Mordor Rs Save Abandoned
Rusty Syscalls - A direct or indirect Syscall library in Rust using the FreshyCalls/SysWhispers technique
Project README
Syscalls - A direct or indirect Syscall library in Rust
The Rust version of Freshycalls or Syswhispers 1 or 2 or 3 diverges in its approach from the C/C++/Python versions. While it shares similar techniques, this project doesn't generate header/ASM files or output like them. Instead, it functions as a library. Inspired by a friend @janoglezcampos (@httpyxel), I created this project to explore the FreshyCalls/SysWhispers technique that rust_syscalls doesn't employ.
Usage
- Add the library to your Rust
Cargo.tomlfile by setting the git repository or local path and choosing the direct or indirect system call feature by setting_DIRECT_or_INDIRECT_as a feature. Please note you can only choose direct_DIRECT_or_INDIRECT_not both.
[dependencies]
syscalls = { path = "../syscalls-rs/syscalls", features = ["_DIRECT_"] }
[dependencies]
syscalls = { path = "../syscalls-rs/syscalls", features = ["_INDIRECT_"] }
- Make use of the library
use syscalls;
- Dynamically retrieve the
SSNand/orsyscallinstruction fromntdll.dlleven if functions are hooked and call any function using direct and/or indirectsyscall. Note that when calling a function using thesyscallmacro the string will be obfuscated by hashing (NtClosein this example).
unsafe { syscall!("NtClose", process_handle) };
References and Credits
- https://github.com/am0nsec/HellsGate - smelly__vx (@RtlMateusz) and Paul Laîné (@am0nsec)
- https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
- https://blog.sektor7.net/#!res/2021/halosgate.md - @Reenz0h / @SEKTOR7net
- https://github.com/trickster0/TartarusGate (trickster0 / @trickster012)
- https://trickster0.github.io/posts/Halo's-Gate-Evolves-to-Tartarus-Gate/
- https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ @KlezVirus
- https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ - @modexpblog
- https://github.com/janoglezcampos/rust_syscalls/ - @httpyxel
- https://kylemistele.medium.com/a-beginners-guide-to-edr-evasion-b98cc076eb9a - @AliceCliment
- https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/
- https://github.com/crummie5/FreshyCalls - @ElephantSe4l
- https://github.com/jthuraisamy/SysWhispers - @Jackson_T
- https://github.com/jthuraisamy/SysWhispers2 - @Jackson_T
- https://github.com/klezVirus/SysWhispers3 - @klezVirus
Open Source Agenda is not affiliated with "Mordor Rs" Project. README Source: memN0ps/syscalls-rs
Stars
212
Open Issues
0
Last Commit
10 months ago
License
Open Source Agenda Badge
