
13: Chapter 7 | Indirect Syscalls

VirtualAllocEx edited this page Aug 9, 2023 · 5 revisions

What is an Indirect System Call?

The indirect syscall technique is an evolution of the direct syscall technique. With indirect syscalls, the syscall instruction and the ret instruction that follows it are executed from the memory of ntdll.dll rather than from the memory of our own assembly, as is the case with direct syscalls. Compared to direct syscalls, indirect syscalls address the following EDR detection problems:

  • First, the syscall instruction itself executes within the memory of ntdll.dll, which looks (more) legitimate to an EDR than a syscall instruction executing from the memory of the assembly, as with direct syscalls.
  • Second, the ret instruction that follows the syscall also executes within the memory of ntdll.dll. When the kernel returns to user mode it lands inside ntdll.dll, and only the ret then transfers control back to the memory of the indirect syscall assembly, so the return address observed at the time of the system call lies within ntdll.dll. This, too, looks (more) legitimate to an EDR than a direct syscall, where the kernel returns straight into the assembly's memory.

As we will see later, compared to the direct syscall POC, only the first part of the stub from the Native API is implemented and executed directly in the indirect syscall assembly itself, while the syscall instruction and the ret are executed in the memory of ntdll.dll, to which the assembly jumps. More on this later. The following diagram should help you understand the concept of indirect syscalls, bearing in mind that it is a simplified representation.

[Diagram 01: simplified representation of the indirect syscall flow between the assembly and ntdll.dll]