Secondary Categories: 02-Malware


Description:

When using syscalls generated by SysWhispers2, the tail of every generated stub, i.e. the instructions that run once SW2_GetSyscallNumber has resolved the syscall number into eax and the argument registers have been restored, looks like the following:

mov r10, rcx        ; First argument is passed in r10 on the kernel side, not rcx
syscall             ; Issue syscall (bytes 0F 05); this is the instruction to be replaced
ret

Instead you can use int 2Eh in place of the syscall instruction to avoid on-disk detection: a scanner keyed on the bytes 0F 05 (syscall) will not match CD 2E (int 2Eh). On x64 Windows int 2Eh enters the same system service dispatcher with the same register convention (syscall number in eax, first argument in r10), and ntdll's own stubs still carry an int 2Eh fallback after the syscall instruction, so it is a legitimate entry path. The trade-offs are that the software interrupt is slower than syscall, and that an int 2Eh in a non-ntdll module is unusual enough to be signatured just as easily.

Another way to bypass on-disk detection is to place nop instructions between the moves that load the registers and the syscall instruction, and to route the value into r10 through a chain of intermediate registers rather than a single mov:

mov r15, rcx       ; Route the first argument through a chain of scratch registers
mov r14, r15
mov r13, r14
mov r10, r13       ; r10 ends up holding the same value as in the original stub
nop                ; Padding so the syscall no longer directly follows the mov
nop
nop
nop
nop
syscall            ; Invoking the syscall (eax still holds the syscall number)
ret

This helps when a scanner matches on a register move into r10 immediately followed by a syscall instruction. Note that the syscall bytes themselves (0F 05) are still present in the stub, so a rule that matches the syscall instruction on its own, wherever it appears, is unaffected by the padding.
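To make the on-disk effect of each rewrite concrete, here is an added example (not from the page or from SysWhispers2) that hand-assembles the three stub tails above into the x64 bytes they occupy in a binary, plus a fourth variant (the register chain without the nops) for comparison, and runs two illustrative static-scanner rules over them. The encodings are standard x64 (REX.W + 8B /r form for the moves); the two rules are constructed for this example and are not any vendor's real signature.

```python
"""Byte-level view of the syscall stub variants and what a static rule sees.

Added example. The instruction encodings are standard x64 machine code;
the scanner rules below are illustrative, not a real product's signatures.
"""
import re

# Hand-assembled x64 encodings (REX.W + 8B /r for register moves).
MOV_R10_RCX = bytes.fromhex("4C8BD1")   # mov r10, rcx
MOV_R15_RCX = bytes.fromhex("4C8BF9")   # mov r15, rcx
MOV_R14_R15 = bytes.fromhex("4D8BF7")   # mov r14, r15
MOV_R13_R14 = bytes.fromhex("4D8BEE")   # mov r13, r14
MOV_R10_R13 = bytes.fromhex("4D8BD5")   # mov r10, r13
NOP         = bytes.fromhex("90")       # nop
SYSCALL     = bytes.fromhex("0F05")     # syscall
INT_2E      = bytes.fromhex("CD2E")     # int 2Eh
RET         = bytes.fromhex("C3")       # ret

# The stub tails from the text, as the bytes they occupy on disk (constructed).
STUBS = {
    "syswhispers2":  MOV_R10_RCX + SYSCALL + RET,
    "int2e":         MOV_R10_RCX + INT_2E + RET,
    "chain_no_nops": MOV_R15_RCX + MOV_R14_R15 + MOV_R13_R14 + MOV_R10_R13
                     + SYSCALL + RET,
    "nop_padded":    MOV_R15_RCX + MOV_R14_R15 + MOV_R13_R14 + MOV_R10_R13
                     + NOP * 5 + SYSCALL + RET,
}

# Rule 1 (illustrative): any 64-bit "mov r10, <reg>" immediately followed by
# syscall. REX is 4C or 4D (W=1, R=1 selects r10 in the reg field), opcode 8B,
# ModRM 11 010 rrr = D0..D7 for the eight possible source registers.
ADJACENT_MOV_R10_SYSCALL = re.compile(rb"[\x4c\x4d]\x8b[\xd0-\xd7]\x0f\x05")


def rule_adjacent_mov_syscall(code: bytes) -> bool:
    """True if a mov into r10 is directly followed by a syscall instruction."""
    return ADJACENT_MOV_R10_SYSCALL.search(code) is not None


def rule_any_kernel_entry(code: bytes) -> list:
    """Names of direct kernel-entry instructions present anywhere in the bytes."""
    hits = []
    if SYSCALL in code:
        hits.append("syscall")
    if INT_2E in code:
        hits.append("int 2Eh")
    return hits


def scan(code: bytes) -> dict:
    """Run both rules over one stub and report what each one sees."""
    return {
        "adjacent_mov_syscall": rule_adjacent_mov_syscall(code),
        "kernel_entry": rule_any_kernel_entry(code),
    }


def scan_all() -> dict:
    """Scan every constructed stub variant."""
    return {name: scan(code) for name, code in STUBS.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:14s} {STUBS[name].hex(' ')}")
        print(f"{'':14s} {result}")
```

Running it shows the point of each rewrite: the register chain on its own still trips the adjacency rule (the final `mov r10, r13 ; syscall` is the same shape as the original), so it is the nops that break that rule; the int 2Eh variant defeats both a search for 0F 05 and the adjacency rule, but exposes CD 2E instead; and nothing here hides the syscall bytes from a rule that simply looks for 0F 05 anywhere.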


Resources:
