An evasion framework demonstrating how malware could decouple syscalls and use PEB gadget scanning to bypass call-stack telemetry
▲ 8 r/ExploitDev+1 crossposts

An evasion framework demonstrating how malware could decouple syscalls and use PEB gadget scanning to bypass call-stack telemetry

Hi. I’m the dev behind SindriKit, an open-source C framework built around Dependency Injection for windows exploitation.

So, direct syscalls are burned. EDRs inspect the call stack during the kernel transition. If the syscall instruction originates from a payload heap instead of legitimate ntdll.dll memory, it gets flagged.

Most public exploits couple SSN resolution with a hardcoded execution assembly code. If you need to switch execution profiles, you have to rewrite the core logic.

SindriKit v1.2.0 separates finding the SSN from actually executing it via independent interface tables.

// How do we find the SSN?
snd_syscall_set_resolver(snd_syscall_resolve_ssn_scan);

// How do we execute the syscall?
snd_syscall_set_invoker(snd_syscall_indirect_invoke_asm);
snd_syscall_set_gadget_finder(snd_syscall_find_gadget_scan);

If indirect syscalls start causing stability issues, you swap one pointer (snd_syscall_set_invoker(snd_syscall_direct_invoke_asm);) to drop back to direct execution.

Under the hood, snd_syscall_find_gadget_scan walks the PEB to find the natively loaded ntdll.dll and dynamically scans for a legitimate syscall; ret gadget, avoiding disk-read.

The project is Open Source, and heavily documented. It could be a great reference for some of you here.

sibouzitoun.tech
u/Important_Map6928 — 5 days ago

Defeating EDR call-stack telemetry by fully decoupling syscall invocation and SSN resoultion

Hi. I’m the dev behind SindriKit, an open-source C framework built around Dependency Injection for windows exploitation.

So, direct syscalls are burned. EDRs inspect the call stack during the kernel transition. If the syscall instruction originates from a payload heap instead of legitimate ntdll.dll memory, it gets flagged.

Most public exploits couple SSN resolution with a hardcoded execution assembly code. If you need to switch execution profiles, you have to rewrite the core logic.

SindriKit v1.2.0 separates finding the SSN from actually executing it via independent interface tables.

// How do we find the SSN?
snd_syscall_set_resolver(snd_syscall_resolve_ssn_scan);

// How do we execute the syscall?
snd_syscall_set_invoker(snd_syscall_indirect_invoke_asm);
snd_syscall_set_gadget_finder(snd_syscall_find_gadget_scan);

If indirect syscalls start causing stability issues, you swap one pointer (snd_syscall_set_invoker(snd_syscall_direct_invoke_asm);) to drop back to direct execution.

Under the hood, snd_syscall_find_gadget_scan walks the PEB to find the natively loaded ntdll.dll and dynamically scans for a legitimate syscall; ret gadget, avoiding disk-read.

The project is Open Source, and heavily documented. Feedback is appreciated.

github.com
u/Important_Map6928 — 5 days ago

Defeating call-stack telemetry by decoupling syscall invocation

Hi. I’m the dev behind SindriKit, an open-source C framework built around Dependency Injection for windows exploitation.

So, direct syscalls are burned. EDRs inspect the call stack during the kernel transition. If the syscall instruction originates from a payload heap instead of legitimate ntdll.dll memory, it gets flagged.

Most public exploits couple SSN resolution with a hardcoded execution assembly code. If you need to switch execution profiles, you have to rewrite the core logic.

SindriKit v1.2.0 separates finding the SSN from actually executing it via independent interface tables.

// How do we find the SSN?
snd_syscall_set_resolver(snd_syscall_resolve_ssn_scan);

// How do we execute the syscall?
snd_syscall_set_invoker(snd_syscall_indirect_invoke_asm);
snd_syscall_set_gadget_finder(snd_syscall_find_gadget_scan);

If indirect syscalls start causing stability issues, you swap one pointer (snd_syscall_set_invoker(snd_syscall_direct_invoke_asm);) to drop back to direct execution.

Under the hood, snd_syscall_find_gadget_scan walks the PEB to find the natively loaded ntdll.dll and dynamically scans for a legitimate syscall; ret gadget, avoiding disk-read.

The project is Open Source, and heavily documented. It could be a great learning resource for some of you here.

reddit.com
u/Important_Map6928 — 5 days ago
▲ 16 r/ExploitDev+2 crossposts

Applying DI in C to decouple Windows exploitation from the execution mechanics

Wrote a tech breakdown on solving the coupling problem in Windows exploit as execution techniques are usually hardcoded.

sibouzitoun.tech
u/Important_Map6928 — 7 days ago

hello everyone,

So for some context my daily language is "Tunisian derja", and my media diet is almost exclusively french and english. I literally haven't studied, read, or written in standard Arabic since BAC exam (High school) about 4 years ago (and I actually hated it).

The other day I was incredibly bored and my brain just randomly came up with this first short piece of poetry/wordplay. I ended up writing a second one right after just to see if the first was a total fluke.

Quick disclaimer: The concepts, words, and wordplay are 100% mine. I only ran the text through an AI to add the Tashkeel so it looks right and reads properly

I'd love to hear what you guys think.

Piece 1:

دَرَيْتُ أَنَّ لِلدِّرَايَةِ دَرْبًا، فَمَا لِي لَا أَدْرِي مِنْ دَرْبِي غَيْرَ الدِّرَايَةِ؟

فَلَعَلَّ الدَّرْبَ لَا يُفْضِي إِلَى درَايَةِ، بَلِ الدِّرَايَةُ أَنْ تُدْرِكَ أَنَّكَ الدَّرْبُ.

