EDR EVASION TECHNIQUES USING SYSCALLS

What are Windows Syscalls

System calls (syscalls) are the interface between user-mode code and the Windows kernel. Whenever a program needs a kernel service, such as reading or writing a file, creating a new process, allocating memory, or using the kernel's cryptographic providers, it ends up issuing a syscall.

The syscalls sit underneath the Win32 API: when a program calls a Win32 function, that function is only an intermediary that eventually invokes the corresponding syscall. This lower layer is also known as the Native API. The majority of syscalls are not officially documented by Microsoft, so we rely on third-party documentation. Generally every syscall returns an NTSTATUS value that indicates success or failure (zero or a positive value is success; a value with the top bit set, such as 0xC0000022 STATUS_ACCESS_DENIED, is an error). It is important to note, however, that a function returning NTSTATUS is not necessarily a syscall; some Nt* routines in ntdll.dll complete entirely in user mode.

e.g. NtAllocateVirtualMemory is the syscall that actually runs under the hood when a program calls VirtualAlloc or VirtualAllocEx from the Win32 API. This is where ntdll.dll plays an important role: the user-mode stubs for the native syscalls are exported from ntdll.dll, and kernel32.dll/kernelbase.dll call into them. Each stub loads the system service number into EAX and executes the syscall instruction, which transfers control to the kernel.

Calling these ntdll.dll functions directly has advantages over the standard Win32 functions. They expose more parameters, giving finer control over what the kernel does, and they skip the Win32 layer. That matters for evasion because host-based security solutions place their user-mode hooks on exported API functions: calling the Nt* export directly bypasses hooks placed in kernel32.dll/kernelbase.dll, and issuing the syscall instruction yourself (a direct syscall) bypasses hooks placed on the ntdll.dll stub as well.

e.g. NtAllocateVirtualMemory vs VirtualAlloc in terms of arguments:

LPVOID VirtualAlloc(
  [in, optional] LPVOID lpAddress,
  [in]           SIZE_T dwSize,
  [in]           DWORD  flAllocationType,
  [in]           DWORD  flProtect
);

__kernel_entry NTSYSCALLAPI NTSTATUS NtAllocateVirtualMemory(
  [in]      HANDLE    ProcessHandle,
  [in, out] PVOID     *BaseAddress,
  [in]      ULONG_PTR ZeroBits,
  [in, out] PSIZE_T   RegionSize,
  [in]      ULONG     AllocationType,
  [in]      ULONG     Protect
);

Both functions take an allocation type and a protection value, so the extra control NtAllocateVirtualMemory gives you is in the other parameters. ProcessHandle selects the target process (VirtualAlloc is hard-wired to the current process; VirtualAllocEx adds a handle). ZeroBits constrains the high bits of the address the kernel may return. BaseAddress and RegionSize are in/out: you pass the requested base (or NULL) and size, and the kernel writes back the actual base and the size rounded to page boundaries, so you always learn exactly what was mapped. None of this passes through kernel32.dll/kernelbase.dll.
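The following C program is an added example, not code from the original post. It shows the argument mapping described above: what a VirtualAlloc call turns into by the time it reaches NtAllocateVirtualMemory, how the in/out BaseAddress and RegionSize come back rounded, how an NTSTATUS is checked, and (on Windows only) the same allocation issued through the NtAllocateVirtualMemory export in ntdll.dll instead of kernel32. The struct and helper names (nt_alloc_args, map_virtualalloc, model_region_rounding, nt_success, alloc_rw_via_ntdll) are my own, the 4 KiB page size and 64 KiB allocation granularity are the x86/x64 defaults, and model_region_rounding is a simplified model of the documented VirtualAlloc rounding rules, not the kernel's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>      /* NTSTATUS */
#else
/* Off Windows only the argument mapping and the rounding model are built;
   these are the few Windows types and constants they need. */
typedef void     *HANDLE;
typedef void     *PVOID;
typedef uintptr_t ULONG_PTR;
typedef size_t    SIZE_T;
typedef uint32_t  ULONG;
typedef int32_t   NTSTATUS;
#define MEM_COMMIT     0x00001000
#define MEM_RESERVE    0x00002000
#define PAGE_READWRITE 0x04
#endif

#define NT_PAGE_SIZE         0x1000u   /* 4 KiB page (x86/x64), assumed */
#define NT_ALLOC_GRANULARITY 0x10000u  /* 64 KiB reservation granularity, assumed */

/* The six NtAllocateVirtualMemory parameters, in order. */
typedef struct {
    HANDLE    ProcessHandle;
    PVOID     BaseAddress;
    ULONG_PTR ZeroBits;
    SIZE_T    RegionSize;
    ULONG     AllocationType;
    ULONG     Protect;
} nt_alloc_args;

/* What VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) becomes
   by the time kernelbase reaches NtAllocateVirtualMemory. */
nt_alloc_args map_virtualalloc(void *lpAddress, size_t dwSize,
                               uint32_t flAllocationType, uint32_t flProtect)
{
    nt_alloc_args a;
    a.ProcessHandle  = (HANDLE)(intptr_t)-1;  /* GetCurrentProcess() pseudo-handle */
    a.BaseAddress    = lpAddress;             /* in: NULL or hint; out: actual base */
    a.ZeroBits       = 0;                     /* no constraint on the address */
    a.RegionSize     = dwSize;                /* in: requested; out: page-rounded */
    a.AllocationType = flAllocationType;
    a.Protect        = flProtect;
    return a;
}

/* Model of what the kernel writes back through the in/out parameters, following
   the rounding rules documented for VirtualAlloc: a reserve rounds the base down
   to 64 KiB granularity, a commit rounds it down to a page, and the size grows to
   cover every page that [base, base+size) touches. With a NULL base the kernel
   picks the base and only the size is rounded up. */
typedef struct { uintptr_t base; size_t size; } nt_region;

nt_region model_region_rounding(uintptr_t base, size_t size, uint32_t alloc_type)
{
    nt_region r;
    uintptr_t align = (alloc_type & MEM_RESERVE) ? NT_ALLOC_GRANULARITY : NT_PAGE_SIZE;
    uintptr_t page_mask = ~(uintptr_t)(NT_PAGE_SIZE - 1);
    if (base == 0) {
        r.base = 0;
        r.size = (size + NT_PAGE_SIZE - 1) & page_mask;
        return r;
    }
    r.base = base & ~(align - 1);
    r.size = ((base + size + NT_PAGE_SIZE - 1) & page_mask) - r.base;
    return r;
}

/* NTSTATUS: 0 is STATUS_SUCCESS; values with the top bit set (e.g. 0xC0000022
   STATUS_ACCESS_DENIED) are errors, i.e. negative as a signed 32-bit int. */
int nt_success(NTSTATUS status) { return status >= 0; }

#ifdef _WIN32
typedef NTSTATUS (NTAPI *NtAllocateVirtualMemory_t)(HANDLE, PVOID *, ULONG_PTR,
                                                    PSIZE_T, ULONG, ULONG);

/* Same allocation as VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE),
   but issued through ntdll.dll's export rather than through kernel32/kernelbase. */
void *alloc_rw_via_ntdll(size_t size, size_t *rounded_size)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtAllocateVirtualMemory_t pNtAlloc = ntdll
        ? (NtAllocateVirtualMemory_t)GetProcAddress(ntdll, "NtAllocateVirtualMemory") : NULL;
    if (!pNtAlloc) return NULL;

    nt_alloc_args a = map_virtualalloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    NTSTATUS st = pNtAlloc(a.ProcessHandle, &a.BaseAddress, a.ZeroBits,
                           &a.RegionSize, a.AllocationType, a.Protect);
    if (!nt_success(st)) return NULL;
    if (rounded_size) *rounded_size = a.RegionSize;  /* written back by the kernel */
    return a.BaseAddress;
}
#endif

int main(void)
{
#ifdef _WIN32
    size_t got = 0;
    void *p = alloc_rw_via_ntdll(100, &got);
    printf("ntdll NtAllocateVirtualMemory: base=%p RegionSize=0x%zx\n", p, got);
#else
    nt_region r = model_region_rounding(0x401234u, 100, MEM_COMMIT);
    printf("model: base=0x%lx size=0x%zx\n", (unsigned long)r.base, r.size);
#endif
    return 0;
}
```

On Windows the program asks for 100 bytes and the kernel writes 0x1000 back into RegionSize, which is the in/out behaviour the VirtualAlloc prototype hides; off Windows the model reproduces the same rounding so the mapping can be checked without a kernel.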
