Skip to content
/ SyscallMeMaybe Public

Implementation of Indirect Syscall technique to pop a calc.exe

License

MIT license
92 stars 14 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

oldboy21/SyscallMeMaybe

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
SyscallMeMaybe
SyscallMeMaybe
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

SyscallMeMaybe?

Implementation of Indirect Syscall technique to pop an innocent calc.exe

What this is all about?

Had this code for a while and only now decided to open-source it. It's nothing new, no bleeding-edge technique whatsoever, but my C++ implementation of an Indirect Syscall poc to bypass Userland hooks implemented by way too curious EDR products.

Indirect Syscall what?

As mentioned above Indirect Syscall is a technique used to avoid that EDRs sniff around the Win32 API that we need to run our very benevolent shellcode. Haven't ranted on a blog about this technique because there are a lot of resources online about it, same reason I won't be ranting about it here but just giving you this (and verbose comments in the code):

  1. Direct Syscalls VS Indirect Syscalls
  2. SysWhisper3
  3. Dumpert from Outflank
  4. Beautiful blog by Alice Climent-Pommeret
  5. FreshyCalls
  6. Hell's Gate paper

Also few references to learn about malware development:

  1. MaldevAcademy
  2. Sektor7

Do not do nasty stuff with this code please. Chee(e)rs

About

Implementation of Indirect Syscall technique to pop a calc.exe

Topics

cplusplus syscalls security-tools edr-evasion

Resources

Readme

License

MIT license
Activity

Stars

92 stars

Watchers

3 watching

Forks

14 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages