Skip to content

feat(evasion): Indirect syscall evasion scanner #538

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rabbitstack merged 5 commits into from
Dec 23, 2025
Merged

feat(evasion): Indirect syscall evasion scanner #538

rabbitstack merged 5 commits into from
Dec 23, 2025

Conversation

@rabbitstack
Copy link
Owner

@rabbitstack rabbitstack commented Dec 19, 2025

What is the purpose of this PR / why it is needed?

Indirect syscall evasion refers to executing the syscall instruction by diverting the execution flow into a legitimate, clean ntdll stub that performs the syscall on process behalf. This achieves code origin legitimacy, since the execution lands in .text of a signed Microsoft module (ntdll.dll). Stack frames look identical to a normal API call, which achieves call stack normalization.

This PR adds a new scanner to detect indirect syscall evasion, along with the corresponding filter fields that can be evaluated in the rules.

What type of change does this PR introduce?

Uncomment one or more /kind <> lines:

/kind feature (non-breaking change which adds functionality)

/kind bug-fix (non-breaking change which fixes an issue)

/kind refactor (non-breaking change that restructures the code, while not changing the original functionality)

/kind breaking (fix or feature that would cause existing functionality to not work as expected

/kind cleanup

/kind improvement

/kind design

/kind documentation

/kind other (change that doesn't pertain to any of the above categories)

Any specific area of the project related to this PR?

Uncomment one or more /area <> lines:

/area instrumentation

/area telemetry

/area rule-engine

/area filters

/area yara

/area event

/area captures

/area alertsenders

/area outputs

/area rules

/area filaments

/area config

/area cli

/area tests

/area ci

/area build

/area docs

/area deps

/area evasion

/area other

Special notes for the reviewer

Does this PR introduce a user-facing change?

@rabbitstack rabbitstack force-pushed the indirect-syscall-evasion branch 5 times, most recently from e3ee95c to 94b0c68 Compare December 23, 2025 19:49
@rabbitstack
feat(evasion): Implement indirect syscall evasion scanner
9bafdd4 
Indirect syscall evasion refers to executing the syscall instruction by
diverting the execution flow into a legitimate, clean ntdll stub that
performs the syscall on process behalf. This achieves code origin
legitimacy, since the execution lands in .text of a signed Microsoft
module (ntdll.dll). Stack frames look identical to a normal API call,
which achieves call stack normalization.
@rabbitstack
fix(symbolizer): Include module address in cached symbol information
7feb4e1
@rabbitstack
chore(sys): Declare GetModuleHandleEx API flag constant
e433622
@rabbitstack
feat(filter): Add evt.is_direct_syscall and evt.is_indirect_syscall f…
94b0c68 
…ields
@rabbitstack rabbitstack merged commit 78d8b87 into master Dec 23, 2025
13 of 15 checks passed
@rabbitstack rabbitstack deleted the indirect-syscall-evasion branch December 23, 2025 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rabbitstack