
GetRektBoy724 / TripleS

Licence: other
Extracting Syscall Stub, Modernized

Programming Languages

C#

Projects that are alternatives of or similar to TripleS

inceptor
Template-Driven AV/EDR Evasion Framework
Stars: ✭ 730 (+1331.37%)
Mutual labels:  av-evasion, red-teaming
InlineWhispers2
Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
Stars: ✭ 156 (+205.88%)
Mutual labels:  syscall, red-teaming
Redelk
Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
Stars: ✭ 1,692 (+3217.65%)
Mutual labels:  red-teaming
AlanFramework
A C2 post-exploitation framework
Stars: ✭ 405 (+694.12%)
Mutual labels:  red-teaming
Pluto
A manual system call library that supports functions from both ntdll.dll and win32u.dll
Stars: ✭ 96 (+88.24%)
Mutual labels:  syscall
Defeat-Defender-V1.2
Powerful batch script to dismantle complete windows defender protection and even bypass tamper protection ..Disable Windows-Defender Permanently....Hack windows. POC
Stars: ✭ 885 (+1635.29%)
Mutual labels:  av-evasion
hackarsenaltoolkit
Hacking arsenal. This script download the latest tools, wordlists, releases and install common hacking tools
Stars: ✭ 39 (-23.53%)
Mutual labels:  red-teaming
moonwalk
Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. 👻🐚
Stars: ✭ 544 (+966.67%)
Mutual labels:  red-teaming
palinka c2
Just another useless C2 occupying space in some HDD somewhere.
Stars: ✭ 14 (-72.55%)
Mutual labels:  red-teaming
rlimit
Resource limits
Stars: ✭ 13 (-74.51%)
Mutual labels:  syscall
libmem
Advanced Game Hacking Library for C/C++, Rust and Python (Windows/Linux/FreeBSD) (Process/Memory Hacking) (Hooking/Detouring) (Cross Platform) (x86/x64/ARM/ARM64) (DLL/SO Injection) (Internal/External)
Stars: ✭ 336 (+558.82%)
Mutual labels:  syscall
SyscallExtractorAnalyzer
This script will pull and analyze syscalls in given application(s) allowing for easier security research purposes
Stars: ✭ 19 (-62.75%)
Mutual labels:  syscall
SharpUnhooker
C# Based Universal API Unhooker
Stars: ✭ 255 (+400%)
Mutual labels:  av-evasion
JALSI
JALSI - Just Another Lame Shellcode Injector
Stars: ✭ 29 (-43.14%)
Mutual labels:  red-teaming
Hack Tools
The all-in-one Red Team extension for Web Pentester 🛠
Stars: ✭ 2,750 (+5292.16%)
Mutual labels:  red-teaming
Malleable-C2-Profiles
Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike & Empire.
Stars: ✭ 168 (+229.41%)
Mutual labels:  red-teaming
Commando Vm
Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution. [email protected]
Stars: ✭ 5,030 (+9762.75%)
Mutual labels:  red-teaming
EVA2
Another version of EVA using anti-debugging techs && using Syscalls
Stars: ✭ 223 (+337.25%)
Mutual labels:  syscall
WiCrackFi
Python Script to help/automate the WiFi hacking exercises.
Stars: ✭ 61 (+19.61%)
Mutual labels:  red-teaming
LAZYPARIAH
A tool for generating reverse shell payloads on the fly.
Stars: ✭ 121 (+137.25%)
Mutual labels:  red-teaming

TripleS - Extracting Syscall Stub, Modernized

TripleS or 3S is short for Syscall Stub Stealer. It freshly "steals" syscall stubs straight from the on-disk copy of ntdll. You can use TripleS for evading userland hooks placed by EDRs/AVs. TripleS doesn't invoke any unmanaged API; it's all .NET managed functions. I should rename this program though, since it doesn't use stubs anymore (v4); instead, it only collects syscall IDs.

Usage

  1. Create a new instance of TripleS
TripleS syscallstealer = new TripleS();
  2. Prepare gate space
bool result = syscallstealer.PrepareGateSpace();
if (!result) {
    Console.WriteLine("Failed to prepare gate space!");
    return;
}
  3. Collect all the syscalls
syscallstealer.CollectAllSyscalls(); // the syscall information will be stored on the TripleS object
if (!syscallstealer.IsSyscallReady) {
    Console.WriteLine("Failed to collect syscall!");
    return;
}
  4. Initialize the delegates
NTAVMDelegate NTAVM = (NTAVMDelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTAVMDelegate));
NTCTEDelegate NTCTE = (NTCTEDelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTCTEDelegate));
NTPVMDelegate NTPVM = (NTPVMDelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTPVMDelegate));
NTWFSODelegate NTWFSO = (NTWFSODelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTWFSODelegate));
  5. Use it!
IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for the current process
IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
IntPtr AllocationAddress = new IntPtr();
IntPtr ZeroBitsThatZero = IntPtr.Zero;
UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
Console.WriteLine("[*] Allocating memory...");
syscallstealer.Gate(NTAVMHash); // don't forget to set the gate to your destination function ;)
NTAVM(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);

If you're still confused, you can take a look at the Main function of the UsageExample class; it's a local shellcode injector function with TripleS implemented. This code uses C# 5, so it can be compiled with the built-in CSC from Windows 10.

Note

  • If you want to copy the code, please don't forget to credit me.
  • GitHub doesn't like my Sublime Text indentation settings, so if you see some "weirdness" in the indentation, I'm sorry.