Merge pull request #2 from micREsoft/development

Merge 'development' branch with 'master' branch

Author: WindowsAPI

.github/workflows/build.yml

@@ -0,0 +1,172 @@
+name: "Build Allycs v2.0.0"
+
+permissions:
+  contents: write
+  packages: write
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: windows-latest
+
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+
+    - name: Setup MSBuild
+      uses: microsoft/setup-msbuild@v1.3
+
+    - name: Setup vcpkg
+      uses: lukka/run-vcpkg@v11
+      with:
+        vcpkgDirectory: '${{ github.workspace }}/vcpkg'
+        vcpkgGitCommitId: '7e19f3c64cb636ee21f41bfe8558a6dfaae6236f'
+        vcpkgJsonGlob: 'vcpkg.json'
+        runVcpkgInstall: '--triplet=x64-windows-static --x-wait-for-lock'
+
+    - name: Set Vcpkg Environment
+      run: |
+        echo "VCPKG_ROOT=${{ github.workspace }}/vcpkg" >> $env:GITHUB_ENV
+        echo "VcpkgRoot=${{ github.workspace }}/vcpkg" >> $env:GITHUB_ENV
+        echo "VCPKG_DEFAULT_TRIPLET=x64-windows-static" >> $env:GITHUB_ENV
+        echo "CMAKE_WARN_UNUSED_CLI_VARS=OFF" >> $env:GITHUB_ENV
+        echo "VCPKG_CMAKE_CONFIGURE_OPTIONS=-DCMAKE_WARN_UNUSED_CLI_VARS=OFF" >> $env:GITHUB_ENV
+
+    - name: Setup Vcpkg Binary Caching
+      uses: actions/cache@v4
+      with:
+        path: |
+          ${{ github.workspace }}/vcpkg/installed
+          ${{ github.workspace }}/vcpkg/packages
+        key: vcpkg-${{ hashFiles('**/vcpkg.json') }}-${{ runner.os }}-x64-windows-static
+        restore-keys: |
+          vcpkg-${{ hashFiles('**/vcpkg.json') }}-${{ runner.os }}-
+          vcpkg-${{ runner.os }}-
+
+    - name: Integrate Vcpkg with MSBuild
+      run: |
+        & "${{ github.workspace }}/vcpkg/vcpkg.exe" integrate install
+
+    - name: Verify SysCaller Dependencies
+      run: |
+        Write-Host "Checking SysCaller dependencies..."
+        
+        # Check if SysCaller.lib exists
+        if (Test-Path "sdk\SysCaller\lib\SysCaller.lib") {
+          Write-Host "SysCaller.lib found!"
+          Get-Item "sdk\SysCaller\lib\SysCaller.lib" | Select-Object Name, Length, LastWriteTime
+        } else {
+          Write-Host "SysCaller.lib not found!"
+          exit 1
+        }
+        
+        # Check if SysCaller headers exist
+        if (Test-Path "sdk\SysCaller\include\syscaller.h") {
+          Write-Host "SysCaller headers found!"
+        } else {
+          Write-Host "SysCaller headers not found!"
+          exit 1
+        }
+        
+        # Check if SysCaller.dll exists (for runtime)
+        if (Test-Path "sdk\SysCaller\lib\SysCaller.dll") {
+          Write-Host "SysCaller.dll found!"
+        } else {
+          Write-Host "SysCaller.dll not found, this is needed at runtime!"
+        }
+
+    - name: Build Solution (Release x64)
+      run: |
+        Write-Host "Building Release x64..."
+        Write-Host "VcpkgRoot: $env:VcpkgRoot"
+        Write-Host "VCPKG_ROOT: $env:VCPKG_ROOT"
+
+        msbuild "Allycs.sln" /p:Configuration=Release /p:Platform=x64 /p:VcpkgEnabled=true /p:VcpkgEnableManifest=true /p:VcpkgUseStatic=true /p:VcpkgTriplet=x64-windows-static /p:VcpkgRoot="$env:VcpkgRoot"
+
+    - name: Copy SysCaller DLL (Release)
+      run: |
+        Write-Host "Copying SysCaller.dll for Release build..."
+        $outputDir = "build\x64\Release"
+        
+        if (Test-Path "sdk\SysCaller\lib\SysCaller.dll") {
+          Copy-Item "sdk\SysCaller\lib\SysCaller.dll" $outputDir
+          Write-Host "Copied SysCaller.dll to Release build"
+        } else {
+          Write-Host "SysCaller.dll not found. Allycs will not run properly!"
+        }
+
+    - name: Verify Executables Exist
+      run: |
+        $releaseExists = Test-Path "build\x64\Release\Allycs.exe"
+
+        if ($releaseExists) {
+          Write-Host "Allycs.exe (Release) Built Successfully!"
+          Get-Item "build\x64\Release\Allycs.exe" | Select-Object Name, Length, LastWriteTime
+        } else {
+          Write-Host "Allycs.exe (Release) not found!"
+          Get-ChildItem -Recurse -Name "*.exe" | ForEach-Object { Write-Host "Found: $_" }
+          exit 1
+        }
+
+    - name: List Build Directory Contents
+      run: |
+        Write-Host "Build Directory Contents:"
+        if (Test-Path "build\x64\Release") {
+          Write-Host "Release Directory:"
+          Get-ChildItem "build\x64\Release" | Select-Object Name, Length, LastWriteTime
+        }
+
+    - name: Upload Build Artifacts (Release)
+      uses: actions/upload-artifact@v4
+      with:
+        name: "Allycs-v2.0.0"
+        path: build/x64/Release/
+        retention-days: 30
+
+    - name: Create Release Package
+      if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+      run: |
+        $version = "v2.0.0"
+        $zipName = "Allycs-$version.zip"
+
+        New-Item -ItemType Directory -Path "release-package" -Force
+
+        # Copy Release files
+        Copy-Item "build\x64\Release\Allycs.exe" "release-package\"
+        Copy-Item "build\x64\Release\SysCaller.dll" "release-package\"
+
+        # Create the zip file
+        Compress-Archive -Path "release-package\*" -DestinationPath $zipName -Force
+
+        Write-Host "Created Release Package: $zipName"
+        Get-Item $zipName | Select-Object Name, Length
+
+    - name: Upload Release Package
+      if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+      uses: actions/upload-artifact@v4
+      with:
+        name: "Release v2.0.0"
+        path: Allycs-v2.0.0.zip
+        retention-days: 90
+
+    - name: Create GitHub Release
+      if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
+      uses: softprops/action-gh-release@v1
+      with:
+        tag_name: v2.0.0
+        name: "Allycs v2.0.0"
+        body: |
+          ## Allycs v2.0.0
+
+          **Build Date:** ${{ github.event.head_commit.timestamp }}
+          **Commit:** ${{ github.sha }}
+          **Platform:** Windows x64 (64-bit)
+        files: Allycs-v2.0.0.zip
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Allycs.vcxproj

