{"id":29906789,"url":"https://github.com/dutchpsycho/indirectsyscalls","last_synced_at":"2025-08-01T21:13:27.467Z","repository":{"id":307343125,"uuid":"1029197182","full_name":"dutchpsycho/IndirectSyscalls","owner":"dutchpsycho","description":"IndirectSyscalls - A method of invoking syscalls without creating stubs and avoiding hooks - Winx64","archived":false,"fork":false,"pushed_at":"2025-07-30T17:27:54.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-07-30T20:27:30.238Z","etag":null,"topics":["detours","indirectsyscalls","minhook","syscall-hook","syscalls"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dutchpsycho.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-30T17:04:25.000Z","updated_at":"2025-07-30T17:29:30.000Z","dependencies_parsed_at":"2025-07-30T20:37:34.689Z","dependency_job_id":null,"html_url":"https://github.com/dutchpsycho/IndirectSyscalls","commit_stats":null,"previous_names":["dutchpsycho/indirectsyscalls"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/dutchpsycho/IndirectSyscalls","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FIndirectSyscalls","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FIndirectSyscalls/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FIndirectSyscalls/releases","mani
fests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FIndirectSyscalls/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dutchpsycho","download_url":"https://codeload.github.com/dutchpsycho/IndirectSyscalls/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dutchpsycho%2FIndirectSyscalls/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268297607,"owners_count":24228127,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-01T02:00:08.611Z","response_time":67,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["detours","indirectsyscalls","minhook","syscall-hook","syscalls"],"created_at":"2025-08-01T21:13:24.163Z","updated_at":"2025-08-01T21:13:27.457Z","avatar_url":"https://github.com/dutchpsycho.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# IndirectSyscalls\n\nTired of getting flagged in every stack trace known to AV-kind because your \"next-gen\" syscall invoker runs through unbacked RWX memory?  \nTired of being one YARA scan away from dumped memory and a ruined day?\n\nI've got a solution!\n\nBoth of those detection vectors are super simple. One is literally \"is the code issuing this syscall in ntdll.dll?\", the other is \"is there a syscall instruction OUTSIDE of ntdll.dll?\". See a pattern?\nYes, ntdll.dll is special 
(along with the two other DLLs no one, including me, talks about), because it provides the transition layer between user mode and the super-scary kernel.\nSyscall instructions are meant to exist only within ntdll.dll; if one runs outside it, that's a huge red flag for any protection software.\n\nNow, if you're an actual developer here to learn something, I'd recommend going and reading the source. If you're not in the mood for reading Rust, here goes:\n1. Walk PEB-\u003eLdr (the loaded-module list) to find \"ntdll.dll\"\n2. Parse its PE headers-\u003eexport directory\n3. Verify each export matches the syscall stub ABI (mov r10, rcx / mov eax, SSN / ... / syscall / ret)\n4. Put the verified stubs into a global table\n5. Write a public API function that reproduces the syscall-firing ABI\n6. Have it use the global table to execute the relevant syscall\n7. Call your favorite syscall through your API\n\n\u003e \"But Damon, hooks! Isn't that the whole reason we avoid ntdll.dll anyway?\"\n\nYes... but this *only* executes the *syscall prologue*; I skip any surrounding silly jmps/calls.\nThat raises problems when the hooks are forwarded, and now I have a headache.\nEnjoy the PoC.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdutchpsycho%2Findirectsyscalls","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdutchpsycho%2Findirectsyscalls","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdutchpsycho%2Findirectsyscalls/lists"}