
An evasion framework demonstrating how malware could decouple syscalls and use PEB gadget scanning to bypass call-stack telemetry
Hi. I’m the dev behind SindriKit, an open-source C framework built around Dependency Injection for windows exploitation.
So, direct syscalls are burned. EDRs inspect the call stack during the kernel transition. If the syscall instruction originates from a payload heap instead of legitimate ntdll.dll memory, it gets flagged.
Most public exploits couple SSN resolution with a hardcoded execution assembly code. If you need to switch execution profiles, you have to rewrite the core logic.
SindriKit v1.2.0 separates finding the SSN from actually executing it via independent interface tables.
// How do we find the SSN?
snd_syscall_set_resolver(snd_syscall_resolve_ssn_scan);
// How do we execute the syscall?
snd_syscall_set_invoker(snd_syscall_indirect_invoke_asm);
snd_syscall_set_gadget_finder(snd_syscall_find_gadget_scan);
If indirect syscalls start causing stability issues, you swap one pointer (snd_syscall_set_invoker(snd_syscall_direct_invoke_asm);) to drop back to direct execution.
Under the hood, snd_syscall_find_gadget_scan walks the PEB to find the natively loaded ntdll.dll and dynamically scans for a legitimate syscall; ret gadget, avoiding disk-read.
The project is Open Source, and heavily documented. It could be a great reference for some of you here.