
11: Chapter 6 | Direct Syscalls

VirtualAllocEx edited this page Aug 3, 2023 · 8 revisions

What is a Direct System Call?

A direct system call is a technique that lets an attacker (red team) execute malicious code, e.g. shellcode, in such a way that the system call, or more precisely the syscall stub, is not obtained from ntdll.dll at all. Instead, the handful of assembly instructions that make up the stub (load the system service number into eax, execute syscall, return) are implemented directly in the malware or shellcode loader itself, e.g. in its own .text section. Hence the name direct system calls.

In the figure you can see that the user mode process malware.exe does not obtain the system call, or more precisely the instructions of the syscall stub, for the native API NtCreateFile from ntdll.dll, as would normally be the case, but has implemented the necessary instructions for the system call itself. The transition to kernel mode therefore happens from the malware's own memory, and ntdll.dll is never touched for this call.

[Figure 01]

For more information, see Chapter 3, which explains the concept of direct syscalls in more detail.