Indirect syscalls
Referenced from: https://www.cobaltstrike.com/blog/writing-beacon-object-files-flexible-stealthy-and-compatible/
WORK IN PROGRESS
Currently, the techniques for detecting syscalls are as follows:
Search the binary or memory for the syscall; ret instruction pair, to find code used to perform direct syscalls.
Monitor for syscall instructions that do not originate from the memory range of NTDLL, to detect the use of direct syscalls.
To evade these detections, our code needs to avoid two things:
Containing the syscall; ret instructions itself.
Calling them from outside the memory space of NTDLL.
There is a way to perform our syscalls while "playing by" these detection rules, without the need to spoof or hide anything: we can call the syscall; ret combination from NTDLL itself.
Locate an unhooked syscall; ret sequence within the NTDLL memory range.
Jump to it.
No source code will be provided for this technique, but if/when I produce a working PoC I will do a short demo on this page (maybe a video comparison with traditional syscalls?).
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ <-- this blog post is good if you want to understand syscall techniques in more depth.