{"id":17383445,"url":"https://github.com/virtualalllocex/defcon-31-syscalls-workshop","last_synced_at":"2025-04-04T16:13:23.949Z","repository":{"id":187799430,"uuid":"634448739","full_name":"VirtualAlllocEx/DEFCON-31-Syscalls-Workshop","owner":"VirtualAlllocEx","description":"Contains all the material from the DEF CON 31 workshop \"(In)direct Syscalls: A Journey from High to Low\". ","archived":false,"fork":false,"pushed_at":"2024-01-19T13:39:46.000Z","size":17066,"stargazers_count":654,"open_issues_count":0,"forks_count":94,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-02T22:36:04.226Z","etag":null,"topics":["antivirus-bypass","antivirus-evasion","direct-syscalls","edr-bypass","edr-evasion","indirect-syscalls","malware-analysis","malware-development","malware-development-guide","shellcode","shellcode-loader","syscalls","windows-internals","workshop"],"latest_commit_sha":null,"homepage":"https://redops.at/en/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/VirtualAlllocEx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"VirtualAlllocEx","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-04-30T06:37:23.000Z","updated_at":"2025-03-24T18:26:37.000Z","dependencies_parsed_at":"2023-08-12T06:57:44.913Z","dependency_job_id":"3f9ba58d-8da8-4757-bb11-e7d824a51f8c","html_url":"https://github.com/VirtualAlllocEx/DEFCON-31-Syscalls-Workshop","commit_stats":null,"previous_names":["virtualalllocex/defcon-31-syscalls-workshop"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FDEFCON-31-Syscalls-Workshop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FDEFCON-31-Syscalls-Workshop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FDEFCON-31-Syscalls-Workshop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/VirtualAlllocEx%2FDEFCON-31-Syscalls-Workshop/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/VirtualAlllocEx","download_url":"https://codeload.github.com/VirtualAlllocEx/DEFCON-31-Syscalls-Workshop/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247208139,"owners_count":20901570,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-bypass","antivirus-evasion","direct-syscalls","edr-bypass","edr-evasion","indirect-syscalls","malware-analysis","malware-development","malware-development-guide","shellcode","shellcode-loader","syscalls","windows-internals","workshop"],"created_at":"2024-10-16T07:41:48.569Z","updated_at":"2025-04-04T16:13:23.926Z","avatar_url":"https://github.com/VirtualAlllocEx.png","language":"C","funding_links":["https://github.com/sponsors/VirtualAlllocEx"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\u003cimg width=\"700\" alt=\"image\" src=\"https://github.com/VirtualAlllocEx/DEFCON-31-Syscalls-Workshop/assets/50073731/8bdac03d-74ad-4f58-88b9-7380ff25fa97\"\u003e\n\u003c/p\u003e\n\n# (In)direct Syscalls: A journey from high to low  \n## RedOps | Red Team Village | DEF CON 31\n\n## Getting Started\nAll the **theory** and **playbooks for the exercises** can be found in the [**wiki**](https://github.com/VirtualAlllocEx/DEFCON-31-Syscalls-Workshop/wiki), which together with the prepared POCs is the heart of this project. The **POCs** for the **exercises** can be found here on the **main page**. \n\n**Happy Learning!**\n\nDaniel Feichter \n\n## Disclaimer \nFirst of all, **many thanks** to my girlfriend, who has supported me in everything I do for over 10 years now! Without her support and backing none of my projects in the last 10 years would have been possible. \n\nThanks also to my good friend Andreas Clementi of [**AV-Comparatives**](https://www.av-comparatives.org/), who has been supporting me since we first met. Also thanks to my friend Jonas Kemmner (who is an excellent Red Teamer) for supporting me and reading all my blog posts in advance. I am very grateful to have crossed paths with all these amazing people.\n\nThe content and all code examples in this repository are for educational and research purposes only and should only be used in an ethical context! The code examples are not new and I do not claim them to be. Most of the code or the basis  comes, as so often, from [**ired.team**](https://www.ired.team/), thank you [**@spotheplanet**](https://twitter.com/spotheplanet) for your brilliant work and sharing it with us all. Also many thanks to [**@mrexodia**](https://twitter.com/mrexodia) for your awesome tool [**x64dbg**](https://twitter.com/x64dbg).\n\nFurthermore, and very importantly, this workshop is **not a silver bullet** in the context of EDR evasion, but it **should help to understand** the basics of ``Win32 APIs``, ``Native APIs``, ``direct syscalls`` and ``indirect syscalls`` and a bit about ``call stacks`` in context of shellcode execution and EDR evasion, no more and no less. The aim of this workshop is not to show the most stealthy options or the most complex POCs for direct and indirect syscalls, instead I will focus on teaching the basics.This means using as few tools as possible and doing as much work manually as possible.