TheWover
commented
3 years ago Looks like there is a version of SysWhispers2 for x86/WOW64 processes: https://github.com/mai1zhi2/SysWhispers2_x86
Open TheWover opened 3 years ago
TheWover
commented
3 years ago Looks like there is a version of SysWhispers2 for x86/WOW64 processes: https://github.com/mai1zhi2/SysWhispers2_x86
Use the technique described by modexp in https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ and implemented in SysWhispers2 to derive syscall IDs by sorting the addresses of Zw* exports in ntdll.