# Indirect syscalls

WORK IN PROGRESS

### Detecting Direct Syscalls

Currently, the techniques for detecting direct syscalls are as follows:

* Search the binary or process memory for the `syscall; ret` instruction pair
  * This finds the stubs used to perform direct syscalls
* Monitor for `syscall` instructions that do not originate from the memory range of NTDLL
  * This detects the use of direct syscalls at runtime
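The first detection above, written out as an added example (this is not code from the original page): scan constructed memory regions for the `syscall; ret` byte pattern, report every hit that lies outside the NTDLL range, and, where the classic NTDLL stub shape precedes the hit, recover the copied SSN. All region names, addresses and bytes are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSCALL_RET = b"\x0f\x05\xc3"          # x64 encoding of: syscall; ret
STUB_PROLOGUE = b"\x4c\x8b\xd1\xb8"    # mov r10, rcx; mov eax, <imm32 SSN>

@dataclass
class Region:
    name: str     # backing module, or "private" for unbacked memory (constructed label)
    base: int
    data: bytes

def find_syscall_ret(region: Region) -> List[int]:
    """Absolute addresses of every syscall; ret sequence inside the region."""
    hits, idx = [], region.data.find(SYSCALL_RET)
    while idx != -1:
        hits.append(region.base + idx)
        idx = region.data.find(SYSCALL_RET, idx + 1)
    return hits

def stub_ssn(region: Region, addr: int) -> Optional[int]:
    """If the classic stub shape precedes the hit, return its SSN, else None.
    Assumption: only 'mov r10,rcx; mov eax,imm32; syscall; ret' is recognised."""
    off = addr - region.base - 8
    if off >= 0 and region.data[off:off + 4] == STUB_PROLOGUE:
        return int.from_bytes(region.data[off + 4:off + 8], "little")
    return None

def suspicious_syscalls(regions, ntdll_range) -> List[Tuple[str, int, Optional[int]]]:
    """Report syscall; ret sequences located outside [ntdll_start, ntdll_end)."""
    lo, hi = ntdll_range
    return [(r.name, a, stub_ssn(r, a)) for r in regions
            for a in find_syscall_ret(r) if not (lo <= a < hi)]

# Constructed sample memory layout: one NTDLL stub, one benign module, one copied stub
NTDLL_BASE = 0x7FF800000000
STUB = STUB_PROLOGUE + (0x18).to_bytes(4, "little") + SYSCALL_RET   # SSN 0x18 is made up
REGIONS = [
    Region("ntdll.dll", NTDLL_BASE, b"\xcc" * 16 + STUB),
    Region("app.exe", 0x140000000, b"\x48\x89\x5c\x24\x08\xc3"),   # ordinary code, no syscall
    Region("private", 0x20000000, b"\x90" * 4 + STUB),             # stub copied into RWX memory
]
NTDLL_RANGE = (NTDLL_BASE, NTDLL_BASE + 0x1000)

if __name__ == "__main__":
    for name, addr, ssn in suspicious_syscalls(REGIONS, NTDLL_RANGE):
        print(f"{name}: syscall; ret at {addr:#x}, SSN={ssn}")
```

The hit inside ntdll.dll is filtered out by the range check, which is exactly the gap the rest of this page builds on: a `syscall; ret` that executes from NTDLL's own range passes this check even if the caller jumped there from elsewhere.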

### Evading these detections

To evade these detections, we need to avoid two things:

* Containing the `syscall; ret` instruction pair in our own code
* Executing it from outside the memory space of NTDLL

![](https://3005128937-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7fGnUKow1kUWdcf20IE0%2Fuploads%2FRLeLQ1VGCtSP6JvAai1M%2Fimage.png?alt=media\&token=618a803c-657f-438d-a0cd-5ffece3627ee)

There is a way to perform our syscalls while "playing by" these detection rules, without the need to spoof or hide anything.

We can execute the `syscall; ret` pair from NTDLL itself!

* Locate an unhooked `syscall; ret` within NTDLL's memory range
* Jump to it

![](https://3005128937-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F7fGnUKow1kUWdcf20IE0%2Fuploads%2F0kXIRZ82e3WLKyKA0vgQ%2Fimage.png?alt=media\&token=e81dc636-30f6-4bf2-8bfa-45493278d1fa)

No source code will be provided for this technique, but if/when I do produce a working PoC I will do a short demo on this page (maybe a video comparison with traditional syscalls?).

### Related blogposts

<https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/> <-- this blog post is good if you want to understand syscall techniques in more depth