@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Debug|Win32">
@@ -126,18 +126,19 @@
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
-      <AdditionalIncludeDirectories>GeneratedFiles\$(ConfigurationName);GeneratedFiles;C:\Users\devil\source\repos\Allycs\sdk\SysCaller\include;C:\Users\devil\source\repos\Allycs\src\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(PROJECTDIR)sdk\SysCaller\include;$(PROJECTDIR)src\include;$(VCPKG_ROOT)\installed\x64-windows-static\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <MultiProcessorCompilation>true</MultiProcessorCompilation>
       <LanguageStandard>stdcpp20</LanguageStandard>
       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
       <WholeProgramOptimization>false</WholeProgramOptimization>
+      <DisableSpecificWarnings>4005</DisableSpecificWarnings>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
       <GenerateDebugInformation>true</GenerateDebugInformation>
-      <AdditionalDependencies>SysCaller.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>SysCaller.lib;distorm.lib;tinyxml2.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <AdditionalManifestDependencies>type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' </AdditionalManifestDependencies>
-      <AdditionalLibraryDirectories>C:\Users\devil\source\repos\Allycs\sdk\SysCaller\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalLibraryDirectories>$(PROJECTDIR)sdk\SysCaller\lib;$(VCPKG_ROOT)\installed\x64-windows-static\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
     </Link>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
@@ -179,23 +180,24 @@
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
-      <AdditionalIncludeDirectories>GeneratedFiles\$(ConfigurationName);GeneratedFiles;C:\Users\devil\source\repos\Allycs\sdk\SysCaller\include;C:\Users\devil\source\repos\Allycs\src\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(PROJECTDIR)sdk\SysCaller\include;$(PROJECTDIR)src\include;$(VCPKG_ROOT)\installed\x64-windows-static\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <MinimalRebuild>false</MinimalRebuild>
       <LanguageStandard>stdcpp20</LanguageStandard>
       <MultiProcessorCompilation>true</MultiProcessorCompilation>
+      <DisableSpecificWarnings>4005</DisableSpecificWarnings>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
-      <AdditionalDependencies>SysCaller.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>SysCaller.lib;distorm.lib;tinyxml2.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <AdditionalManifestDependencies>type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' </AdditionalManifestDependencies>
       <EntryPointSymbol>
       </EntryPointSymbol>
       <ModuleDefinitionFile>
       </ModuleDefinitionFile>
       <GenerateMapFile>false</GenerateMapFile>
-      <AdditionalLibraryDirectories>C:\Users\devil\source\repos\Allycs\sdk\SysCaller\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <AdditionalLibraryDirectories>$(PROJECTDIR)sdk\SysCaller\lib;$(VCPKG_ROOT)\installed\x64-windows-static\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <GenerateDebugInformation>false</GenerateDebugInformation>
     </Link>
   </ItemDefinitionGroup>
@@ -234,6 +236,10 @@
     <ClCompile Include="src\core\TreeImportExport.cpp" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="sdk\SysCaller\include\Resolver\PebUtils.h" />
+    <ClInclude Include="sdk\SysCaller\include\Resolver\Resolver.h" />
+    <ClInclude Include="sdk\SysCaller\include\Resolver\ResolverBase.h" />
+    <ClInclude Include="sdk\SysCaller\include\syscaller_config.h" />
     <ClInclude Include="src\app\resource.h" />
     <ClInclude Include="src\include\gui\AboutGui.h" />
     <ClInclude Include="src\include\core\ApiReader.h" />
@@ -300,4 +306,4 @@
       <UserProperties RESOURCE_FILE="MainGui.rc" />
     </VisualStudio>
   </ProjectExtensions>
-</Project>
+</Project>