Piece 2:

فِي بِحَارِكَ أَبْحَرْتُ، وَبِحِبْرِي أَخْبَرْتُ.

فَمَالِ أَمْوَاجِكَ تُحَارِبُنِي، وَمَا لِي فِي بِحَارِكَ مَا رُحِّبْتُ؟

reddit.com
u/Important_Map6928 — 2 months ago

hello everyone,

So for some context my daily language is derja (no shit), and my media diet is almost exclusively french and english. I literally haven't studied, read, or written in standard Arabic since BAC about 4 years ago (and I actually hated it).

The other day I was incredibly bored and my brain just randomly came up with this first short piece of poetry/wordplay. I ended up writing a second one right after just to see if the first was a total fluke.

Quick disclaimer: The concepts, words, and wordplay are 100% mine. I only ran the text through an AI to add the Tashkeel so it looks right and reads properly

I'd love to hear what you guys think.

Piece 1:

دَرَيْتُ أَنَّ لِلدِّرَايَةِ دَرْبًا، فَمَا لِي لَا أَدْرِي مِنْ دَرْبِي غَيْرَ الدِّرَايَةِ؟

فَلَعَلَّ الدَّرْبَ لَا يُفْضِي إِلَى درَايَةِ، بَلِ الدِّرَايَةُ أَنْ تُدْرِكَ أَنَّكَ الدَّرْبُ.

Piece 2:

فِي بِحَارِكَ أَبْحَرْتُ، وَبِحِبْرِي أَخْبَرْتُ.

فَمَالِ أَمْوَاجِكَ تُحَارِبُنِي، وَمَا لِي فِي بِحَارِكَ مَا رُحِّبْتُ؟

reddit.com
u/Important_Map6928 — 2 months ago
▲ 2 r/arabic

مرحباً جميعاً،

للتوضيح فقط: أنا تونسي، وكما تعلمون لغتنا اليومية هي الدارجة. معظم استهلاكي للميديا بالفرنسية أو الإنجليزية، وعلاقتي بالفصحى شبه منقطعة منذ أيام المعهد (الثانوية) قبل 4 سنوات تقريباً.

منذ أيام كنت أشعر بملل وكتبت الخاطرة الأولى بشكل عشوائي كمجرد تلاعب بالكلمات. ثم كتبت الثانية لأختبر إن كان الأمر في المقطع الأول مجرد صدفة أو ضربة حظ.

ملاحظة مهمة: الكلمات، الأفكار، والتلاعب اللفظي هي مجهودي الشخصي 100%. استعنت بالذكاء الاصطناعي فقط لوضع التشكيل الصحيح وتصحيح بعض الهمزات لتُقرأ بشكل سليم!

هذا ما خرجت به، وأريد رأيكم الصريح:

المقطع الأول:

دَرَيْتُ أَنَّ لِلدِّرَايَةِ دَرْبًا، فَمَا لِي لَا أَدْرِي مِنْ دَرْبِي غَيْرَ الدِّرَايَةِ؟

فَلَعَلَّ الدَّرْبَ لَا يُفْضِي إِلَى الدِّرَايَةِ، بَلِ الدِّرَايَةُ أَنْ تُدْرِكَ أَنَّكَ الدَّرْبُ.

المقطع الثاني:

فِي بِحَارِكَ أَبْحَرْتُ، وَبِحِبْرِي أَخْبَرْتُ.

فَمَالِ أَمْوَاجِكَ تُحَارِبُنِي، وَمَا لِي فِي بِحَارِكَ مَا رُحِّبْتُ؟

شكراً مسبقاً على وقتكم ورأيكم!

reddit.com
u/Important_Map6928 — 2 months ago
▲ 1 r/arabs

مرحباً جميعاً،

للتوضيح فقط: أنا تونسي، وكما تعلمون لغتنا اليومية هي الدارجة. معظم استهلاكي للميديا بالفرنسية أو الإنجليزية، وعلاقتي بالفصحى شبه منقطعة منذ أيام المعهد (الثانوية) قبل 4 سنوات تقريباً.

منذ أيام كنت أشعر بملل وكتبت الخاطرة الأولى بشكل عشوائي كمجرد تلاعب بالكلمات. ثم كتبت الثانية لأختبر إن كان الأمر في المقطع الأول مجرد صدفة أو ضربة حظ.

ملاحظة مهمة: الكلمات، الأفكار، والتلاعب اللفظي هي مجهودي الشخصي 100%. استعنت بالذكاء الاصطناعي فقط لوضع التشكيل الصحيح وتصحيح بعض الهمزات لتُقرأ بشكل سليم!

هذا ما خرجت به، وأريد رأيكم الصريح:

المقطع الأول:

دَرَيْتُ أَنَّ لِلدِّرَايَةِ دَرْبًا، فَمَا لِي لَا أَدْرِي مِنْ دَرْبِي غَيْرَ الدِّرَايَةِ؟

فَلَعَلَّ الدَّرْبَ لَا يُفْضِي إِلَى الدِّرَايَةِ، بَلِ الدِّرَايَةُ أَنْ تُدْرِكَ أَنَّكَ الدَّرْبُ.

المقطع الثاني:

فِي بِحَارِكَ أَبْحَرْتُ، وَبِحِبْرِي أَخْبَرْتُ.

فَمَالِ أَمْوَاجِكَ تُحَارِبُنِي، وَمَا لِي فِي بِحَارِكَ مَا رُحِّبْتُ؟

شكراً مسبقاً على وقتكم ورأيكم!

reddit.com
u/Important_Map6928 — 2 months ago