Hello again 😄

I added syscalls using the same method as in version 0.6 (really cool syscall implementation btw, very elegant approach).

I also added a small fix in bypass, where the memory regions were not first changed to RWX, and also made sure that EtwEventWrite and AmsiOpenSession exist (mainly for older systems support).

Lastly, a very very small change to getRdllBase. The instructions:

```asm
xor rbx, rbx
mov ebx, 0x5A4D
```

were called in a loop while searching for the base of the DLL (with around 20k iterations); that is now "fixed".

Cheers!