2. Direct syscalls intro
BLUF:
Direct syscalls bypass the user-mode API layers (kernel32/kernelbase and the ntdll.dll Nt* stubs) by loading the syscall number into eax and executing the syscall instruction from the caller's own code, so inline hooks that EDR products place on the ntdll.dll stubs are never reached.
Direct syscalls offer stealth against user-mode hooking but leave a suspicious call stack: the syscall returns into a module other than ntdll.dll, which stack-walking detections and kernel-side telemetry can flag.

Direct Syscall Workflow:
- Locate ntdll.dll in the process (it is already mapped into every process) and resolve the syscall number (SSN) of the target Nt* function, for example by reading the `mov eax, imm32` from its export stub. SSNs change between Windows builds, so they are resolved at run time rather than hard-coded.
- Place the arguments where the kernel expects them (rcx copied into r10, the SSN in eax, remaining arguments in rdx, r8, r9 and on the stack) and execute the syscall instruction from the caller's own code without calling the ntdll.dll export.
- Execution transfers to kernel mode, so any user-mode hook placed on the ntdll.dll stub is bypassed.
- The kernel returns the NTSTATUS result to user mode; the return address points into the caller's module rather than into ntdll.dll, which is what makes the call stack look abnormal.
Mermaid Diagram - Direct vs Indirect Syscall

```mermaid
graph TD;
    A[User Application] -->|Direct Call, syscall instruction in own module| B[Syscall Instruction]
    B -->|Kernel Mode| C[ntoskrnl.exe]
    C --> D[Return to User Mode]
    A2[User Application] -->|Indirect Call, SSN set in eax| E[ntdll.dll]
    E -->|Jump to syscall instruction inside the stub| F[Syscall Instruction]
    F -->|Kernel Mode| C
```

In the direct form the syscall instruction lives in the caller's module; in the indirect form the caller still sets up eax and r10 itself but jumps to the syscall instruction inside the ntdll.dll stub, so the return address lands in ntdll.dll and the call stack resembles a normal API call.