README.md

@@ -5,15 +5,15 @@
 
 ## About
 
-**Allycs** is a modernized Scylla rebuild using [SysCaller](https://github.com/SysCallerSDK/SysCaller) for native syscall powered PE import reconstruction. It avoids traditional API hooks by directly invoking syscalls, making it useful for stealthy dumping.
+**Allycs** is a modernized Scylla rebuild using [SysCaller](https://github.com/SysCallerSDK/SysCaller) for native syscall powered PE import reconstruction. It avoids traditional API hooks by invoking syscalls through indirect calls, making it useful for stealthy dumping.
 
 ---
 
 ## Features
 
 Whats new: 
 - (SysCaller only supports x64)
-- Native syscall usage (WinAPI-less execution)
+- Native syscall usage via indirect calls (WinAPI-less execution)
 - Added "Dont Compact Raw Data"
 - Removed alot of bloat
 - Powered by [SysCaller SDK](https://github.com/SysCallerSDK/SysCaller)
@@ -41,51 +41,51 @@ vcpkg install distorm:x64-windows-static tinyxml2:x64-windows-static wtl:x64-win
 
 ### Step 1. Build Requires Syscalls via SysCaller
 
-1. Download and open the [Bind.exe](https://github.com/micREsoft/SysCaller/releases) (PY BuildTools are deprecated) 
+1. Download and open the [Bind.exe](https://github.com/micREsoft/SysCaller/releases) (PY BuildTools are deprecated)
 
