A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.
A full write-up of this tool and how it works can be found on my blog here.
Introduction & Thanks
This is an implementation of Nirvana Hooks (a.k.a. Instrumentation Callbacks) that Alex Ionescu presented in 2015 at RECON, titled Hooking Nirvana: Stealthy Instrumentation Hooks. (talk, slides) This code was built on Jack Ullrich's syscall-detect project. For something that I was working on, I needed a version of this technique that worked in x86 processes. To fulfill that need, I wound up doing lots of research and reverse engineering of how Nirvana Hooks work in x86 processes that lead me to write an updated version that supported x86 applications. In the sources section, is a list of some of the blog posts, documentation, and projects that I learned from to write this tool. If anyone responsible for those resources are reading this, thanks for sharing!
This project can be compiled as an EXE or a DLL depending on your needs. The EXE is useful for demonstration purposes and testing. The DLL can be loaded into another process to provide telemetry for the process it has been injected into. To compile a specific version, select the appropriate option and build the solution:
- Debug - EXE
- Debug-DLL - DLL
- Release - EXE
- Release-DLL - DLL
This project makes use of OutputDebugString to provide telemetry. This was done to provide telemetry for applications that could not open a console. To view the telemetry from this tool, you will need to run the application in a debugger, write your own tool to view the debugging messages, or I suggest using DebugViewer.