Wizardcalls is a code generation utility for C/C++ based implants targeting Windows. Using wizardcalls, developers can quickly create a template containing the desired syscalls for use in an implant via the wizardcalls command line or scripting interfaces.
At this time, wizardcalls is only intended for use in Windows development environments. Linux is not currently supported, but support may be added in the future.
Wizardcalls only supports x64 based implants at this time. x86 support could be added in the future.
Wizardcalls can be installed manually from this repository or from PyPI.
Manual installation from the repository:
git clone https://github.com/wizardy0ga/wizardcalls
pip install .\wizardcalls
Installation from PyPI:
pip install wizardcalls
Feel free to open an issue for things like bugs & feature requests.
Using wizardcalls from the command line
Using wizardcalls in a script
Using the wizardcalls source code in your implant
Writing an injector with wizardcalls
Writing a compilation script for the injector with wizardcalls
This section describes how developers can use wizardcalls. Wizardcalls offers two interfaces for developer usage: in a script and on the command line. The sections below provide a brief overview of both interfaces. See the linked documentation above for more information.
After installation, developers can interact with wizardcalls from the command line via the wizardcalls command. The image below shows the current options available for building the template. Wizardcalls only requires the --syscalls argument for usage. See the command line documentation for more information.
Hashycalls offers an interface for developers to automate their implant's build routine via the WizardCalls object. More information can be found in the scripting documentation.
# Assumed import path (matches the installed package name); not shown in the original snippet.
from wizardcalls import WizardCalls

WizardCalls(
    syscalls = [
        'NtAllocateVirtualMemory', 'NtFreeVirtualMemory', 'NtWriteVirtualMemory',
        'NtCreateThreadEx', 'NtWaitForSingleObject',
    ],
    syscall_list_name = 'pSyscallz',
    hash_seed = 10000,
    globals = True,
    hash_algo = 'djb2',
    randomize_jump_address = True,
    debug = True,
)