Single stub direct and indirect syscalling with runtime SSN resolving for windows.
Included writeup PDF link: https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
- Single stub
- One single line for all your syscalls
- Direct or Indirect sycalls
- x86_64, WOW64 and x86 native support
- Call
Syscall(<function>, <args>)NTSTATUS status = Syscall(NT_CLOSE, handle);
- Reimplementation of the ssn fetching method used here is recommended, the one showed in this repo is really simple and can present problems with certains AV/EDRs, more complex methods has been showed before, and implementing them is out of scope in this project.
- For doing this, modifications to the GetSsn() function is needed, maintining its definition.
Thanks to SysWhispers3 for being a strong pilar on the development of this library, and Foliage for the implementation of the dbj2 hash, module/function addr resolving implementation and types definitions