Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".

The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls

Shellcode loader written in C and Assembly utilizing direct or indirect syscalls to evade UM EDR hooks

load arbitrary dlls, call any exported function, calls execute inside g0 as normal syscalls do from the traditional route, no syscall or windows imports, exposes many convenience functions for winapi interaction :3

Extracting clean syscall numbers from a suspended process before injecting shellcode into it using indirect syscalls.

Pure assembly red team framework for Win11 25H2. Position-independent code, runtime API hashing, polymorphic engine, indirect syscalls, C2 beacon. 18KB total. Educational COAL lab project.

PoC for stealthy indirect Windows syscall invocation to bypass API hooks

Bypassing all EDR hooks while maintaining the cleanest callstack of all time with proxy calls and an exception handler.

Invoke Shellcode through Indirect Syscalls inside PowerShell

a c implementation for native syscall resolution and execution on windows x64

Implementation and documentation of establishing a reverse shell using only indirect syscalls

ChaCha20-Poly1305 encrypted reverse shell and process injector in pure x86_64 NASM assembly — Hell's Gate syscalls, zero dependencies

This is stands as a research blog and exercise in payload development. The exact technique talked through is via Remote Thread.