These last months I've been familiarizing myself with Windows syscalls: how they work, their offensive usage and potential detections from the blue side. Although the theory was quite interesting, I had to get my hands on it.
I started with the basics: static syscalls for my version of Windows.
As I'm not a pentester - I'm a programmer - I found it too cumbersome to have to define each syscall stub by hand every time. That's why I made a list of all the syscall numbers for my build and a small template: the number to use is stored in a global variable, and a single assembly stub reads it and issues the syscall.
It was something like this:
```asm
EXTERN syscall_no:DWORD

.code
call_syscall PROC
    mov r10, rcx            ; x64 syscall convention: first argument goes in r10
    mov eax, syscall_no     ; syscall number set by the caller in the global
    syscall
    ret
call_syscall ENDP
END
```

```cpp
extern "C" DWORD syscall_no = 0;      // written before each call, read by the asm stub
extern "C" void* call_syscall(...);   // stub defined in the .asm file above
[...]
syscall_no = syscalls.find("NtReadVirtualMemory");   // look up the number for this build
call_syscall(h_process, mem_addr, &buf, mem_size, nullptr);
```
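The lookup behind `syscalls.find(...)` is the part that breaks when the OS changes, because syscall numbers are assigned per Windows build. The following is an added example, not code from the original post: a table keyed by build number, so a lookup fails explicitly instead of returning a stale number for a different release. The build numbers and syscall numbers are constructed placeholders, not values for any real Windows version, and `find_syscall` / `require_syscall` are names chosen here.

```cpp
// Added example: version-keyed syscall number lookup with explicit failure paths.
// All build numbers and syscall numbers below are constructed placeholders.
#include <cstdint>
#include <map>
#include <optional>
#include <stdexcept>
#include <string>

using SyscallTable = std::map<std::string, uint32_t>;

// Outer key: OS build number. Inner map: syscall name -> number for that build.
static const std::map<uint32_t, SyscallTable> kTables = {
    {10000, {{"NtReadVirtualMemory", 0x3f}, {"NtWriteVirtualMemory", 0x3a}}},  // constructed
    {20000, {{"NtReadVirtualMemory", 0x40}, {"NtWriteVirtualMemory", 0x3b}}},  // constructed
};

// Returns the number only if both the build and the name are known.
std::optional<uint32_t> find_syscall(uint32_t build, const std::string& name) {
    auto t = kTables.find(build);
    if (t == kTables.end()) return std::nullopt;          // unsupported build
    auto s = t->second.find(name);
    if (s == t->second.end()) return std::nullopt;        // unknown syscall name
    return s->second;
}

// Strict variant: throws rather than letting the caller proceed with a bogus value.
uint32_t require_syscall(uint32_t build, const std::string& name) {
    auto n = find_syscall(build, name);
    if (!n) {
        throw std::runtime_error("no syscall number for " + name +
                                 " on build " + std::to_string(build));
    }
    return *n;
}

// True when every entry of the table for `build` is present, used as a startup check
// so a partially filled table is caught before any number is ever used.
bool table_complete(uint32_t build, const SyscallTable& expected) {
    auto t = kTables.find(build);
    if (t == kTables.end()) return false;
    for (const auto& [name, _] : expected) {
        if (t->second.find(name) == t->second.end()) return false;
    }
    return true;
}
```

The point of the build-keyed outer map is that the program can compare the running OS build against the table at startup and refuse to continue if there is no matching entry; with a flat name-to-number list, a mismatch only surfaces as a wrong syscall being executed.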