Malware Analysis: Syscalls
Great guide and overview about Syscalls and how to start diagnosing them.
https://jmpesp.me/malware-analysis-syscalls-example/
#maldev #cpp #syscall
SysWhispers is dead, long live SysWhispers!
In a journey around the fantastic tool SysWhispers, cover some of the strategies that can be adopted to detect it, both statically and dynamically.
https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/
#edr #evasion #syscall #redteam #blueteam
🔔 TamperingSyscalls
This is a two-part novel project consisting of argument spoofing and syscall retrieval, which both abuse EH in order to subvert EDRs. This project consists of both of these in order to provide an alternative solution to direct syscalls.
Research:
🔗 https://fool.ish.wtf/2022/08/feeding-edrs-false-telemetry.html
Source:
🔗 https://github.com/rad9800/TamperingSyscalls
#edr #evasion #maldev #syscall #tampering
🛠 DynamicSyscalls
This is a library written in .NET that resolves the syscalls dynamically (it has nothing to do with hooking/unhooking).
https://github.com/Shrfnt77/DynamicSyscalls
#maldev #csharp #syscall #library
🔀 Direct Syscalls vs Indirect Syscalls
This post discusses Indirect Syscalls as a solution to eliminate indicators of compromise and avoid detection by EDRs. Indirect Syscalls allow the execution of Syscall and Return statements in the memory of ntdll.dll, which is the usual behavior in Windows.
https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls
#maldev #syscall #edr #bypass
🐧 Linux Kernel Syscalls
Very useful website if you need a quick reference to Linux kernel syscalls (numbers and parameters for various architectures and kernel versions).
🌐 Details:
https://syscalls.mebeim.net/
#linux #kernel #syscall
😈 POSTDump
This is the C# / .NET implementation of the ReactOS minidump function (like nanodump), thus avoiding a call to the Windows API MiniDumpWriteDump function.
🚀 Key Features:
— Usage of indirect syscalls along with the Halo's Gate technique to retrieve syscall IDs
— No memory allocation/protection call is performed for indirect syscalls; instead, free RWX code caves found in the current process are used
— ETW patching
— No call to MiniDumpWriteDump
🌐 Source:
https://github.com/YOLOP0wn/POSTDump
#windows #lsass #dump #syscall #reactos
LSASS memory dumper using only NTAPIs, creating a minimal minidump, built in Rust with no_std and independent of the C runtime (CRT). It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission.
🚀 Features:
— NT System Calls for Everything
— No-Std and CRT-Independent
— Position Independent Code (PIC)
— Indirect NT Syscalls
— Lean Memory Dump
— XOR Encryption
🔗 Source:
https://github.com/safedv/RustiveDump
#lsass #indirect #syscall #pic #rust