Bw3ll / ShellWasp

ShellWasp is a tool to help build shellcode that utilizes Windows syscalls, while overcoming the portability problem associated with Windows syscalls. ShellWasp is built for 32-bit, WoW64. ShellWasp 2.0 includes novel ways to invoke the syscall in WoW64.
MIT License

a little question about meaning of this project #4

Closed ybdt closed 7 months ago

ybdt commented 1 year ago

Please, what is the meaning of syscalls in shellcode: purely for study, or is there some other practical meaning?

Bw3ll commented 1 year ago

The intent is for people to use the tool to help them write shellcode with Windows syscalls in it. The dominant form is using WinAPIs, and there are a lot of courses and information out there on that. Unfortunately, things are very different when writing shellcode with Windows syscalls exclusively (or just mixing them in with WinAPIs). I have done a few conference presentations on this, and I have had some shellcodes with as many as 10 syscalls to achieve one advanced, malicious functionality.

What is the meaning of syscall in shellcode? It is just an alternative way, which could provide greater stealth and make it harder to detect. As with any shellcode, it will involve writing in Assembly.

ybdt commented 1 year ago

OK, thanks for your reply. In fact, what I mean is "what's the meaning of syscalls in shellcode for AV/EDR evasion?" As I know, encrypting shellcode can bypass most AV/EDR; is there any AV/EDR that will detect whether shellcode uses WinAPI or syscalls?

Bw3ll commented 1 year ago

As you say, it can bypass most AV/EDR. If you want to take it to the next level, avoiding WinAPIs altogether is one way to go. One argument could be that Windows syscalls are too hard or too time consuming, but that is all relative. With greater experience that time cost and lack of familiarity go away. They still won't ever be quite the same as WinAPIs, due to the limited number of them, but where there is a will, there is a way.

Ultimately, this is a Windows syscall tool for shellcode, not one for Windows APIs. I have had a student write one for WinAPI but not publish it. To each their own. This tool will help you if you want to build Windows syscall shellcode.

As to your last question, I'm not sure I follow: is there one that distinguishes whether it is syscall shellcode or WinAPI shellcode? I wouldn't think it would care about that distinction. But, ultimately, you can write a hook for any WinAPI you so desire. That becomes harder for Windows syscalls (especially some of the alternative ways of invoking them provided with this project), but it still could be possible.

To me there is nothing inherently weird about writing Windows syscalls for shellcode, since I have done a number of them, but you do have to think about it differently and recognize some possible limitations vs. WinAPIs. That is, something could be "harder" to do.