LayeredSyscall VEH to Bypass EDR
by redEyesBlackDrag - Friday January 10, 2025 at 08:27 PM
#1
The general idea is to generate a legitimate call stack before performing the indirect syscall while switching modes to the kernel land and also to support up to 12 arguments. Additionally, the call stack could be of the user's choice, with the assumption that one of the stack frames satisfies the size requirement for the number of arguments of the intended Nt* syscall. The implemented concept could also allow the user to produce not only the legitimate call stack but also the indirect syscall in between the user's chosen Windows API, if needed.


Vectored Exception Handler (VEH) is used to provide us with control over the context of the CPU without the need to raise any alarms. As exception handlers are not widely attributed as malicious behavior, they provide us with access to hardware breakpoints, which will be abused to act as a hook.


To note, the call stack generation mentioned here is not constructed by the tool or by the user, but rather performed by the system, without the need to perform unwinding operations of our own or separate allocations in memory. This means the call stack could be changed by simply calling another Windows API if detections for one are present.


Since a stack constructed in a program can usually get corrupted if not developed carefully, this tool allows the operating system to generate the necessary call stack without much hassle, adding to the fact that any Windows API could potentially be used. Also, this is not to say that the bypass method would work for every EDR out there, since it requires more thorough testing against many other EDRs and detection techniques to call it a global bypass.

Link to the tool: https://github.com/WKL-Sec/LayeredSyscall
#2
Layered indirect syscalls!? Malware developers are getting creative day by day, always something new.
