Some source code to demonstrate avoiding certain direct syscall detections by locating and JMPing to a legitimate syscall instruction within NTDLL.

hiding-your-syscalls

What is this?

This repository contains all of the source code from my blog post about avoiding direct syscall detections, which you can find here.

The original detection that I wrote focused on locating a syscall instruction and determining whether or not it came from within the loaded copy of NTDLL. If it did not, then it may indicate direct syscall use. To bypass this detection, I patch the syscall stub with a jmp instruction to a legitimate syscall instruction inside NTDLL. This means that the syscall comes from within NTDLL and then returns control to our code as normal.

Normal

This project contains the source code to patch a "normal" syscall stub with a jmp instruction. It will parse the loaded NTDLL to find the address of the first Nt function (NtAcceptConnectPort) and patch a jump to that address + 18 bytes (the address of the syscall instruction).

With Syswhispers

This project is a slightly modified version of Normal. Instead of a plain syscall stub it uses the syscall stubs generated by Syswhispers. Pretty much the same thing, but it modifies the stub in-place rather than making a copy. It also changes the number of bytes read, since Syswhispers stubs are longer. Note that each Syswhispers stub also needs to include an extra 11 bytes to accommodate the jmp instruction that we're patching in, since it's done in-place. You can see an example of this in SyscallsStubs.asm.

Jumping without reading from NTDLL

This project contains an enum of offsets for all of the Nt functions in NTDLL. Instead of parsing NTDLL for a syscall stub, we can instead grab an offset from that table. This helps us avoid the scenario where an EDR has hooked the relevant ReadProcessMemory functions and may flag an RPM call to within NTDLL, and we can't use a direct syscall to do it since that would come from outside NTDLL and trigger the detection that I mentioned earlier.

Build_19041_Ntdll_Offsets.txt contains a dump of the NTDLL offsets from my machine, which is build 19041. I'm not sure how this will vary across Windows versions, as syscall numbers change across versions. To that end, I've also included a snippet of C in GetNTDLLOffsets.c that you can run to get the NTDLL offsets for a different version of Windows.

frida_stalker_syscalls.js

This file contains a Frida script that uses Frida's code tracing engine, Stalker, to inspect every instruction in a process for syscalls. If a syscall is found, it verifies whether or not that syscall came from within the bounds of the loaded copy of NTDLL's address space. If it didn't, then it may be an indicator of a direct syscall.
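The decision logic behind that check, plus the extra test a defender needs once stubs start jumping into NTDLL's own syscall instruction (the trick described under Normal), as an added example written in plain Node.js over constructed data. It is not the repository's frida_stalker_syscalls.js; the NTDLL base, stub RVAs and syscall numbers are made up, and the 18-byte stub offset is the one the README states.

```javascript
// Added example (not the repository's frida_stalker_syscalls.js): the decision
// a Stalker callout could make for each executed `syscall`, as plain Node.js.
// Check 1 is the post's original test: is the syscall instruction inside ntdll?
// Check 2 catches the jmp trick: the `mov eax, N` that precedes the executed
// syscall instruction in its own stub must agree with rax at syscall time. A stub
// patched to jump to NtAcceptConnectPort's syscall instruction carries some other
// N in rax, because the real number was loaded by the caller's stub, not this one.

// Constructed 64-bit layout; base, size, RVAs and SSNs are made-up values.
const NTDLL = { base: 0x7ffb12340000, size: 0x1f0000 };
const SYSCALL_OFFSET = 0x12; // syscall instruction sits 18 bytes into each stub

// Constructed table: stub RVA -> SSN encoded by that stub's `mov eax, imm32`.
// In a real callout this would be read from the stub bytes at insnAddr - 0x12.
const STUBS = new Map([
  [0x9d000, 0x02], // stands in for NtAcceptConnectPort (constructed RVA/SSN)
  [0x9d020, 0x08],
  [0x9d040, 0x3a],
]);

function inNtdll(addr) {
  return addr >= NTDLL.base && addr < NTDLL.base + NTDLL.size;
}

// SSN the stub around insnAddr loads into eax, or null if insnAddr is not the
// syscall instruction of any known stub.
function expectedSsn(insnAddr) {
  const rva = insnAddr - NTDLL.base - SYSCALL_OFFSET;
  return STUBS.has(rva) ? STUBS.get(rva) : null;
}

// event: { insnAddr: address of the executing syscall instruction,
//          rax: syscall number in rax when it executes }
function classifySyscall(event) {
  if (!inNtdll(event.insnAddr)) return "direct-syscall";        // original detection
  const ssn = expectedSsn(event.insnAddr);
  if (ssn === null) return "syscall-outside-known-stub";      // in ntdll, not at a stub
  if (ssn !== event.rax) return "stub-mismatch";              // entered mid-stub via jmp
  return "ok";
}

function scan(events) { return events.map(classifySyscall); }

// Constructed events: a normal call, a classic direct syscall, and the jmp trick
// (rax holds 0x3a but the syscall instruction executed belongs to the 0x02 stub).
const EVENTS = [
  { insnAddr: NTDLL.base + 0x9d040 + SYSCALL_OFFSET, rax: 0x3a },
  { insnAddr: 0x7ff6a0001500, rax: 0x3a },
  { insnAddr: NTDLL.base + 0x9d000 + SYSCALL_OFFSET, rax: 0x3a },
];
console.log(scan(EVENTS)); // [ 'ok', 'direct-syscall', 'stub-mismatch' ]
```

The same comparison applies to the offset-table variant below: whichever stub the patched jmp lands in, rax still carries the number of the syscall actually being invoked.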
