Skip to content

x0reaxeax/SysCook64

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

SysCook64

SysCook64

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

LICENSE.txt

LICENSE.txt

 
 

README.md

README.md

 
 

SysCook64.sln

SysCook64.sln

 
 

Repository files navigation

SysCook64 - Cooking thread contexts for fun and profit

What is this?

This is a PoC technique for indirect syscall execution, by suspending, altering and resuming a thread.
The target thread's context is modified in order to land on a syscall instruction in NTDLL (we're doing NtAllocateVirtualMemory), with registers and stack prepared for syscall execution.
There's no need for syscall stubs, since all the arguments are written directly to the target's thread context, while it's suspended.

Demo

YouTube

About

Indirect Syscall invocation via thread hijacking

Topics

redteam thread-context edr-bypass edr-evasion detection-evasion hook-bypass indirect-syscall

Resources

Readme

License

MIT license
Activity

Stars

12 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Languages