{"id":25247069,"url":"https://github.com/oldboy21/syscallmemaybe","last_synced_at":"2025-10-13T02:39:06.257Z","repository":{"id":219140340,"uuid":"748226159","full_name":"oldboy21/SyscallMeMaybe","owner":"oldboy21","description":"Implementation of Indirect Syscall technique to pop a calc.exe","archived":false,"fork":false,"pushed_at":"2024-01-25T15:42:27.000Z","size":16,"stargazers_count":101,"open_issues_count":0,"forks_count":15,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-05T21:43:11.553Z","etag":null,"topics":["cplusplus","edr-evasion","security-tools","syscalls"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oldboy21.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2024-01-25T14:40:54.000Z","updated_at":"2025-03-27T14:50:23.000Z","dependencies_parsed_at":"2024-01-25T18:05:59.807Z","dependency_job_id":null,"html_url":"https://github.com/oldboy21/SyscallMeMaybe","commit_stats":null,"previous_names":["oldboy21/syscallmemaybe"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oldboy21/SyscallMeMaybe","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oldboy21%2FSyscallMeMaybe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oldboy21%2FSyscallMeMaybe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oldboy21%2FSyscallMeMaybe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oldboy21%2FSyscallMeMaybe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oldboy21","download_url":"https://codeload.github.com/oldboy21/SyscallMeMaybe/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oldboy21%2FSyscallMeMaybe/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259768509,"owners_count":22908228,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cplusplus","edr-evasion","security-tools","syscalls"],"created_at":"2025-02-12T02:57:01.658Z","updated_at":"2025-10-13T02:39:01.220Z","avatar_url":"https://github.com/oldboy21.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SyscallMeMaybe?\nImplementation of the Indirect Syscall technique to pop an innocent calc.exe\n\n## What is this all about?\nHad this code for a while and only now decided to open-source it. It's nothing new, no bleeding-edge technique whatsoever, but my C++ implementation of an Indirect Syscall PoC to bypass userland hooks planted by way too curious EDR products.\n\n## Indirect Syscall what?\nAs mentioned above, Indirect Syscall is a technique used to keep EDRs from sniffing around the Native API (the `Nt*` stubs in `ntdll.dll` that the Win32 API bottoms out in) that we need to run our very benevolent shellcode: instead of calling the hooked stub, the code loads the system service number (SSN) into `eax` itself and jumps to a `syscall; ret` instruction inside `ntdll.dll`, so the userland hook never executes while the kernel still sees the syscall being issued from ntdll. Haven't ranted on a blog about this technique because there are a lot of resources online about it; for the same reason I won't be ranting about it here, but just giving you this (and verbose comments in the code):\n\n1. [Direct Syscalls VS Indirect Syscalls](https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls)\n2. [SysWhispers3](https://github.com/klezVirus/SysWhispers3)\n3. [Dumpert from Outflank](https://github.com/outflanknl/Dumpert)\n4. [Beautiful blog by Alice Climent-Pommeret](https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/#direct-syscall-you-say-)\n5. [FreshyCalls](https://github.com/crummie5/FreshyCalls)\n6. [Hell's Gate paper](https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf)\n\nAlso a few references to learn about malware development:\n\n1. [MaldevAcademy](https://maldevacademy.com)\n2. [Sektor7](https://institute.sektor7.net/)\n\nDo not do nasty stuff with this code, please.\nChee(e)rs","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foldboy21%2Fsyscallmemaybe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foldboy21%2Fsyscallmemaybe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foldboy21%2Fsyscallmemaybe/lists"}