Direct and indirect syscalls for red team operations
Learn what direct and indirect syscalls are and how they differ in red team tradecraft.
Syscalls (system calls) are the gateway between user-mode applications and the operating system's kernel, and understanding how to use them stealthily can go a long way toward successful red team operations.
Imagine you're entering a building through the main entrance, where security guards check your ID, scan your belongings, and log your entry—this is like using direct syscalls. Everyone sees you entering, and your visit is recorded. Now, imagine sneaking in through a side door used by employees, bypassing security checks entirely—that’s similar to using indirect syscalls. The end result is the same—you’re inside the building—but one method is highly visible while the other remains unnoticed.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Direct syscalls involve calling system functions by directly invoking the syscall number and executing it in the expected manner. This is akin to following official procedures at a security checkpoint. The process for direct syscalls involves placing the required parameters in the correct registers, using the syscall (or the legacy int 0x2E interrupt) instruction to transition to kernel mode, and receiving the kernel's response. While direct syscalls offer faster execution with minimal overhead, they are easily detectable by security solutions like EDRs, which monitor API calls and kernel interactions.
On the other hand, indirect syscalls attempt to bypass detection by obfuscating or rerouting the execution flow. There are different ways to achieve this, including syscall stubbing, where syscall addresses are resolved at runtime instead of relying on ntdll.dll exports, and stack spoofing, which manipulates return addresses to make execution appear legitimate. Other techniques, such as Heaven's Gate, allow 32-bit processes to transition to 64-bit execution to evade user-mode hooks. Indirect syscalls help reduce detection risk by bypassing API hooks, making them a preferred choice for stealthy operations. However, they require more complex implementation and can still be detected through behavioral analysis by advanced security solutions.
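To make the detection side of the two paragraphs above concrete, here is an added example (not code from the original post) that models the call-stack check an EDR can run on syscall telemetry: a direct syscall executes the syscall instruction outside ntdll.dll, while an indirect syscall returns into ntdll but is reached from memory no image backs. The module map, addresses and events are constructed sample values for a hypothetical 64-bit process.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module map for a hypothetical 64-bit process (sample values).
MODULES = [
    Module("ntdll.dll", 0x7FF8_0000_0000, 0x1F_0000),
    Module("kernelbase.dll", 0x7FF7_F000_0000, 0x2E_0000),
    Module("app.exe", 0x1_4000_0000, 0x5_0000),
]

def module_for(addr: int) -> Optional[str]:
    """Name of the image backing addr, or None for unbacked (private) memory."""
    for m in MODULES:
        if m.contains(addr):
            return m.name
    return None

def classify_syscall(stack: List[int]) -> str:
    """stack[0] is the user-mode RIP at the moment the syscall entered the
    kernel; stack[1:] are the return addresses above it, innermost first."""
    frames = [module_for(a) for a in stack]
    if frames[0] != "ntdll.dll":
        # The syscall instruction itself executed outside ntdll: direct syscall
        # (a production check would also allow win32u.dll's stubs).
        return "direct-syscall"
    if len(frames) > 1 and frames[1] is None:
        # ntdll's stub was entered from memory no image backs: the return
        # address check passes, but the caller is the tell for indirect syscalls.
        return "indirect-syscall-suspect"
    return "benign"

# Constructed sample events: (label, call stack).
SAMPLE_EVENTS = [
    ("VirtualAlloc via kernelbase", [0x7FF8_0001_2340, 0x7FF7_F002_0100, 0x1_4000_1200]),
    ("syscall stub compiled into app.exe", [0x1_4000_3010, 0x1_4000_1200]),
    ("jmp into ntdll from an unbacked buffer", [0x7FF8_0001_2340, 0x2_5000_0040, 0x1_4000_1200]),
]

def triage(events=SAMPLE_EVENTS):
    """Map each event label to its verdict."""
    return {label: classify_syscall(stack) for label, stack in events}

if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{verdict:26} {label}")
```

The third event shows why the page says indirect syscalls "can still be detected": the return-address check alone is satisfied, so the verdict has to come from the frame above it.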
A popular tool for implementing indirect syscalls is SysWhispers3 by KlezVirus, which allows red team operators to generate syscall stubs dynamically, bypassing user-mode hooks set by EDRs. It obfuscates system calls by generating indirect syscall wrappers that mimic legitimate calls but execute syscalls without being intercepted.
Red Team Notes
- Direct system calls are invoked explicitly using the syscall instruction.
- Indirect system calls are executed through obfuscation techniques like syscall stubbing.
Further reading