-2. Ensure the following syscall stubs are selected under the Integrity Tab:
+2. Go to settings and under the "General" tab there should be the following sections "Bindings, Syscall Mode". Under those sections enable Bindings and Indirect Syscall Mode. 
+
+> Allycs now uses indirect syscalls! If you want to go back to using direct syscalls or inline syscalls you will have to modify the source code. 
+
+> Indirect syscalls provide better stability across Windows versions by dynamically resolving syscall numbers at runtime, avoiding hardcoded syscall numbers that change between Windows builds.
+
+3. Ensure the following syscall stubs are selected under the Integrity Tab:
 
 ```plaintext
-SysAllocateVirtualMemoryEx
-SysClose
-SysCreateSection
-SysCreateThreadEx
-SysDuplicateObject
-SysFreeVirtualMemory
-SysGetContextThread
-SysMapViewOfSection
-SysOpenProcess
-SysOpenSymbolicLinkObject
-SysOpenThread
-SysProtectVirtualMemory
-SysQueryInformationFile
-SysQueryInformationProcess
-SysQueryInformationThread
-SysQueryObject
-SysQuerySymbolicLinkObject
-SysQuerySystemInformation
-SysQueryVirtualMemory
-SysResumeProcess
-SysResumeThread
-SysSetContextThread
-SysSetInformationThread
-SysSuspendProcess
-SysSuspendThread
-SysTerminateProcess
-SysUnmapViewOfSection
-SysWriteVirtualMemory
+SysIndirectAllocateVirtualMemoryEx
+SysIndirectClose
+SysIndirectCreateThreadEx
+SysIndirectFreeVirtualMemory
+SysIndirectOpenProcess
+SysIndirectOpenSymbolicLinkObject
+SysIndirectProtectVirtualMemory
+SysIndirectQueryInformationProcess
+SysIndirectQuerySymbolicLinkObject
+SysIndirectQuerySystemInformation
+SysIndirectQueryVirtualMemory
+SysIndirectResumeProcess
+SysIndirectSetInformationThread
+SysIndirectSuspendProcess
+SysIndirectTerminateProcess
+SysIndirectUnmapViewOfSection
 ```
 
-3. After that run the Validation/Compatibility checks.
-
-4. **Important**: When building SysCaller use the default (non obfuscated) stubs in Release mode.
+5. **Important**: When building SysCaller use the default (non obfuscated) stubs in Release mode.
 Obfuscated stubs currently work only in Debug mode, due to unresolved configuration conflicts in Allycs.
 
-5. Now open SysCaller.sln via Visual Studio 2022
+6. Now open SysCaller.sln via Visual Studio 2022
 
-6. Set build to `Release` if using default stubs, `Debug` if using obfuscated stubs, and C++ standard to **C++20** (If not already)
+7. Set build to `Release` if using default stubs, `Debug` if using obfuscated stubs, C++ standard to **C++20**, and set the output to .dll (If not already)
+
+8. Go to syscaller_config.h and make sure the following are uncommented and set as preprocessor defs:
+
+```cpp
+#define SYSCALLER_INDIRECT
+#define SYSCALLER_BINDINGS
+#define SYSCALLER_RESOLVER_PEB_LDR
+```
 
-7. Build the project to generate `SysCaller.lib`
+9. Build the project to generate `SysCaller.dll` and `SysCaller.lib`
 
 ---
 
@@ -95,6 +95,7 @@ Obfuscated stubs currently work only in Debug mode, due to unresolved configurat
 
     ```
     SysCaller.lib     → sdk/SysCaller/lib
+    SysCaller.dll     → path/to/exe
     SysFunctions.h    → sdk/SysCaller/include/Sys
     ```
 
@@ -103,7 +104,7 @@ Obfuscated stubs currently work only in Debug mode, due to unresolved configurat
 ### Step 3. Build Allycs
 
 - Open `Allycs.sln` in Visual Studio 2022
-- Set to `x64` & `Release` Mode if not already  
+- Set to `x64` & `Release` Mode (if not using obfuscated stubs )
 - Build the `Allycs` project  
 - Output binary: `build\x64\Release\Allycs.exe`
 
@@ -179,4 +180,4 @@ The author assumes no responsibility for any misuse or damage caused by this sof
 
 <p align="center">
   <i>Built on the foundation of Scylla. Reinforced with native syscalls.</i>
-</p>
+</p>