ShellWasp and Offensive Usage of Windows Syscalls in Shellcode

by Black Hat Middle East and Africa

Abstract

While direct syscalls on Windows have exploded in popularity, permitting offensive security tools to weaponize them to evade EDR, they have virtually never been used in shellcode, except for egghunters, a specialized shellcode that uses only one syscall. The reason syscalls historically saw little use in general, and none in shellcode, is the lack of portability: the system service number (SSN) for each syscall, which must be loaded into the EAX register before the syscall instruction executes, can change with each new OS build. Windows 10 alone has more than thirteen distinct OS builds. This research provides a novel methodology to overcome the portability problem for shellcode, and presents a novel tool, ShellWasp, which implements that solution while automating much of the work of applying it. With ShellWasp, the SSN for a particular syscall can be delivered at runtime, allowing a single syscall shellcode to work not only across multiple OS builds but across multiple operating systems. In addition to solving the research problem above, ShellWasp reduces the human labor required to construct syscall shellcode by generating a template for it, with syscall parameter types and names labeled.
