Skip to content

Direct Syscall in Windows Meterpreter #777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Direct Syscall in Windows Meterpreter #777

wants to merge 8 commits into from

Conversation

dledda-r7
Copy link
Contributor

@dledda-r7 dledda-r7 commented Oct 8, 2025
edited
Loading

This is an initial work to have direct syscall working in metsrv.

TODO:

  • Make standard wrappers for all the other meterpreter functions
  • Expose the Zw Functions on met_api
  • Add more syscalls! (maybe?)
Migration with Direct Syscall 
DebugString: "[1384] [MIGRATE] Attempting to migrate. ProcessID=1708, Arch=x64"
DebugString: "[1384] [MIGRATE] Attempting to migrate. PayloadLength=291840 StubLength=317"
DebugString: "[1384] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFF82EAE4E0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2"
DebugString: "[1384] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0"
DebugString: "[1384] [MIGRATE] Got SeDebugPrivilege!"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpWinApiSyscalls = 00000000005ECC90"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECD00; dwCryptedHash = 00000000D33D4AED"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005EC960; dwCryptedHash = 00000000F0D09D60"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005EC9B0; dwCryptedHash = 00000000C5D0A4C2"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECA00; dwCryptedHash = 000000003DEFA5C2"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECA50; dwCryptedHash = 00000000BC3F4D89"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECAA0; dwCryptedHash = 000000004FD39C92"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECAF0; dwCryptedHash = 00000000DE63B5C3"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 00007FFF82F0D7E8, dwSyscallNr: 24"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 00007FFF82F0D9A8, dwSyscallNr: 38"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00007FFF82F0DC28, dwSyscallNr: 58"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 00007FFF82F0DCC8, dwSyscallNr: 63"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 00007FFF82F0DEE8, dwSyscallNr: 80"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 00007FFF82F0D948, dwSyscallNr: 35"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00007FFF82F0D8A8, dwSyscallNr: 30"
DebugString: "[1384] [WINAPI][winapi_kernel32_OpenProcess] Syscall ZwOpenProcess returned: 0"
DebugString: "[1384] [MIGRATE] creating the configuration block"
DebugString: "[1384] [CONFIG] preparing the configuration"
DebugString: "[1384] [CONFIG] Allocating 1036 bytes for transport, total of 1604 bytes"
DebugString: "[1384] [CONFIG] Comms handle set to 00000000000001A4"
DebugString: "[1384] [CONFIG] Total of 1614 bytes located at 0x00000000005D9800"
DebugString: "[1384] [MIGRATE] Config of 1614 bytes stashed at 0x00000000005D9800"
DebugString: "[1384] [MIGRATE] Duplicated Event Handle: 0x3d4"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate stub: 0x000002C991350000 -> 317 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate context: 0x000002C99135013D -> 388 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate payload: 0x000002C9913502C1 -> 291840 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Configuration: 0x000002C9913976C1 -> 1614 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFF82EAE4E0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2"
DebugString: "[1384] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: 00007FFF82F0D800 NtQueryObject: 00007FFF82F0D6E0"
DebugString: "[1384] [INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: 00007FFF82F10930"
DebugString: "[1384] [INJECT][inject_via_poolparty] using: poolparty_stub_x64"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty] ctx [000002C9913A0112] lpStartAddress: 000002C991350000 lpParameter 000002C99135013D hTriggerEvent 00000000000003E0"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty] Attempting injection with variant POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000025FA3A0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 00000000C0000004"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] HeapReAlloc lpProcessInfo: 00000000025FA3A0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 0000000000000000"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000025FA3A0 dwInformationSizeIn: 9936"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpObjectInfo: 00000000025FCAA0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] hHijackHandle: 00000000000003AC"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty][remote_tp_wait_insertion] ZwSetIoCompletion: 0"
DebugString: "[1384] [INJECT] inject_via_poolparty: injected!"
DebugString: "[1384] [INJECT] inject_via_poolparty: Sending a migrate response..."
DebugString: "[1384] [TRANSMIT] Sending packet to the server"

@dledda-r7 dledda-r7 marked this pull request as ready for review October 16, 2025 15:11
@dledda-r7 dledda-r7 changed the title WIP: Direct Syscall in Windows Meterpreter Direct Syscall in Windows Meterpreter Oct 16, 2025
@msutovsky-r7 msutovsky-r7 self-assigned this Oct 17, 2025
dledda-r7
dledda-r7 commented Oct 17, 2025
View reviewed changes
c/meterpreter/source/metsrv/libloader.c
ViewUnmap = 2
} SECTION_INHERIT;

#ifndef _METERPRETER_COMMON_WINAPI_H
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be removed, we are declaring it up there.

dledda-r7
dledda-r7 commented Oct 17, 2025
View reviewed changes
c/meterpreter/source/metsrv/pool_party_ext.h
#ifndef POOL_PARTY_H
#define POOL_PARTY_H
typedef struct IUnknown IUnknown;
#include <winsock2.h>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not required by pool-party, but since we need this to be included before "common.h" to avoid cyclic-inclusion, i need to include it on top here otherwise the compiler complains because winsock2.h needs to be included first... compilers 😥

dledda-r7
dledda-r7 commented Oct 17, 2025
View reviewed changes
c/meterpreter/source/metsrv/thread.c
Comment on lines +8 to +24
typedef struct __OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
_PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} _OBJECT_ATTRIBUTES, * _POBJECT_ATTRIBUTES;

typedef struct __CLIENT_ID
{
PVOID UniqueProcess;
PVOID UniqueThread;
} _CLIENT_ID, * _PCLIENT_ID;
typedef DWORD (WINAPI * NTOPENTHREAD)( PHANDLE, ACCESS_MASK, _POBJECT_ATTRIBUTES, _PCLIENT_ID ); // ntdll!NtOpenThread

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I move this from thread.h because it was creating issue while moving around all the common_metapi.h stuff.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@msutovsky-r7 msutovsky-r7

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dledda-r7 @msutovsky-r7