Change Syscall Stub Generation to sort by system call address

Question

Opened this issue 4 years ago · 1 comments

Use the technique described by modexp in https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ and implemented in SysWhispers2 to derive syscall IDs by sorting the addresses of Zw* exports in ntdll.

Answer 1 · 2021-02-26T18:14:22.000Z

Looks like there is a version of SysWhispers2 for x86/WOW64 processes: https://github.com/mai1zhi2/SysWhispers2_x86