In chapter4-demo3 you say:

// Code below is adapted from @modexpblog. Read linked article for more details.
// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
However, what you do is just get the syscall addresses from the ntdll.dll that has already been loaded into the process. Most likely, those would have been hooked by EDR, whereas the author's idea was to get the syscalls from the LdrpThunkSignature structure and load a new copy of ntdll.dll into the process space.
Also, direct syscall for NtCreateThreadEx does not work for some reason...
UPD re syscall numbers: for some reason the syscall numbers returned by SW3_GetSyscallNumber are incorrect. In my case, the discrepancy between the returned value and the correct one is 4.