SyscallMeMaybe?

Implementation of Indirect Syscall technique to pop an innocent calc.exe

What this is all about?

Had this code for a while and only now decided to open-source it. It's nothing new, no bleeding-edge technique whatsoever, but my C++ implementation of an Indirect Syscall poc to bypass Userland hooks implemented by way too curious EDR products.

Indirect Syscall what?

As mentioned above Indirect Syscall is a technique used to avoid that EDRs sniff around the Win32 API that we need to run our very benevolent shellcode. Haven't ranted on a blog about this technique because there are a lot of resources online about it, same reason I won't be ranting about it here but just giving you this (and verbose comments in the code):

1. Direct Syscalls VS Indirect Syscalls
2. SysWhisper3
3. Dumpert from Outflank
4. Beautiful blog by Alice Climent-Pommeret
5. FreshyCalls
6. Hell's Gate paper

Also few references to learn about malware development:

1. MaldevAcademy
2. Sektor7

Do not do nasty stuff with this code please. Chee(e)rs