Legacy Instructions

Secondary Categories: 02-Malware

Description:

When using syscalls that are generated from Syswhispers2 the typical syscall stub looks like the following:

mov r10, rcx
syscall             ; Issue Syscall to be replaced
ret

Instead you can use int 2Eh in place of the assembly syscall to avoid on disk detection

Another way to bypass on disk detection is using the nop instructions between the instructions to place the values in the proper registries and the syscall instruction.

mov r15, rcx
mov r14, r15
mov r13, r14
mov r10, r13
nop
nop
nop
nop
nop
syscall            ; Invoking the syscall
ret

This can help if a scanner is looking to some registry changes then a syscall command directly after.

Resources:

Title	URL
On Disk Detection Bypass with Legacy Instructions	https://medium.com/@merasor07/on-disk-detection-bypass-avs-edr-s-using-syscalls-with-legacy-instruction-series-of-instructions-5c1f31d1af7d

Also Check Out:

Placeholder

The Void 🌌

Explorer

Legacy Instructions

Description:

Resources:

Also Check Out:

Graph View

Backlinks

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer

Explorer

Table of Contents

Recent Blog Posts

No More Network Bottlenecks

Unmasking Secrets - Deciphering Encrypted Passwords through Reverse Engineering

Conquering Goliath as a CCDC Blue Teamer