it is syscall shellcode or WinAPI? I wouldn't think it would care about that distinction. But, ultimately, you can write a hook for any WinAPI you so desire. That becomes harder for Windows syscalls (especially some of the alternative ways of invoking them provided with this project), but it still could be possible.

To me there is nothing inherently weird about writing Windows syscalls for shellcode, since I have done a number, but you do have to think about it differently and recognize some possible limitations vs. WinAPIs. That is, something could be "harder" to do.
