├── README.md
└── sw_randomizer.py

/README.md:
--------------------------------------------------------------------------------
1 | # SysWhispers-FunctionRandomizer
2 | Quick Python script that replaces the NtAPI function names within SysWhispers' generated assembly and header files with random strings. Only the identifiers are rewritten — the generated syscall stubs themselves are left exactly as they are — so this only helps against signatures that match on the `Nt*` function names, not against anything that looks at the stub code or the system calls it makes.
3 | 
4 | Usage: `python3 sw_randomizer.py syscalls.h syscalls.asm` — the rewritten files are written next to the originals as `<name>-modified.<ext>`, and the name-to-replacement mapping is saved to `changed_log.txt` in the current directory (keep it: it is the only record of which random name stands for which API).
5 | 
6 | ```
7 | C:\Temp>python3 sw_randomizer.py sys.h sys-asm.x64.asm
8 | [+] sys-modified.h Completed!
9 | [+] sys-asm.x64-modified.asm Completed!
10 | [+] NtAPIs and their corresponding value can be found in: changed_log.txt
11 | ---
12 | NtWriteVirtualMemory : PHheJHzJrZ
13 | NtProtectVirtualMemory : rFbdzYHSFU
14 | NtOpenProcess : vJpFlKupTc
15 | NtCreateSection : bVFATECoIS
16 | NtMapViewOfSection : vCMJaXuVru
17 | NtQueueApcThread : qaTMRgrBbN
18 | NtResumeThread : mFkJbnVvaU
19 | NtClose : ZgnJFpasBE
20 | NtCreateFile : aBdUnQEcsG
21 | NtUnmapViewOfSection : DiJrtjFaCv
22 | ---
23 | [+] NOTE! You must change the header file reference in your SysWhispers .c file to reflect the new header file name!
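24 | ```
25 | 
--------------------------------------------------------------------------------
/sw_randomizer.py:
--------------------------------------------------------------------------------
"""Rename the Nt* functions in SysWhispers' generated header and assembly files.

Usage: python3 sw_randomizer.py syscalls.h syscalls.asm

Both files are rewritten to ``<name>-modified<ext>`` next to the originals and
the API-name -> random-name mapping is written to ``changed_log.txt`` in the
current directory.  Only the identifiers are replaced; the syscall stubs that
SysWhispers generated are copied through unchanged.

Fixes over the original version of this script:
  * ``changed_log.txt`` entries were written without a newline (one long line)
    and the file was never closed; it is now written one entry per line under
    ``with``.
  * Output names were derived from the first ".h"/".asm" substring anywhere in
    the path, so e.g. ``my.hdr.asm`` became ``my-modified.h``; the real
    extension is used now.
  * Names were matched as plain substrings, relying on a Z-A list order that
    was already broken ('NtAccessCheck' sat at the top), so
    ``NtAccessCheckByType`` was rewritten as ``<random>ByType``.  Matching is
    now done on whole identifiers, longest name first, so a known name is
    never rewritten inside a longer one.
  * Usage errors exit non-zero, a missing input file is reported instead of
    raising, and Nt* names the built-in list does not know are reported rather
    than silently left behind.
"""
from __future__ import annotations

import random
import re
import string
import sys
from pathlib import Path

# Kept in (roughly) Z-A order for readability only; matching below is done on
# whole identifiers with the longest name tried first, so the order no longer
# affects the result.
list_of_APIs = [
    'NtYieldExecution', 'NtWriteVirtualMemory', 'NtWriteRequestData', 'NtWriteFileGather',
    'NtWriteFile', 'NtWorkerFactoryWorkerReady', 'NtWaitLowEventPair', 'NtWaitHighEventPair',
    'NtWaitForWorkViaWorkerFactory', 'NtWaitForWnfNotifications', 'NtWaitForSingleObject',
    'NtWaitForMultipleObjects32', 'NtWaitForMultipleObjects', 'NtWaitForKeyedEvent',
    'NtWaitForDebugEvent', 'NtWaitForAlertByThreadId', 'NtVdmControl', 'NtUpdateWnfStateData',
    'NtUnsubscribeWnfStateChange', 'NtUnmapViewOfSectionEx', 'NtUnmapViewOfSection',
    'NtUnlockVirtualMemory', 'NtUnlockFile', 'NtUnloadKeyEx', 'NtUnloadKey2', 'NtUnloadKey',
    'NtUnloadDriver', 'NtUmsThreadYield', 'NtTranslateFilePath', 'NtTraceEvent', 'NtTraceControl',
    'NtThawTransactions', 'NtThawRegistry', 'NtTestAlert', 'NtTerminateThread', 'NtTerminateProcess',
    'NtTerminateJobObject', 'NtTerminateEnclave', 'NtSystemDebugControl', 'NtSuspendThread',
    'NtSuspendProcess', 'NtSubscribeWnfStateChange', 'NtStopProfile', 'NtStartTm', 'NtStartProfile',
    'NtSinglePhaseReject', 'NtSignalAndWaitForSingleObject', 'NtShutdownWorkerFactory',
    'NtShutdownSystem', 'NtSetWnfProcessNotificationEvent', 'NtSetVolumeInformationFile',
    'NtSetValueKey', 'NtSetUuidSeed', 'NtSetTimerResolution', 'NtSetTimerEx', 'NtSetTimer2',
    'NtSetTimer', 'NtSetThreadExecutionState', 'NtSetSystemTime', 'NtSetSystemPowerState',
    'NtSetSystemInformation', 'NtSetSystemEnvironmentValueEx', 'NtSetSystemEnvironmentValue',
    'NtSetSecurityObject', 'NtSetQuotaInformationFile', 'NtSetLowWaitHighEventPair',
    'NtSetLowEventPair', 'NtSetLdtEntries', 'NtSetIRTimer', 'NtSetIoCompletionEx',
    'NtSetIoCompletion', 'NtSetIntervalProfile', 'NtSetInformationWorkerFactory',
    'NtSetInformationVirtualMemory', 'NtSetInformationTransactionManager',
    'NtSetInformationTransaction', 'NtSetInformationToken', 'NtSetInformationThread',
    'NtSetInformationSymbolicLink', 'NtSetInformationResourceManager', 'NtSetInformationProcess',
    'NtSetInformationObject', 'NtSetInformationKey', 'NtSetInformationJobObject',
    'NtSetInformationFile', 'NtSetInformationEnlistment', 'NtSetInformationDebugObject',
    'NtSetHighWaitLowEventPair', 'NtSetHighEventPair', 'NtSetEventBoostPriority', 'NtSetEvent',
    'NtSetEaFile', 'NtSetDriverEntryOrder', 'NtSetDefaultUILanguage', 'NtSetDefaultLocale',
    'NtSetDefaultHardErrorPort', 'NtSetDebugFilterState', 'NtSetContextThread',
    'NtSetCachedSigningLevel2', 'NtSetCachedSigningLevel', 'NtSetBootOptions', 'NtSetBootEntryOrder',
    'NtSerializeBoot', 'NtSecureConnectPort', 'NtSavepointTransaction', 'NtSavepointComplete',
    'NtSaveMergedKeys', 'NtSaveKeyEx', 'NtSaveKey', 'NtRollforwardTransactionManager',
    'NtRollbackTransaction', 'NtRollbackSavepointTransaction', 'NtRollbackRegistryTransaction',
    'NtRollbackEnlistment', 'NtRollbackComplete', 'NtRevertContainerImpersonation',
    'NtResumeThread', 'NtResumeProcess', 'NtRestoreKey', 'NtResetWriteWatch', 'NtResetEvent',
    'NtRequestWakeupLatency', 'NtRequestWaitReplyPort', 'NtRequestPort', 'NtRequestDeviceWakeup',
    'NtReplyWaitReplyPort', 'NtReplyWaitReceivePortEx', 'NtReplyWaitReceivePort', 'NtReplyPort',
    'NtReplacePartitionUnit', 'NtReplaceKey', 'NtRenameTransactionManager', 'NtRenameKey',
    'NtRemoveProcessDebug', 'NtRemoveIoCompletionEx', 'NtRemoveIoCompletion',
    'NtReleaseWorkerFactoryWorker', 'NtReleaseSemaphore', 'NtReleaseMutant', 'NtReleaseKeyedEvent',
    'NtReleaseCMFViewOwnership', 'NtRegisterThreadTerminatePort',
    'NtRegisterProtocolAddressInformation', 'NtRecoverTransactionManager',
    'NtRecoverResourceManager', 'NtRecoverEnlistment', 'NtReadVirtualMemory', 'NtReadRequestData',
    'NtReadOnlyEnlistment', 'NtReadFileScatter', 'NtReadFile', 'NtRaiseHardError',
    'NtRaiseException', 'NtQueueApcThreadEx', 'NtQueueApcThread', 'NtQueryWnfStateNameInformation',
    'NtQueryWnfStateData', 'NtQueryVolumeInformationFile', 'NtQueryVirtualMemory', 'NtQueryValueKey',
    'NtQueryTimerResolution', 'NtQueryTimer', 'NtQuerySystemTime', 'NtQuerySystemInformationEx',
    'NtQuerySystemInformation', 'NtQuerySystemEnvironmentValueEx', 'NtQuerySystemEnvironmentValue',
    'NtQuerySymbolicLinkObject', 'NtQuerySemaphore', 'NtQuerySecurityPolicy', 'NtQuerySecurityObject',
    'NtQuerySecurityAttributesToken', 'NtQuerySection', 'NtQueryQuotaInformationFile',
    'NtQueryPortInformationProcess', 'NtQueryPerformanceCounter', 'NtQueryOpenSubKeysEx',
    'NtQueryOpenSubKeys', 'NtQueryObject', 'NtQueryMutant', 'NtQueryMultipleValueKey',
    'NtQueryLicenseValue', 'NtQueryKey', 'NtQueryIoCompletion', 'NtQueryIntervalProfile',
    'NtQueryInstallUILanguage', 'NtQueryInformationWorkerFactory',
    'NtQueryInformationTransactionManager', 'NtQueryInformationTransaction',
    'NtQueryInformationToken', 'NtQueryInformationThread', 'NtQueryInformationResourceManager',
    'NtQueryInformationProcess', 'NtQueryInformationPort', 'NtQueryInformationJobObject',
    'NtQueryInformationFile', 'NtQueryInformationEnlistment', 'NtQueryInformationByName',
    'NtQueryInformationAtom', 'NtQueryFullAttributesFile', 'NtQueryEvent', 'NtQueryEaFile',
    'NtQueryDriverEntryOrder', 'NtQueryDirectoryObject', 'NtQueryDirectoryFileEx',
    'NtQueryDirectoryFile', 'NtQueryDefaultUILanguage', 'NtQueryDefaultLocale',
    'NtQueryDebugFilterState', 'NtQueryBootOptions', 'NtQueryBootEntryOrder',
    'NtQueryAuxiliaryCounterFrequency', 'NtQueryAttributesFile', 'NtPulseEvent', 'NtPullTransaction',
    'NtProtectVirtualMemory', 'NtPropagationFailed', 'NtPropagationComplete',
    'NtPrivilegeObjectAuditAlarm', 'NtPrivilegedServiceAuditAlarm', 'NtPrivilegeCheck',
    'NtPrePrepareEnlistment', 'NtPrePrepareComplete', 'NtPrepareEnlistment', 'NtPrepareComplete',
    'NtPowerInformation', 'NtPlugPlayControl', 'NtOpenTransactionManager', 'NtOpenTransaction',
    'NtOpenTimer', 'NtOpenThreadTokenEx', 'NtOpenThreadToken', 'NtOpenThread',
    'NtOpenSymbolicLinkObject', 'NtOpenSession', 'NtOpenSemaphore', 'NtOpenSection',
    'NtOpenResourceManager', 'NtOpenRegistryTransaction', 'NtOpenProcessTokenEx',
    'NtOpenProcessToken', 'NtOpenProcess', 'NtOpenPrivateNamespace', 'NtOpenPartition',
    'NtOpenObjectAuditAlarm', 'NtOpenMutant', 'NtOpenKeyTransactedEx', 'NtOpenKeyTransacted',
    'NtOpenKeyEx', 'NtOpenKeyedEvent', 'NtOpenKey', 'NtOpenJobObject', 'NtOpenIoCompletion',
    'NtOpenFile', 'NtOpenEventPair', 'NtOpenEvent', 'NtOpenEnlistment', 'NtOpenDirectoryObject',
    'NtNotifyChangeSession', 'NtNotifyChangeMultipleKeys', 'NtNotifyChangeKey',
    'NtNotifyChangeDirectoryFileEx', 'NtNotifyChangeDirectoryFile', 'NtModifyDriverEntry',
    'NtModifyBootEntry', 'NtMarshallTransaction', 'NtMapViewOfSectionEx', 'NtMapViewOfSection',
    'NtMapUserPhysicalPagesScatter', 'NtMapUserPhysicalPages', 'NtMapCMFModule',
    'NtManagePartition', 'NtManageHotPatch', 'NtMakeTemporaryObject', 'NtMakePermanentObject',
    'NtLockVirtualMemory', 'NtLockRegistryKey', 'NtLockProductActivationKeys', 'NtLockFile',
    'NtLoadKeyEx', 'NtLoadKey2', 'NtLoadKey', 'NtLoadHotPatch', 'NtLoadEnclaveData', 'NtLoadDriver',
    'NtListTransactions', 'NtListenPort', 'NtIsUILanguageComitted', 'NtIsSystemResumeAutomatic',
    'NtIsProcessInJob', 'NtInitiatePowerAction', 'NtInitializeRegistry', 'NtInitializeNlsFiles',
    'NtInitializeEnclave', 'NtImpersonateThread', 'NtImpersonateClientOfPort',
    'NtImpersonateAnonymousToken', 'NtGetWriteWatch', 'NtGetPlugPlayEvent',
    'NtGetNotificationResourceManager', 'NtGetNlsSectionPtr', 'NtGetNextThread',
    'NtGetNextProcess', 'NtGetMUIRegistryInfo', 'NtGetDevicePowerState',
    'NtGetCurrentProcessorNumberEx', 'NtGetCurrentProcessorNumber', 'NtGetContextThread',
    'NtGetCompleteWnfStateSubscription', 'NtGetCachedSigningLevel', 'NtFsControlFile',
    'NtFreezeTransactions', 'NtFreezeRegistry', 'NtFreeVirtualMemory', 'NtFreeUserPhysicalPages',
    'NtFlushWriteBuffer', 'NtFlushVirtualMemory', 'NtFlushProcessWriteBuffers', 'NtFlushKey',
    'NtFlushInstructionCache', 'NtFlushInstallUILanguage', 'NtFlushBuffersFileEx',
    'NtFlushBuffersFile', 'NtFindAtom', 'NtFilterTokenEx', 'NtFilterToken', 'NtFilterBootOption',
    'NtExtendSection', 'NtEnumerateValueKey', 'NtEnumerateTransactionObject',
    'NtEnumerateSystemEnvironmentValuesEx', 'NtEnumerateKey', 'NtEnumerateDriverEntries',
    'NtEnumerateBootEntries', 'NtEnableLastKnownGood', 'NtDuplicateToken', 'NtDuplicateObject',
    'NtDrawText', 'NtDisplayString', 'NtDisableLastKnownGood', 'NtDeviceIoControlFile',
    'NtDeleteWnfStateName', 'NtDeleteWnfStateData', 'NtDeleteValueKey', 'NtDeletePrivateNamespace',
    'NtDeleteObjectAuditAlarm', 'NtDeleteKey', 'NtDeleteFile', 'NtDeleteDriverEntry',
    'NtDeleteBootEntry', 'NtDeleteAtom', 'NtDelayExecution', 'NtDebugContinue',
    'NtDebugActiveProcess', 'NtCreateWorkerFactory', 'NtCreateWnfStateName',
    'NtCreateWaitCompletionPacket', 'NtCreateWaitablePort', 'NtCreateUserProcess',
    'NtCreateTransactionManager', 'NtCreateTransaction', 'NtCreateTokenEx', 'NtCreateToken',
    'NtCreateTimer2', 'NtCreateTimer', 'NtCreateThreadEx', 'NtCreateThread',
    'NtCreateSymbolicLinkObject', 'NtCreateSemaphore', 'NtCreateSectionEx', 'NtCreateSection',
    'NtCreateResourceManager', 'NtCreateRegistryTransaction', 'NtCreateProfileEx', 'NtCreateProfile',
    'NtCreateProcessEx', 'NtCreateProcess', 'NtCreatePrivateNamespace', 'NtCreatePort',
    'NtCreatePartition', 'NtCreatePagingFile', 'NtCreateNamedPipeFile', 'NtCreateMutant',
    'NtCreateMailslotFile', 'NtCreateLowBoxToken', 'NtCreateKeyTransacted', 'NtCreateKeyedEvent',
    'NtCreateKey', 'NtCreateJobSet', 'NtCreateJobObject', 'NtCreateIRTimer', 'NtCreateIoCompletion',
    'NtCreateFile', 'NtCreateEventPair', 'NtCreateEvent', 'NtCreateEnlistment', 'NtCreateEnclave',
    'NtCreateDirectoryObjectEx', 'NtCreateDirectoryObject', 'NtCreateDebugObject',
    'NtCreateCrossVmEvent', 'NtConvertBetweenAuxiliaryCounterAndPerformanceCounter',
    'NtContinueEx', 'NtContinue', 'NtConnectPort', 'NtCompressKey', 'NtCompleteConnectPort',
    'NtCompareTokens', 'NtCompareSigningLevels', 'NtCompareObjects', 'NtCompactKeys',
    'NtCommitTransaction', 'NtCommitRegistryTransaction', 'NtCommitEnlistment', 'NtCommitComplete',
    'NtCloseObjectAuditAlarm', 'NtClose', 'NtClearSavepointTransaction', 'NtClearEvent',
    'NtClearAllSavepointsTransaction', 'NtCancelWaitCompletionPacket', 'NtCancelTimer2',
    'NtCancelTimer', 'NtCancelSynchronousIoFile', 'NtCancelIoFileEx', 'NtCancelIoFile',
    'NtCancelDeviceWakeupRequest', 'NtCallEnclave', 'NtCallbackReturn',
    'NtAssociateWaitCompletionPacket', 'NtAssignProcessToJobObject', 'NtAreMappedFilesTheSame',
    'NtApphelpCacheControl', 'NtAlpcSetInformation', 'NtAlpcSendWaitReceivePort',
    'NtAlpcRevokeSecurityContext', 'NtAlpcQueryInformationMessage', 'NtAlpcQueryInformation',
    'NtAlpcOpenSenderThread', 'NtAlpcOpenSenderProcess', 'NtAlpcImpersonateClientOfPort',
    'NtAlpcImpersonateClientContainerOfPort', 'NtAlpcDisconnectPort',
    'NtAlpcDeleteSecurityContext', 'NtAlpcDeleteSectionView', 'NtAlpcDeleteResourceReserve',
    'NtAlpcDeletePortSection', 'NtAlpcCreateSecurityContext', 'NtAlpcCreateSectionView',
    'NtAlpcCreateResourceReserve', 'NtAlpcCreatePortSection', 'NtAlpcCreatePort',
    'NtAlpcConnectPortEx', 'NtAlpcConnectPort', 'NtAlpcCancelMessage', 'NtAlpcAcceptConnectPort',
    'NtAllocateVirtualMemoryEx', 'NtAllocateVirtualMemory', 'NtAllocateUuids',
    'NtAllocateUserPhysicalPages', 'NtAllocateReserveObject', 'NtAllocateLocallyUniqueId',
    'NtAlertThreadByThreadId', 'NtAlertThread', 'NtAlertResumeThread',
    'NtAdjustTokenClaimsAndDeviceGroups', 'NtAdjustPrivilegesToken', 'NtAdjustGroupsToken',
    'NtAddDriverEntry', 'NtAddBootEntry', 'NtAddAtomEx', 'NtAddAtom',
    'NtAcquireProcessActivityReference', 'NtAcquireCMFViewOwnership',
    'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', 'NtAccessCheckByTypeResultListAndAuditAlarm',
    'NtAccessCheckByTypeResultList', 'NtAccessCheckByTypeAndAuditAlarm', 'NtAccessCheckByType',
    'NtAccessCheckAndAuditAlarm', 'NtAccessCheck', 'NtAcceptConnectPort',
]

# Length of the generated replacement names (the original script used 10).
_NAME_LENGTH = 10

# Any Nt*-style identifier; used only to report names the list above does not
# know, so they are not silently left in the output.
_NT_NAME = re.compile(r"\bNt[A-Z][A-Za-z0-9]*")


def genkey() -> str:
    """Return a random identifier of ``_NAME_LENGTH`` ASCII letters.

    Letters only, so the result is a valid C and MASM symbol.  The names only
    need to be distinct, not unpredictable, so ``random`` (rather than
    ``secrets``) is adequate here; uniqueness is enforced by build_name_map().
    """
    return "".join(random.choices(string.ascii_letters, k=_NAME_LENGTH))


def build_name_map(apis: list[str] | None = None) -> dict[str, str]:
    """Map every API name in ``apis`` (default: list_of_APIs) to a distinct random name.

    Uniqueness is checked case-insensitively, because MASM may treat symbols
    case-insensitively depending on OPTION CASEMAP, and a generated name is
    never allowed to equal a real API name.
    """
    names = list_of_APIs if apis is None else list(apis)
    used = {name.lower() for name in names}
    mapping: dict[str, str] = {}
    for api in names:
        key = genkey()
        while key.lower() in used:
            key = genkey()
        used.add(key.lower())
        mapping[api] = key
    return mapping


def _compile_pattern(name_map: dict[str, str]) -> re.Pattern[str]:
    """Build a regex matching any key of ``name_map`` as a whole identifier.

    Alternatives are ordered longest-first because ``re`` picks the first
    alternative that matches, not the longest; the negative lookahead refuses a
    match that is merely the prefix of a longer identifier (an unknown
    ``NtFooEx`` is left intact rather than half-renamed).  The left side is
    deliberately not anchored so that a prefixed form of a known name is still
    renamed consistently, as the original substring replace did.
    """
    if not name_map:
        return re.compile(r"(?!x)x")  # matches nothing
    names = sorted(name_map, key=len, reverse=True)
    return re.compile("(?:" + "|".join(map(re.escape, names)) + r")(?![A-Za-z0-9_])")


def rename_text(
    text: str, name_map: dict[str, str], pattern: re.Pattern[str] | None = None
) -> tuple[str, list[str], list[str]]:
    """Replace every known API name in ``text``.

    Returns ``(new_text, renamed, left_alone)``: ``renamed`` lists the API
    names that were replaced in order of first appearance; ``left_alone`` is
    the sorted list of ``Nt*`` identifiers in ``text`` that ``name_map`` does
    not know and that were therefore copied through unchanged.
    """
    if pattern is None:
        pattern = _compile_pattern(name_map)
    renamed: dict[str, None] = {}  # insertion-ordered set

    def _swap(match: re.Match[str]) -> str:
        name = match.group(0)
        renamed.setdefault(name, None)
        return name_map[name]

    new_text = pattern.sub(_swap, text)
    left_alone = sorted({tok for tok in _NT_NAME.findall(text) if tok not in name_map})
    return new_text, list(renamed), left_alone


def rename_file(
    src: str | Path, dst: str | Path, name_map: dict[str, str],
    pattern: re.Pattern[str] | None = None,
) -> tuple[list[str], list[str]]:
    """Write ``src`` to ``dst`` with known API names replaced; see rename_text().

    Files are opened with ``newline=""`` so CRLF line endings survive
    unchanged, and ``surrogateescape`` lets any non-UTF-8 byte round-trip
    untouched.  Raises OSError if either file cannot be opened.
    """
    with open(src, encoding="utf-8", errors="surrogateescape", newline="") as fh:
        new_text, renamed, left_alone = rename_text(fh.read(), name_map, pattern)
    with open(dst, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
        fh.write(new_text)
    return renamed, left_alone


def output_name(path: str | Path) -> Path:
    """Return the output path for ``path``: ``sys.h`` -> ``sys-modified.h``.

    The real extension is used (``sys-asm.x64.asm`` -> ``sys-asm.x64-modified.asm``);
    a name without an extension simply gets ``-modified`` appended.
    """
    p = Path(path)
    return p.with_name(p.stem + "-modified" + p.suffix)


def main(argv: list[str] | None = None) -> int:
    """Command-line entry point; returns the process exit status.

    ``argv`` defaults to ``sys.argv[1:]`` and must hold exactly the header and
    the assembly file.  Both are rewritten next to the originals and the
    mapping is printed and saved to ``changed_log.txt`` in the current
    directory.  Returns 1 on a usage error or if a file cannot be processed.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if len(args) != 2:
        print("--\nYou must specify both the header (.h) and assembly (.asm) files as input!",
              file=sys.stderr)
        print("Example Usage: python3 sw_randomizer.py sys.h sys.x64.asm\n---", file=sys.stderr)
        return 1

    name_map = build_name_map()
    pattern = _compile_pattern(name_map)
    changed: dict[str, str] = {}   # API -> random name, first-appearance order across both files
    per_file: list[set[str]] = []  # APIs seen in each input, for the consistency check below
    for src in args:
        dst = output_name(src)
        try:
            renamed, left_alone = rename_file(src, dst, name_map, pattern)
        except (OSError, ValueError) as err:
            print("[-] " + src + ": " + str(err), file=sys.stderr)
            return 1
        for api in renamed:
            changed.setdefault(api, name_map[api])
        per_file.append(set(renamed))
        print("[+] " + str(dst) + " Completed!")
        if left_alone:
            print("[!] " + src + ": Nt* names not in the built-in list were left unchanged: "
                  + ", ".join(left_alone))
    # The header and the assembly file must declare the same functions or the
    # build will fail with unresolved/mismatched symbols.
    if per_file[0] != per_file[1]:
        print("[!] The two files do not reference the same NtAPIs; make sure the header and "
              "assembly file were generated together.")

    with open("changed_log.txt", "w", encoding="utf-8") as log:
        print("[+] NtAPIs and their corresponding value can be found in: changed_log.txt")
        print("---")
        for api, key in changed.items():
            entry = api + " : " + key
            print(entry)
            log.write(entry + "\n")  # one mapping per line
        print("---")
    print("[+] NOTE! You must change the header file reference in your SysWhispers .c file "
          "to reflect the new header file name!")
    return 0


if __name__ == "__main__":
    sys.exit(main())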