Skip to content
/ SysCook64 Public

Indirect Syscall invocation via thread hijacking

License

MIT license
22 stars 3 forks Branches Tags Activity
Star

x0reaxeax/SysCook64

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
SysCook64
SysCook64
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
LICENSE.txt
LICENSE.txt
 
 
README.md
README.md
 
 
SysCook64.sln
SysCook64.sln
 
 

Repository files navigation

SysCook64 - Cooking thread contexts for fun and profit

What is this?

This is a PoC technique for indirect syscall execution, by suspending, altering and resuming a thread.
The target thread's context is modified in order to land on a syscall instruction in NTDLL (we're doing NtAllocateVirtualMemory), with registers and stack prepared for syscall execution.
There's no need for syscall stubs, since all the arguments are written directly to the target's thread context, while it's suspended.

Demo

YouTube

About

Indirect Syscall invocation via thread hijacking

Topics

redteam thread-context edr-bypass edr-evasion detection-evasion hook-bypass indirect-syscall

Resources

Readme

License

MIT license
Activity

Stars

22 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Languages