\n\nI would like to **thank all those members** of the infosec community who have researched, shaped and continue to research the topic of syscalls, direct system calls and indirect syscalls etc.\n\n## Creds and References\n| Twitter Handle                             \t\t\t\t\t | Contribution and Research |\n| :---:                                         \t\t\t | :---: |\n| [@Cneelis](https://twitter.com/Cneelis)    \t\t\t\t\t | https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ \u003cbr /\u003e https://github.com/outflanknl/Dumpert | \n| [@spotheplanet](https://twitter.com/spotheplanet)    | His whole awesome blog and research \u003cbr /\u003e https://www.ired.team/\t|         \n| [@NinjaParanoid](https://twitter.com/NinjaParanoid)  | For his blogs, research, courses and always answering my questions. \u003cbr /\u003e https://0xdarkvortex.dev/hiding-in-plainsight/ \u003cbr /\u003e https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/   | \n| [@ShitSecure](https://twitter.com/ShitSecure) \t\t\t | For his research, his blog https://s3cur3th1ssh1t.github.io/ and for the great discussion about EDRs, syscalls, etc. |         \n| [@AliceCliment](https://twitter.com/alicecliment?lang=de) | For her blog, research and the discussions about EDRs, syscalls etc. \u003cbr /\u003e https://alice.climent-pommeret.red/posts/how-and-why-to-unhook-the-import-address-table/ \u003cbr /\u003e https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/ \u003cbr /\u003e https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/ | \n| [@0xBoku](https://twitter.com/0xBoku)\t\t\t\t\t\t\t\t | For his overall research, and contributions to infosec, helping new community members, and the continued advancement of infosec \u003cbr /\u003e https://0xboku.com/ \u003cbr /\u003e https://github.com/boku7/AsmHalosGate \u003cbr /\u003e https://github.com/boku7/HellsGatePPID \u003cbr /\u003e https://github.com/boku7/halosgate-ps| \n| [@Jackson_T](https://twitter.com/Jackson_T)\t\t\t\t\t | For his research and tools SysWhispers and SysWhispers2 \u003cbr /\u003e https://github.com/jthuraisamy/SysWhispers) \u003cbr /\u003e https://github.com/jthuraisamy/SysWhispers2 | \n| [@KlezVirus](https://twitter.com/KlezVirus)\t\t\t\t\t | For his blog, research, great discussions about EDRs, syscalls, etc. and SysWhispers3 \u003cbr /\u003e https://github.com/klezVirus/SysWhispers3 \u003cbr /\u003e https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/ \u003cbr /\u003e https://github.com/klezVirus/SilentMoonwalk\t\t\t\t\t\t\t|      \n| [@j00ru](https://twitter.com/j00ru)\t\t\t\t\t\t\t\t   | https://j00ru.vexillium.org/syscalls/nt/64/ |   \n| [@modexpblog](https://twitter.com/modexpblog)\t\t\t\t | https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/  | \n| [@netero_1010](https://twitter.com/netero_1010)\t\t\t | https://www.netero1010-securitylab.com/evasion/indirect-syscall-in-csharp)  |        \n| [@CaptMeelo](https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html) | https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html\t | \t \n| Paul Laîné [@am0nsec](https://twitter.com/am0nsec) and smelly__vx @RtlMateusz |https://github.com/am0nsec/HellsGate/tree/master |\n| [@mrd0x](https://twitter.com/mrd0x)                  | https://github.com/Maldev-Academy/HellHall |\n| [@SEKTOR7net](https://twitter.com/SEKTOR7net)        | https://blog.sektor7.net/#!res/2021/halosgate.md |\n| [@D1rkMtr](https://twitter.com/D1rkMtr)              | https://github.com/TheD1rkMtr/D1rkLdr |  \n| [@trickster012](https://twitter.com/trickster012)    | https://github.com/trickster0/TartarusGate |\n| [@thefLinkk](https://twitter.com/thefLinkk)          | https://github.com/thefLink/RecycledGate |\n| [@ElephantSe4l](https://twitter.com/ElephantSe4l) and MarioBartolome  | https://github.com/crummie5/FreshyCalls |\n\n## Further resources\n- Windows Internals, Part 1: System architecture, processes, threads, memory management, and more (7th Edition) by Pavel Yosifovich, David A. Solomon, and Alex Ionescu\n- Windows Internals, Part 2 (7th Edition) by Pavel Yosifovich, David A. Solomon, and Alex Ionescu\n- https://offensivecraft.wordpress.com/2022/12/08/the-stack-series-return-address-spoofing-on-x64/\n- https://offensivecraft.wordpress.com/2023/02/11/the-stack-series-the-x64-stack/ \n- https://winternl.com/detecting-manual-syscalls-from-user-mode/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvirtualalllocex%2Fdefcon-31-syscalls-workshop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvirtualalllocex%2Fdefcon-31-syscalls-workshop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvirtualalllocex%2Fdefcon-31-syscalls-workshop/lists"}