Indirect syscalls

Referenced from: https://www.cobaltstrike.com/blog/writing-beacon-object-files-flexible-stealthy-and-compatible/

WORK IN PROGRESS

Detecting Direct Syscalls

Currently, direct syscalls are detected in two main ways:

  • Search the binary or memory for the syscall; ret instruction sequence

    • Finds code that performs direct syscalls

  • Monitor for syscall instructions that do not originate from NTDLL's memory range

    • Detects the use of direct syscalls at runtime
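As an added example (not code from the original page, from the author, or from Cobalt Strike), the two checks above as toy detection logic in Python, run over constructed module images and constructed syscall-origin addresses. Module names, base addresses and image bytes are made up, and the system service number in the ntdll stub is a placeholder.

```python
"""Toy detector for the two checks listed above: (1) syscall; ret byte
patterns in module images and (2) syscall instructions whose address is
not inside NTDLL. All module data below is constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass

SYSCALL_RET = bytes.fromhex("0f05c3")  # x64 encoding of `syscall` then `ret`

@dataclass
class Module:
    name: str
    base: int
    image: bytes

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + len(self.image)

def find_syscall_ret(image: bytes) -> list[int]:
    """Return every offset in `image` where a syscall; ret sequence occurs."""
    hits, pos = [], image.find(SYSCALL_RET)
    while pos != -1:
        hits.append(pos)
        pos = image.find(SYSCALL_RET, pos + 1)
    return hits

def scan_modules(modules: list[Module]) -> list[tuple[str, int]]:
    """Check 1: syscall; ret is expected in ntdll and suspicious elsewhere.
    Returns (module name, absolute address) for each gadget outside ntdll."""
    findings = []
    for m in modules:
        if m.name.lower() == "ntdll.dll":
            continue
        for off in find_syscall_ret(m.image):
            findings.append((m.name, m.base + off))
    return findings

def check_syscall_origin(syscall_addresses: list[int], modules: list[Module]) -> list[int]:
    """Check 2: flag syscall instruction addresses (e.g. from telemetry) that
    lie outside ntdll. An address inside ntdll passes, which is exactly the
    blind spot an indirect syscall relies on."""
    ntdll = next(m for m in modules if m.name.lower() == "ntdll.dll")
    return [a for a in syscall_addresses if not ntdll.contains(a)]

# Constructed sample images (not real module contents): ntdll holds a stub
# `mov r10, rcx; mov eax, <placeholder SSN>; syscall; ret`, while the
# hypothetical implant image embeds its own copy of syscall; ret.
NTDLL = Module("ntdll.dll", 0x7FF800000000, bytes.fromhex("4c8bd1b818000000") + SYSCALL_RET)
IMPLANT = Module("implant.dll", 0x7FF700000000, b"\x90" * 16 + SYSCALL_RET + b"\x90" * 8)
MODULES = [NTDLL, IMPLANT]
```

Running `scan_modules(MODULES)` reports the gadget in implant.dll, and `check_syscall_origin` flags the implant's address while letting the ntdll one through.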

Evading These Detections

To evade these detections, we need to avoid two things:

  • Containing the syscall; ret instruction sequence in our own code

  • Executing it from outside NTDLL's memory range

There is a way to perform our syscalls while "playing by" these detection rules, without the need to spoof or hide anything.

We can execute the syscall; ret sequence from NTDLL itself!

  • Locate an unhooked syscall; ret within NTDLL's memory range

  • Jump to it

No source code will be provided for this technique, but if/when I do produce a working PoC I will do a short demo on this page (maybe a video comparison with traditional syscalls?).

https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ <-- this blog post is a good read if you want to understand syscall techniques in more depth
