D3FC0N 30 release: Obj callbacks, firewalling, symbols w/ internet, and more

Co-authored-by: Maxime Meignan <maxime.meignan@wavestone.com>
2026-06-11 01:41:20 +00:00 · 2022-08-13 09:23:48 -07:00
parent 2e037a379b
commit 48a75a7029
91 changed files with 10503 additions and 4414 deletions
@@ -0,0 +1,71 @@
+.data
+currentHash DWORD 0
+
+.code
+EXTERN SW2_GetSyscallNumber: PROC
+
+WhisperMain PROC
+    pop rax
+    mov [rsp+ 8], rcx              ; Save registers.
+    mov [rsp+16], rdx
+    mov [rsp+24], r8
+    mov [rsp+32], r9
+    sub rsp, 28h
+    mov ecx, currentHash
+    call SW2_GetSyscallNumber
+    add rsp, 28h
+    mov rcx, [rsp+ 8]              ; Restore registers.
+    mov rdx, [rsp+16]
+    mov r8, [rsp+24]
+    mov r9, [rsp+32]
+    mov r10, rcx
+    syscall                        ; Issue syscall
+    ret
+WhisperMain ENDP
+
+NtGetNextProcess PROC
+    mov currentHash, 0CD50C4CCh    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtGetNextProcess ENDP
+
+NtQueryInformationProcess PROC
+    mov currentHash, 055A17810h    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtQueryInformationProcess ENDP
+
+NtClose PROC
+    mov currentHash, 054DEA057h    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtClose ENDP
+
+NtAllocateVirtualMemory PROC
+    mov currentHash, 08708BDBBh    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtAllocateVirtualMemory ENDP
+
+NtOpenProcess PROC
+    mov currentHash, 0FDBCE430h    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtOpenProcess ENDP
+
+NtQueryVirtualMemory PROC
+    mov currentHash, 083906983h    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtQueryVirtualMemory ENDP
+
+NtReadVirtualMemory PROC
+    mov currentHash, 0309A0DDEh    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtReadVirtualMemory ENDP
+
+NtCreateFile PROC
+    mov currentHash, 086A15898h    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtCreateFile ENDP
+
+NtWriteFile PROC
+    mov currentHash, 0B224DCF0h    ; Load function hash into global variable.
+    call WhisperMain               ; Resolve function hash into syscall number and make the call
+NtWriteFile ENDP
+
+end