SyscallMeMaybe?

Implementation of the Indirect Syscall technique, used here to pop an innocent calc.exe

What is this all about?

I've had this code for a while and only now decided to open-source it. It's nothing new, no bleeding-edge technique whatsoever, but my C++ implementation of an Indirect Syscall PoC to bypass userland hooks implemented by way-too-curious EDR products.

Indirect Syscall, what?

As mentioned above, Indirect Syscall is a technique used to stop EDRs from sniffing around the Win32 API calls that we need to run our very benevolent shellcode. I haven't ranted on a blog about this technique because there are a lot of resources online about it; for the same reason I won't be ranting about it here, but will just give you this list (and verbose comments in the code):

  1. Direct Syscalls vs. Indirect Syscalls
  2. SysWhisper3
  3. Dumpert from Outflank
  4. Beautiful blog by Alice Climent-Pommeret
  5. FreshyCalls
  6. Hell's Gate paper

Also, a few references to learn about malware development:

  1. MaldevAcademy
  2. Sektor7

Do not do nasty stuff with this code, please. Chee(e)rs