Kuba Gretzky · Jan 10, 2023 · 4:09 PM UTC

Kuba Gretzky · Jan 10, 2023 · 4:09 PM UTC

Kuba Gretzky

Kuba Gretzky @mrgretzky

Jan 10

After continuing to see new tools emerging, which rely on extracting the NTDLL syscall IDs from "mov eax, X" instruction, I wanted to remind everyone that syscall IDs can easily be calculated by sorting the addresses of Nt*/Zw* functions in NTDLL from lowest to highest. 🍻

Jan 10, 2023 · 4:09 PM UTC

276

@XC3LL@mastodon.social · Jan 10, 2023 · 5:37 PM UTC

@XC3LL@mastodon.social @TheXC3LL

Jan 10

Replying to @mrgretzky

Is not this the most used method ? I believe since @ElephantSe4l's freshycalls publication it was the default method people was using.

Kuba Gretzky · Jan 10, 2023 · 5:55 PM UTC

Kuba Gretzky @mrgretzky

Jan 10

I'd think so, but every recently released tool relies on grabbing the ID from "mov eax, X" gadget, instead.

more replies

f1zm0 · Jan 11, 2023 · 5:41 PM UTC

f1zm0 @f1zm0

Jan 11

Replying to @mrgretzky

I implemented the Zw calls sorting trick in Go a few months ago, after reading @modexpblog blog post on user-mode hooking bypass. github.com/f1zm0/hades

GitHub - f1zm0/hades: Evasive shellcode loader that combines SSNs sorting and syscalls for AV/EDR...

Evasive shellcode loader that combines SSNs sorting and syscalls for AV/EDR evasion in Go and Go ASM - GitHub - f1zm0/hades: Evasive shellcode loader that combines SSNs sorting and syscalls for AV/...

github.com

Kuba Gretzky · Jan 12, 2023 · 10:08 AM UTC

Kuba Gretzky @mrgretzky

Jan 12

Great stuff! 🔥

sixtyvividtails · Jan 10, 2023 · 11:11 PM UTC

sixtyvividtails @sixtyvividtails

Jan 10

Replying to @mrgretzky

It's neat property, but some people just don't feel safe relying on it. "Today linker sorts 'em, but tomorrow it won't; and one day PGO may move deprecated stuff far away (e.g. eventpair syscalls)" - it's that kind of thinking. So they opt for more mundane/defensive methods.

ElephantSe4l · Jan 11, 2023 · 1:58 AM UTC

ElephantSe4l @ElephantSe4l

Jan 11

This property is not “set” by the linker. It is not a coincidence. Windows use syscall numbers to get real kernel addresses of the services. Then, to build NTDLL stubs, Windows get all the numbers in order to build an ASM file including all stubs.

more replies

KermitFan · Jan 10, 2023 · 6:39 PM UTC

KermitFan @RealKermitFan

Jan 10

Replying to @mrgretzky

Computation of grabbing all functions and sorting vs a simple xor is astronomical. Syscalls can be done pretty rapidly and you’ll have ALOT of cpu time if you don’t store it somewhere sorting all the addresses. You also have to watch out for possible ordinals.

This tweet is unavailable

Kuba Gretzky · Jan 10, 2023 · 9:24 PM UTC

Kuba Gretzky @mrgretzky

Jan 10

Sounds like it may be much less complicated 😛

Hồng Thất Công · Jan 10, 2023 · 11:57 PM UTC

Hồng Thất Công @BangChuHongThat

Jan 10

Replying to @mrgretzky

CobaltStrike author already uses this technique in KoboldLoader CobaltStrike Beacon v4.x