DEFCON-31-Syscalls-Workshop

Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".


(In)direct Syscalls: A journey from high to low

RedOps | Red Team Village | DEF CON 31

Getting Started

Ready to rock! The last few months have definitely been a journey from high to low for me. I have challenged myself once again by creating this workshop for the Red Team Village at DEF CON 31 and sharing my biggest project yet with the infosec community. I hope it is a useful reference and a good source of mostly free material for community members to learn, or to teach others, about syscalls, direct syscalls and indirect syscalls.

All the theory and playbooks for the exercises can be found in the wiki, which together with the prepared POCs is the heart of this project. The POCs for the exercises can be found here on the main page.

Happy Learning!

Daniel Feichter @VirtualAllocEx, Founder @RedOps Information Security

Disclaimer

First of all, many thanks to my girlfriend, who has supported me in everything I do for over 10 years now! Without her support and backing none of my projects in the last 10 years would have been possible.

Thanks also to my good friend Andreas Clementi of AV-Comparatives, who has been supporting me since we first met. Also thanks to my friend Jonas Kemmner (who is an excellent Red Teamer) for supporting me and reading all my blog posts in advance. I am very grateful to have crossed paths with all these amazing people.

The content and all code examples in this repository are for educational and research purposes only and should only be used in an ethical context! The code examples are not new and I do not claim them to be. Most of the code or the basis comes, as so often, from ired.team, thank you @spotheplanet for your brilliant work and sharing it with us all. Also many thanks to @mrexodia for your awesome tool x64dbg.

Furthermore, and very importantly, this workshop is not a silver bullet in the context of EDR evasion. It should help you understand the basics of Win32 APIs, Native APIs, direct syscalls and indirect syscalls, and a bit about call stacks in the context of shellcode execution and EDR evasion, no more and no less. The aim of this workshop is not to show the stealthiest options or the most complex POCs for direct and indirect syscalls; instead, I focus on teaching the basics. This means using as few tools as possible and doing as much of the work manually as possible.

I would like to thank all those members of the infosec community who have researched, shaped and continue to research the topic of syscalls, direct system calls and indirect syscalls etc.

Special thanks to Cornelis de Plaa (@Cneelis) from Outflank for his blog post "Combining Direct System Calls and sRDI to bypass AV/EDR" in 2019, which sparked my interest in system calls, direct syscalls, etc., and also marked the starting point of my journey to learn about the Windows Internals.

Creds and References

Twitter handle, contribution and research:

@Cneelis
  https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
  https://github.com/outflanknl/Dumpert

@spotheplanet: His whole awesome blog and research
  https://www.ired.team/

@NinjaParanoid: For his blogs, research, courses and always answering my questions.
  https://0xdarkvortex.dev/hiding-in-plainsight/
  https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/

@ShitSecure: For his research, his blog and the great discussions about EDRs, syscalls, etc.
  https://s3cur3th1ssh1t.github.io/

@AliceCliment: For her blog, research and the discussions about EDRs, syscalls, etc.
  https://alice.climent-pommeret.red/posts/how-and-why-to-unhook-the-import-address-table/
  https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
  https://alice.climent-pommeret.red/posts/direct-syscalls-hells-halos-syswhispers2/

@0xBoku: For his overall research and contributions to infosec, helping new community members, and the continued advancement of infosec
  https://0xboku.com/
  https://github.com/boku7/AsmHalosGate
  https://github.com/boku7/HellsGatePPID
  https://github.com/boku7/halosgate-ps

@Jackson_T: For his research and tools SysWhispers and SysWhispers2
  https://github.com/jthuraisamy/SysWhispers
  https://github.com/jthuraisamy/SysWhispers2

@KlezVirus: For his blog, research, great discussions about EDRs, syscalls, etc. and SysWhispers3
  https://github.com/klezVirus/SysWhispers3
  https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
  https://github.com/klezVirus/SilentMoonwalk

@j00ru
  https://j00ru.vexillium.org/syscalls/nt/64/

@modexpblog
  https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

@netero_1010
  https://www.netero1010-securitylab.com/evasion/indirect-syscall-in-csharp

@CaptMeelo
  https://captmeelo.com/redteam/maldev/2021/11/18/av-evasion-syswhisper.html

Paul Laîné @am0nsec and smelly__vx @RtlMateusz
  https://github.com/am0nsec/HellsGate/tree/master

@mrd0x
  https://github.com/Maldev-Academy/HellHall

@SEKTOR7net
  https://blog.sektor7.net/#!res/2021/halosgate.md

@D1rkMtr
  https://github.com/TheD1rkMtr/D1rkLdr

@trickster012
  https://github.com/trickster0/TartarusGate

@thefLinkk
  https://github.com/thefLink/RecycledGate

@ElephantSe4l and MarioBartolome
  https://github.com/crummie5/FreshyCalls

Further resources

Sponsorship

If you are interested in supporting my work in general, and/or would like to learn step by step how to improve your indirect syscalls shellcode loader and get access to the learning materials and playbooks from the three bonus chapters, you can get access via a one-time GitHub sponsorship (Individual student or Corporate student tiers).

Bonus Chapter 1: Dynamic SSN retrieval via APIs
  We want to improve our indirect syscall shellcode loader and implement dynamic SSN retrieval via the GetModuleHandleA and GetProcAddress APIs.

Bonus Chapter 2: Dynamically retrieving SSNs via PEB/EAT
  We want to further improve our indirect syscall shellcode loader and implement dynamic SSN retrieval via the PEB walk and EAT parsing.

Bonus Chapter 3: Indirect syscalls and hooked APIs
  We want to further improve our indirect syscall loader and implement the Halos Gate approach to dynamically retrieve SSNs via PEB/EAT parsing, even if the four APIs used in our loader are hooked by an EDR.