This repository showcases a malware model that uses Direct Syscalls to evade Endpoint Detection and Response (EDR) systems. The malware is developed using C and Assembly, focusing on bypassing traditional security mechanisms that detect Native API or standard system calls.
- Direct Syscalls: Bypasses traditional EDR detections by avoiding the standard Native API or system call methods, which are commonly monitored.
- EDR Evasion: Utilizes Direct Syscalls to execute system functions without triggering common security detections, enhancing stealth.
- Syscall Invocation: The malware directly invokes syscalls using Assembly to bypass the standard API layers.
- Bypassing EDR: By not relying on the usual API, the malware avoids detection mechanisms that monitor Native API calls.
- C and Assembly: The malware is developed using a combination of C for higher-level logic and Assembly for low-level syscall invocation.
- Syscall Table: Utilizes a custom syscall table to map and invoke specific system functions directly.
-
Clone the Repository: Download the project from GitHub.
-
Compile the Code: Use Visual Studio or a compatible compiler to build the executable.
-
Run the Malware: Execute the compiled binary, optionally specifying a process ID (PID) and thread ID (TID) for injection.
DirectSyscall.exe <PID> <TID>
- Disable Windows Defender: Ensure Just-In-Time (JIT) Windows Defender is disabled to avoid interference during execution.
- Administrator Privileges: Running the malware may require administrator rights depending on the target system and operations performed.
This project is for educational purposes only. Misuse of this code can lead to severe consequences, and it should only be used in a controlled, legal environment.
All rights reserved.