Conversation

Me and

are happy to introduce HWSyscalls, a new method to execute indirect syscalls using Hardware Breakpoints without calling directly to ntdll.dll, therefore bypassing the current way to detect it. A detailed blog post will follow soon.

github.com

GitHub - Dec0ne/HWSyscalls: HWSyscalls is a new method to execute indirect syscalls using HWBP,...

HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP. - GitHub - Dec0ne/HWSyscalls: HWSyscalls is a new method to execute i...

184

458

namazso

@namazso

You could just combine github.com/klezVirus/Sile and github.com/klezVirus/SysW to get a perfect stack trace one with no VEH or debug register usage at all. Plus 99% of the code is already written.

github.com

GitHub - klezVirus/SysWhispers3: SysWhispers on Steroids - AV/EDR evasion via direct system calls.

SysWhispers on Steroids - AV/EDR evasion via direct system calls. - GitHub - klezVirus/SysWhispers3: SysWhispers on Steroids - AV/EDR evasion via direct system calls.

4:17 PM · Feb 12, 2023

1,384

Views

Bookmarks

Wouldn’t it make even more sense to set eax to whatever index you want and then do a CALL with spoofed stack directly to the syscall instruction of some innocent looking stub in ntdll?

namazso

@namazso

Feb 12

That's what this SysWhispers3 does I think, but could be I linked the wrong thing. So yes, that was my point, just modify the calling assembly to move the args and index for syscall calling convention.