This is a PoC technique for indirect syscall execution, by suspending, altering and resuming a thread. The target thread's context is modified in order to land on a syscall instruction in NTDLL (we're doing NtAllocateVirtualMemory), with registers and stack prepared for syscall execution. There's no need for syscall stubs, since all the arguments are written directly to the target thread's context while it's suspended.
x0reaxeax / syscook64
Indirect Syscall invocation via thread hijacking
License: MIT License