Implementation of Indirect Syscall technique to pop an innocent calc.exe
I had this code lying around for a while and only now decided to open-source it. It's nothing new, no bleeding-edge technique whatsoever, just my C++ implementation of an Indirect Syscall PoC to bypass the userland hooks that overly curious EDR products install.
As the title says, Indirect Syscall is a technique used to keep EDRs from sniffing around the Win32 API calls our very benevolent shellcode needs. I haven't ranted about this technique on a blog because there are plenty of resources online about it, and for the same reason I won't be ranting about it here; instead I'll just give you these references (plus verbose comments in the code):
- Direct Syscalls VS Indirect Syscalls
- SysWhisper3
- Dumpert from Outflank
- Beautiful blog by Alice Climent-Pommeret
- FreshyCalls
- Hell's Gate paper
Also, a few references to learn about malware development:
Do not do nasty stuff with this code please. Chee(e)rs