Repository: https://github.com/x42en/sysplant ("Your syscall factory")  
Primary language: Nim | License: GPL-3.0 | Homepage: http://sysplant.readthedocs.io/  
Topics: code-generation, edr-evasion, hacking-tool, offensive-security, syscall-hooking, syscalls, windows

<!-- markdownlint-disable MD033 MD041 -->
<h1 align="center">
..:: SysPlant ::..
</h1>

<p align="center">
  <strong>Your Syscall Factory</strong> <i>(feat. Canterlot's Gate)</i>
</p>

<p align="center">
  <img src="http://sysplant.readthedocs.io/en/main/assets/canterlot.jpeg" alt="Canterlot's Gate"/>
</p>

[![PyPI version](https://img.shields.io/pypi/v/sysplant.svg?logo=pypi&logoColor=FFE873)](https://pypi.org/project/sysplant/)
[![Supported Python versions](https://img.shields.io/pypi/pyversions/sysplant.svg?logo=python&logoColor=FFE873)](https://pypi.org/project/sysplant/)
[![Build Status](https://github.com/x42en/sysplant/actions/workflows/build.yml/badge.svg)](https://github.com/x42en/sysplant)
[![Project Licence](https://img.shields.io/github/license/x42en/sysplant.svg)](https://github.com/x42en/sysplant/blob/main/LICENSE)
[![PyPI downloads](https://img.shields.io/pypi/dm/sysplant.svg)](https://pypistats.org/packages/sysplant)
[![Code Quality](https://www.codefactor.io/repository/github/x42en/sysplant/badge)](https://www.codefactor.io/repository/github/x42en/sysplant)
[![Code Coverage](https://codecov.io/gh/x42en/sysplant/branch/main/graph/badge.svg)](https://codecov.io/gh/x42en/sysplant)
[![Code style: Black](https://img.shields.io/badge/code%20style-Black-000000.svg)](https://github.com/psf/black)
[![Documentation Status](https://readthedocs.org/projects/sysplant/badge/?version=latest)](https://sysplant.readthedocs.io/en/latest/?badge=latest)


SysPlant is a Python tool that generates code for the currently known syscall-number and syscall-address retrieval methods. It currently supports the following gates (aka iterators):
  - [Hell's Gate](https://github.com/am0nsec/HellsGate): look up the syscall number by matching the first opcodes of the ntdll stub (`mov r10, rcx ; mov eax, <SSN>`)
  - [Halo's Gate](https://blog.sektor7.net/#!res/2021/halosgate.md): same opcode match, but if the first instruction is a `JMP` (hooked stub), read the number from a neighbouring clean stub and correct it by the distance
  - [Tartarus' Gate](https://github.com/trickster0/TartarusGate): same as Halo's Gate, but also handles a `JMP` placed as the third instruction
  - [FreshyCalls](https://github.com/crummie5/FreshyCalls): collect exports whose name starts with `Nt` (but not `Ntdll`) and sort them by address; the position in the sorted list is the syscall number
  - [SysWhispers2](https://github.com/jthuraisamy/SysWhispers2): collect exports whose name starts with `Zw` and sort them by address; the position in the sorted list is the syscall number
  - [SysWhispers3](https://github.com/klezVirus/SysWhispers3): SysWhispers2-style lookup, but introduces direct / indirect / random jump stubs that use a static offset to the `syscall` instruction
  - **Canterlot's Gate ! :unicorn: :rainbow:** *(from an initial idea in the [MDSEC article](https://www.mdsec.co.uk/2022/04/resolving-system-service-numbers-using-the-exception-directory/), which was missing a pony name)*: look up the syscall number by walking the runtime function table (exception directory), whose entries are sorted by address and therefore by syscall number, and detect the offset of the `syscall` instruction for random jumps
  - **Custom**: lets you choose an iterator and a syscall stub method (direct / indirect / random), which together describe how your Nt functions will actually be called

> :warning: **DISCLAIMER**  
> Please only use this tool on systems you have permission to access.  
> Usage is restricted to pentesting or education only.  
> All credits are based on my own research, please feel free to claim any method if I made mistakes...

---

## Introduction
This personal project aims to be a simple tool to better understand and generate the different syscall retrieval methods, and to be able to play with direct / indirect syscall stubs. The first goal was to get my hands into Nim, and then it overflowed :wink: ...  
SysPlant has been developed on Linux; some things might be broken on Windows or macOS. PRs are welcome if you find anything that does not work as expected.

## What is the `iterator` option?
SysPlant is based on existing mechanisms for syscall number and address retrieval. I do not claim the discovery of any of them; I only harmonize all these methods in a single tool so that they can be generated easily from templates. These mechanisms are called `iterator`s; if you look at the code you will probably understand why :wink:  
If you want a deeper explanation of *what a syscall is*, you should check [Alice Climent's blog post about syscall techniques](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/).

## What is the `method` option?
Once your `iterator` has been chosen you can specify a `method` option, based on the existing ways of invoking a syscall. Every iterator supports every method, so you can pick whichever final syscall stub you want.

  1. **Direct:** the `syscall` instruction is executed inside SysPlant's own assembly stub. Only the syscall number is needed, but a `syscall` executing from outside ntdll is something AV/EDR can spot.
  2. **Indirect:** SysPlant's assembly stub jumps to the beginning of the ntdll stub. Only the stub address is needed and no `syscall` instruction lives in your code, but AV/EDR might hook these ntdll functions.
  3. **Random:** SysPlant's assembly stub loads the syscall number and then jumps to the `syscall` instruction of a randomly chosen ntdll stub. You need the syscall number and the address of one `syscall` instruction; there is no `syscall` in your code and the (possibly hooked) prologue of the target function is never executed.


[![Sysplant Stubs](http://sysplant.readthedocs.io/en/main/assets/sysplant_stubs.png)](http://sysplant.readthedocs.io/en/main/assets/sysplant_stubs.png)

## Documentation
I have tried to keep the documentation up to date, so please **[READ THE DOC](http://sysplant.readthedocs.io/en/main/)**. You will find there plenty of information about the tool's usage and a complete description of the classes and methods.  

Some specific usages are described:
  - [SysPlant as a CLI tool](http://sysplant.readthedocs.io/en/main/usage/cli)
  - [SysPlant as a Python module](http://sysplant.readthedocs.io/en/main/usage/lib)

## Credits
Massive shout-out to these useful projects that helped me during this journey, and to the individuals who reviewed it:
  - [@alice's blog post about syscall techniques](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/)
  - [@redops' blog post about direct vs indirect syscalls](https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low)
  - [@Jackson_T & @modexpblog for SysWhispers2](https://github.com/jthuraisamy/SysWhispers2)
  - [@klezvirus for SysWhispers3](https://github.com/klezVirus/SysWhispers3)

## :construction: TODO
This project is still very much WIP...  
PRs and reviews are more than welcome :tada: !
  - [x] Add internal names randomization
  - [x] Setup documentation
  - [x] Setup tests
  - [ ] Add x86 support
  - [ ] Add WoW64 support
  - [x] Setup Nim templates
  - [x] Setup C templates
  - [ ] Setup Go? / CPP? / C#? / Rust? / Whatever templates

## License
This project is licensed under the [GPLv3 License](https://www.gnu.org/licenses/quick-guide-gplv3.en.html), for individuals only. If you want to integrate this work in your commercial project please contact me through `0x42en[at]gmail.com`