https://github.com/x0reaxeax/syscook64

Indirect Syscall invocation via thread hijacking
https://github.com/x0reaxeax/syscook64

detection-evasion edr-bypass edr-evasion hook-bypass indirect-syscall redteam thread-context

Last synced: 2 months ago
JSON representation

Indirect Syscall invocation via thread hijacking

• Host: GitHub
• URL: https://github.com/x0reaxeax/syscook64
• Owner: x0reaxeax
• License: mit
• Created: 2023-05-05T19:50:59.000Z (about 2 years ago)
• Default Branch: master
• Last Pushed: 2023-05-05T20:09:33.000Z (about 2 years ago)
• Last Synced: 2025-04-05T11:39:53.207Z (2 months ago)
• Topics: detection-evasion, edr-bypass, edr-evasion, hook-bypass, indirect-syscall, redteam, thread-context
• Language: C
• Homepage:
• Size: 12.7 KB
• Stars: 14
• Watchers: 2
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

README

        
# SysCook64 - Cooking thread contexts for fun and profit

## What is this?

This is a PoC technique for indirect syscall execution, by suspending, altering and resuming a thread.  

The target thread's context is modified in order to land on a `syscall` instruction in `NTDLL` (we're doing `NtAllocateVirtualMemory`), with registers and stack prepared for syscall execution.  

There's no need for syscall stubs, since all the arguments are written directly to the target's thread context, while it's suspended.  

## Demo

[YouTube](https://youtu.be/HU47BmJJw98)