syscall_api.asm block is used for dynamically finding the syscall number (SN) inside a function body and performing a manual syscall with the found SN. If SN could not be found inside the given function body, R10 register will be equal to -1. Check here for example code.
Block searches for the following common instruction sequence during syscalls.
mov r10, rcx
mov eax, ??? ; <-- two byte SN here
; ...
syscall
ret
- https://conference.hitb.org/hitbsecconf2023ams/session/windows-syscalls-in-shellcode-advanced-techniques-for-malicious-functionality/
- https://github.com/klezVirus/SysWhispers3
- https://github.com/jthuraisamy/SysWhispers2
- https://github.com/jthuraisamy/SysWhispers
- https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
- https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/