{"id":19456722,"url":"https://github.com/x0reaxeax/syscallhookbypass","last_synced_at":"2026-03-16T06:32:37.790Z","repository":{"id":161837576,"uuid":"621987227","full_name":"x0reaxeax/SyscallHookBypass","owner":"x0reaxeax","description":"NTAPI hook bypass with (semi) legit stack trace","archived":false,"fork":false,"pushed_at":"2023-05-09T15:10:55.000Z","size":9,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-05T11:39:53.225Z","etag":null,"topics":["antihooking","av-bypass","av-evasion","detection-evasion","edr-bypass","hook-bypass","indirect-syscall","redteam","windows","x86"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x0reaxeax.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-31T20:37:29.000Z","updated_at":"2024-12-23T06:07:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"86b2b63c-8857-4e13-b612-40d4ddf62dfc","html_url":"https://github.com/x0reaxeax/SyscallHookBypass","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x0reaxeax%2FSyscallHookBypass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x0reaxeax%2FSyscallHookBypass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x0reaxeax%2FSyscallHookBypass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x0reaxeax%2FSy
scallHookBypass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x0reaxeax","download_url":"https://codeload.github.com/x0reaxeax/SyscallHookBypass/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248985122,"owners_count":21193881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antihooking","av-bypass","av-evasion","detection-evasion","edr-bypass","hook-bypass","indirect-syscall","redteam","windows","x86"],"created_at":"2024-11-10T17:18:16.836Z","updated_at":"2026-03-16T06:32:32.758Z","avatar_url":"https://github.com/x0reaxeax.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SyscallHookBypass\n\n### NtAllocateVirtualMemory\nPatches the `call` instruction at `kernelbase!VirtualAlloc+0x41` by placing legitimate NTAPI stub at the same address and moving the rest of the function down 8 bytes (stub size).  \nThe `RIP` relative offset for `call QWORD PTR ds:[\u0026ZwAllocateVirtualMemory]` is recalculated and the pointer to the NTAPI call is patched to always land at `syscall` instruction, effectively skipping over installed trampolines.  
\nStack trace of patched call:\n```\n[0x0]   ntdll!NtAllocateVirtualMemory + 0x12   \n[0x1]   KERNELBASE!VirtualAlloc + 0x4f   [non-standard offset could be potentially a detection vector]\n[0x2]   NtAllocateVirtualMemory!main + 0x24e   \n[0x3]   NtAllocateVirtualMemory!invoke_main + 0x22   \n[0x4]   NtAllocateVirtualMemory!__scrt_common_main_seh + 0x10c   \n[0x5]   KERNEL32!BaseThreadInitThunk + 0x14   \n[0x6]   ntdll!RtlUserThreadStart + 0x21   \n```\n\nTested on Win10 x64 21H2 (19044.2728)\n\n### NtSetInformationProcess\n\nPatches the `call` instruction at `kernelbase!SetProcessInformation+0xDB`, ... blah, blah, same thing over and over again, you get the picture... in order to set the current process as **critical**.  \nI took a lazy route with this one, because `SetProcessInformation` rejects the `ProcessBreakOnTermination` flag, so in this one we're landing straight on top of the fugazi stub in `KernelBase`.  \nSince we're skipping all the meal prep that `SetProcessInformation` does before calling the NTCALL `NtSetInformationProcess`, we're gonna segfault very soon after returning from `NTDLL`, which will of course result in a BSOD with stop code `CRITICAL_PROCESS_DIED`. The way around this is to patch all the conditional jumps inside `SetProcessInformation` before the `call` takes place, but since the purpose of this is to BSOD anyway, it is literally pointless for me to bother with this.  \n\nTested on Win10 x64 22H2 (19045.2728)  \nKernelBase.dll version 10.0.19041.2728\n\n### NtWriteVirtualMemory\n\nSelf-explanatory. Offset is `KERNELBASE.DLL!WriteProcessMemory+0xB7`.  
\nUsage: `NtWriteVirtualMemory.exe \u003cpid\u003e \u003caddress\u003e`  \n\nTested on Win10 x64 21H2 (19044.2846) \nKernelBase.dll version 10.0.19041.2788\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx0reaxeax%2Fsyscallhookbypass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fx0reaxeax%2Fsyscallhookbypass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fx0reaxeax%2Fsyscallhookbypass/lists"}