SHELLSILO: Simplifying Syscall Assembly and Shellcode Creation
SHELLSILO
SHELLSILO is a cutting-edge tool that translates C syntax into syscall assembly and its corresponding shellcode. It streamlines the process of constructing and utilizing structures, assigning variables, and making system calls. With this tool, integrating strings into your shellcode and initializing Unicode strings has never been easier.
SHELLSILO has been tested on two different Windows 10 models, and Windows 11.
How does SHELLSILO obtain syscall number?
- SHELLSILO imported the syscall number table from https://j00ru.vexillium.org/syscalls/nt/64/ and converted each Windows version to its corresponding model number. By examining the PEB (Process Environment Block), SHELLSILO can easily obtain the model number of the system and compare it to its own model from the ‘syscallslist.txt’ table.
- SHELLSILO only compares the syscall APIs used in the code.
SHELLSILO supports the following:
- Reading and parsing structures
- Structres instances
- Structres member assignments
- Infinite while loop
- If statements
- Variables definition and assignments
- Function calls
- Initializing unicode string
- Some C constants such as MEM_COMMIT and MEM_RESERVE
Practical Example:
The most practical template of the files provided is the ntwrt.c file.
What’s happening in the ntwrt.c file ?
- The code starts by looping through two syscall apis NtAllocateVirtualMemory, and NtQuerySystemInformation to find a specific running process that you will define in the code. Change the name of the process in the code from “Calculator.exe” to whatever process you want, Example: ‘CalculatorApp.exe’ (Windows 10). The process name you change will automatically be initialzed as unicode string using ShellSilo’s built in function InitUnicodeStr, you don’t need to worry about that part.
- The next step is to allocate enough memory in that process using NtOpenProcess followed by NtAllocateVirtualMemory
- Next is to copy the buffer on line 108 which is “h” works as a place holder, to the remote process. this is a place holder, after you generate the assembly change this line with your actual payload buffer line, please refer to my Defcon example https://github.com/nixpal/ProcInjectSyscall/blob/main/shellcode.c#L222
- Finally, the code will create a new thread of that copied buffer using NtCreateThreadEx.
