Advanced evasion techniques
Let’s look at a more advanced bypass method: system calls (syscalls).
Syscalls
Windows syscalls let programs talk to the operating system and ask for specific services, such as reading or writing to a file, starting a new process, or allocating memory. Remember that when you call a WinAPI function, it is ultimately a syscall that carries out the task. For example, when the VirtualAlloc or VirtualAllocEx WinAPI functions are called, NtAllocateVirtualMemory starts running. This syscall passes the user-supplied arguments from the previous function call to the Windows kernel, performs the requested operation, and then returns the result to the program.
The outcome is reported through the NTSTATUS value that every syscall returns. If the syscall is successful, it returns a status code of 0.
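The NTSTATUS value is a packed 32-bit word, not just "0 or error": its top two bits hold a severity, and the SDK's NT_SUCCESS test only checks that the sign bit is clear. The following portable C program (an added example, not code from the book) decodes a few constructed sample values so that return codes seen in a debugger or in telemetry can be classified as success, informational, warning or error.

```c
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS layout (Windows SDK, ntdef.h):
 *   bits 31-30  severity: 0 success, 1 informational, 2 warning, 3 error
 *   bit  29     customer-defined code flag
 *   bit  28     reserved (N bit)
 *   bits 27-16  facility
 *   bits 15-0   code */
typedef int32_t NTSTATUS;

/* Same check the SDK's NT_SUCCESS macro performs: the sign bit is clear,
 * so both success (0x0...) and informational (0x4...) codes count as success. */
static int nt_success(NTSTATUS s) { return s >= 0; }

static unsigned nt_severity(NTSTATUS s) { return ((uint32_t)s >> 30) & 0x3; }
static unsigned nt_facility(NTSTATUS s) { return ((uint32_t)s >> 16) & 0xFFF; }
static unsigned nt_code(NTSTATUS s)     { return (uint32_t)s & 0xFFFF; }

static const char *nt_severity_name(NTSTATUS s) {
    static const char *names[] = { "SUCCESS", "INFORMATIONAL", "WARNING", "ERROR" };
    return names[nt_severity(s)];
}

int main(void) {
    /* Constructed sample values; each is a documented NTSTATUS constant. */
    const NTSTATUS samples[] = {
        (NTSTATUS)0x00000000, /* STATUS_SUCCESS */
        (NTSTATUS)0x00000103, /* STATUS_PENDING: informational, still NT_SUCCESS */
        (NTSTATUS)0x80000005, /* STATUS_BUFFER_OVERFLOW: warning */
        (NTSTATUS)0xC0000005, /* STATUS_ACCESS_VIOLATION: error */
        (NTSTATUS)0xC0000022, /* STATUS_ACCESS_DENIED: error */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        NTSTATUS s = samples[i];
        printf("0x%08X  %-13s facility=0x%03X code=0x%04X  NT_SUCCESS=%d\n",
               (uint32_t)s, nt_severity_name(s), nt_facility(s), nt_code(s),
               nt_success(s));
    }
    return 0;
}
```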
Microsoft hasn’t written documentation for most syscalls, so syscall modules will use the following reference from ReactOS NTDLL...