Indirect syscalls
Referenced from: https://www.cobaltstrike.com/blog/writing-beacon-object-files-flexible-stealthy-and-compatible/
WORK IN PROGRESS
Detecting Direct Syscalls
Currently, the techniques for detecting syscalls are as follows:
- Search the binary or memory for the syscall; ret instruction pair
  - Finds code used to perform direct syscalls
- Monitor for syscall instructions not originating from the memory range of NTDLL
  - Detects the use of direct syscalls
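As an added illustration of the first detection rule above (example code written for this page, not part of the original notes or the referenced Cobalt Strike post), the scanner below looks for the x64 byte pattern of syscall; ret in a set of memory regions and flags any hit whose address is not inside NTDLL. The memory map it scans is constructed in-line; the addresses and bytes are synthetic, not a real NTDLL image.

```python
# Added example (not from the original page): a minimal scanner for the first
# detection rule above, looking for the x64 `syscall; ret` byte pattern in
# memory regions and flagging hits that are not backed by NTDLL's address range.
SYSCALL_RET = b"\x0f\x05\xc3"  # x64 encoding: syscall (0F 05) followed by ret (C3)


def find_syscall_ret(image, base=0):
    """Return the virtual address of every `syscall; ret` sequence in image.

    This is a byte-pattern heuristic, not a disassembly: the bytes 0F 05 C3 can
    also appear across instruction boundaries or inside data, so hits are
    candidates to triage, not proof of a direct syscall stub.
    """
    hits, pos = [], image.find(SYSCALL_RET)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(SYSCALL_RET, pos + 1)
    return hits


def scan_regions(regions, ntdll_range):
    """Scan (name, base, bytes) regions; mark each hit as inside or outside NTDLL."""
    lo, hi = ntdll_range
    return [
        {"region": name, "address": addr, "inside_ntdll": lo <= addr < hi}
        for name, base, image in regions
        for addr in find_syscall_ret(image, base)
    ]


def suspicious(findings):
    """Hits outside NTDLL: the signal a direct-syscall detection alerts on."""
    return [f for f in findings if not f["inside_ntdll"]]


# Constructed sample memory map (synthetic bytes, not a real NTDLL image):
# NOP-padded regions, one standing in for NTDLL and one for a private allocation.
NTDLL_BASE = 0x7FF8_1000_0000
NTDLL_IMAGE = b"\x90" * 0x40 + SYSCALL_RET + b"\x90" * 0x20
HEAP_BASE = 0x0000_0200_0000_0000
HEAP_IMAGE = b"\x90" * 0x10 + SYSCALL_RET + b"\xcc" * 0x10
NTDLL_RANGE = (NTDLL_BASE, NTDLL_BASE + len(NTDLL_IMAGE))
SAMPLE_REGIONS = [("ntdll.dll", NTDLL_BASE, NTDLL_IMAGE),
                  ("private RWX", HEAP_BASE, HEAP_IMAGE)]

if __name__ == "__main__":
    for f in scan_regions(SAMPLE_REGIONS, NTDLL_RANGE):
        verdict = "expected (NTDLL)" if f["inside_ntdll"] else "SUSPICIOUS"
        print(f"{f['region']:<12} {f['address']:#018x}  {verdict}")
```

Against the indirect-syscall approach described later on this page the scanner reports nothing, because the executed syscall; ret sits inside NTDLL and the rule is satisfied; a detection then has to rely on other evidence, such as the call stack at the time the syscall is made.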
Evading these detections
To evade these detections, we need to avoid two things:
- Containing the syscall; ret instruction pair in our own code
- Calling it from outside the memory space of NTDLL
There is a way to perform our syscalls while "playing by" these detection rules, without the need to spoof or hide anything.
We can call the syscall; ret combination from NTDLL itself!
- Locate an unhooked syscall; ret in the NTDLL memory range
- Jump to it
No source code will be provided for this technique, but if/when I do produce a working PoC I will do a short demo on this page. (maybe video comparison with traditional syscalls?)
Related blogposts
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ <-- this blog post is good if you want to understand syscall techniques in more depth