Conversation

I am trying to understand the concept of indirect syscalls, but at the moment I am not sure if I understand it correctly and am not sure about all the advantages and disadvantages. Compared to direct syscalls, when using indirect syscalls we do not execute the syscall…
The jmp does not go to the start of the ntdll function but instead to the direct syscall instruction which is never hooked so hooks are not applicable for indirect syscalls. Also fake ntdll functions are not relevant because they have a different name. And for the first reason.
The syscall instruction itself cannot be hooked. I’m not talking about ntdll functions but about that single instruction. If we jump there, there’s no userland hook 💯 %
But isn't the syscall or syscall number itself a part of the syscall instruction? I think that is what I miss, I am not sure what is meant by the syscall instruction, is it the whole syscall stub or the syscall itself etc.?
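To make the distinction raised in the last reply concrete, here is an added example that is not code from anyone in this thread. It decodes the bytes of an x64 `Nt*` stub the way a defender's memory-integrity check would: the system service number (SSN) lives in the `mov eax, imm32` near the start of the stub, while "the syscall instruction" is only the two-byte opcode `0F 05` further down, so a userland hook that overwrites the stub's first bytes with a `jmp` changes the prologue but leaves `0F 05` where it was. The stub bytes are constructed to match the common layout of a modern Windows x64 stub; the SSN value `0x18` and the hook's jump displacement are placeholders, and the `E9`/`EB` prologue test is a simple heuristic, not a complete hook detector.

```python
import struct

# Constructed sample: typical layout of a clean x64 Nt* stub on modern Windows.
# The SSN value 0x18 is a placeholder chosen for illustration.
CLEAN_STUB = bytes([
    0x4C, 0x8B, 0xD1,                                 # mov r10, rcx
    0xB8, 0x18, 0x00, 0x00, 0x00,                     # mov eax, 0x18   <- SSN lives here
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,   # test byte ptr [0x7FFE0308], 1
    0x75, 0x03,                                       # jne +3
    0x0F, 0x05,                                       # syscall         <- the "syscall instruction"
    0xC3,                                             # ret
    0xCD, 0x2E,                                       # int 2Eh (legacy path)
    0xC3,                                             # ret
])

# Constructed sample: the same stub after a userland hook overwrote its first five
# bytes with a jmp rel32 into another module (displacement is a placeholder).
HOOKED_STUB = bytes([0xE9, 0x10, 0x20, 0x30, 0x40]) + CLEAN_STUB[5:]


def decode_stub(stub: bytes) -> dict:
    """Classify an Nt* stub image.

    Returns whether the prologue looks patched, the SSN (if the original
    'mov r10, rcx ; mov eax, imm32' prologue is intact) and the byte offset
    of the syscall opcode itself.
    """
    result = {"hooked": False, "ssn": None, "syscall_offset": None}

    # Heuristic: a jmp rel32 (E9) or jmp rel8 (EB) at the very first byte means
    # the entry of the stub has been redirected somewhere else.
    if stub[:1] in (b"\xE9", b"\xEB"):
        result["hooked"] = True

    # Intact prologue: 4C 8B D1 (mov r10, rcx) followed by B8 imm32 (mov eax, SSN).
    if stub[:4] == b"\x4C\x8B\xD1\xB8" and len(stub) >= 8:
        result["ssn"] = struct.unpack_from("<I", stub, 4)[0]

    # The syscall instruction is just the opcode 0F 05; it carries no SSN of
    # its own and sits after the prologue, so a hook at the entry leaves it alone.
    idx = stub.find(b"\x0F\x05")
    if idx != -1:
        result["syscall_offset"] = idx

    return result


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_STUB), ("hooked", HOOKED_STUB)):
        print(name, decode_stub(image))
```

Running it shows the clean stub with SSN `0x18` and the syscall opcode at offset 18, and the hooked stub flagged as patched with no recoverable SSN from the prologue but the same `0F 05` still at offset 18, which is exactly why the thread says the single `syscall` instruction is not what a userland hook intercepts.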