01: Introduction and Abstract

VirtualAllocEx edited this page Aug 4, 2023 · 13 revisions

Introduction

In recent years, more and more EDR vendors have implemented the technique of user-mode hooking. Simply put, user-mode hooking allows an EDR to redirect code executed in the context of an API call into its own hooking DLL (hooking.dll) for analysis at runtime. If the call does not appear malicious to the EDR, the correlated system call is executed; otherwise the EDR prevents execution. User-mode hooking makes malware execution more difficult, so attackers (and red teams) use various techniques such as API unhooking, direct system calls or indirect system calls to bypass EDRs.

Abstract

This workshop is designed for new community members, or for members who want to understand and learn about system calls in general and the red teaming techniques of direct system calls and indirect system calls on Windows. All the content for this workshop (slides, exercises, playbooks, etc.) can be found in this repository. I hope you enjoy it and that it helps you gain a fundamental understanding of system calls in general and of the techniques of direct syscalls and indirect syscalls in particular.

Important note! This workshop only covers syscalls in the context of x64. x86 syscalls work a bit differently and are not covered here.

| Chapter Nr. | Chapter Name | Chapter Description |
|---|---|---|
| Chapter 1 | Windows NT Basics | We take a look at the basics of the Windows NT architecture that are necessary for this workshop. |
| Chapter 2 | Windows OS System Calls | What are system calls in general, and why are they necessary in Windows? |
| Chapter 3 | Concept of Direct Syscalls | What are direct syscalls, how do they work, and why are they used by red teamers? |
| Chapter 4 | Win32 APIs | We create a shellcode loader based on the Win32 APIs (high-level APIs) and analyse it. |
| Chapter 5 | Native APIs | We create a shellcode loader based on the Native APIs (medium-level APIs) and analyse it. |
| Chapter 6 | Direct Syscalls | We create a shellcode loader based on direct syscalls (low-level APIs) and analyse it. |
| Chapter 7 | Indirect Syscalls | We create a shellcode loader based on indirect syscalls (low-level APIs) and analyse it. |
| Chapter 8 | Call Stack Analysis | We analyse and compare the call stacks of all loaders. |
| Chapter 9 | Summary | Workshop summary and closing. |