Secondary Categories: 02-Malware
Description:
When using syscalls generated by SysWhispers2, the end of a typical stub looks like this (by this point the stub has already resolved the syscall number into eax):

```asm
mov r10, rcx    ; first argument: syscall clobbers rcx, so the kernel reads it from r10
syscall         ; issue the system call (this is the instruction to replace)
ret
```

Instead, you can use `int 2Eh`, the legacy software-interrupt entry into the kernel, in place of the `syscall` instruction to avoid on-disk detection: a scanner that matches the `syscall` opcode bytes (`0F 05`) will not match `int 2Eh` (`CD 2E`). On x64 Windows the interrupt is still dispatched to the system service dispatcher, so the syscall number in eax and the `mov r10, rcx` argument convention stay the same. This only affects static scanning of the file on disk; anything that observes the call at runtime from the kernel side (callbacks, ETW telemetry) is unaffected.
Another way to bypass on-disk detection is to insert nop instructions, and a chain of register moves, between the instructions that place the values in the proper registers and the syscall instruction:

```asm
mov r15, rcx    ; route the first argument through a chain of registers ...
mov r14, r15
mov r13, r14
mov r10, r13    ; ... so that r10 still ends up holding rcx
nop             ; padding between the register setup and the syscall
nop
nop
nop
nop
syscall         ; invoke the syscall
ret
```

This can help if a scanner is looking for the register setup (`mov r10, rcx`, `mov eax, <ssn>`) immediately followed by a `syscall` instruction, since neither the usual byte sequence nor the adjacency is present any more. Note that r13, r14 and r15 are non-volatile in the Windows x64 calling convention: if the stub is called from compiled code, save and restore them (or chain through a volatile register such as r11), otherwise the caller's state is corrupted.
Resources:
| Title | URL |
|---|---|
| On Disk Detection Bypass with Legacy Instructions | https://medium.com/@merasor07/on-disk-detection-bypass-avs-edr-s-using-syscalls-with-legacy-instruction-series-of-instructions-5c1f31d1af7d |