Tarek Abdelmotaleb & Dr. Bramwell Brizendine - Weaponizing Windows Syscalls as Modern, 32-bit Shellcode

Tarek Abdelmotaleb, VERONA Labs, He/Him
Dr. Bramwell Brizendine, He, Him, His

Presentation Title: Weaponizing Windows Syscalls as Modern, 32-bit Shellcode
Length of presentation: 20 minutes

Windows syscalls, while increasingly trendy in red team efforts, have only been very rarely used as pure shellcode, outside of being used for Egghunters. Typically, they are used as part of red team malware, utilizing projects like SysWhispers2. An Internet search, in fact, reveals only one non-Egghunter use of syscalls, from a Windows XP-era shellcode. This is hardly surprising though, as many Windows syscalls can be extremely difficult to use and set up in as position-independent shellcode, which is a far cry from red team malware. Often syscalls require significant additional set up not required for performing equivalent actions done by calling WinAPI functions via PEB-walking.

While much knowledge exists on using syscalls for red team efforts, information on writing original shellcode with syscalls so in modern x86 is sparse and lacking. Our reverse engineering efforts, however, have revealed the necessary steps to take to successfully perform syscalls in shellcode, both for Windows 7 and 10, as there are some significant differences.

In this talk, we will embark upon a journey that will show the process of reverse engineering how Windows syscalls work in both Windows 7 and 10, while focusing predominately on the latter. With this necessary foundation, we will explore the process of effectively utilizing syscalls inside shellcode. We will explore the special steps that must be taken to set up syscalls – steps that may not be required to do equivalent actions with WinAPI functions.

This talk will feature various demonstrations of syscalls in x86 shellcode.


Tarek Abdelmotaleb is a security researcher at VERONA Labs, and he is a graduate student at Dakota State University, who will soon graduate with a MS in Computer Science. Tarek specializes in malware development, software exploitation, reverse engineering, and malware analysis. Tarek recently published an IEEE paper that provides a new way for finding the base address of kernel32, making it possible to do shellcode without needing to make use of walking the Process Environment Block (PEB).

Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations recently, where he did his dissertation on Jump-Oriented Programming, a hitherto, seldom-studied and poorly understood subset of code-reused attacks. Bramwell developed a fully featured tool that helps facilitate JOP exploit development, the JOP ROCKET. Bramwell is the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab), specializing in vulnerability research, software exploitation, software security assessments, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. Bramwell also teaches undergraduate, graduate, and doctoral level courses in software exploitation, reverse engineering, malware analysis, and offensive security. Bramwell teaches the development of modern Windows shellcode from scratch in various courses. Bramwell is a PI on an NSA grant to develop a shellcode analysis framework. Bramwell has been a speaker at many top security conferences, such as DEF CON, Black Hat Asia, Hack in the Box Amsterdam, Hack, and more.


jthuraisamy. SysWhispers. https://github.com/jthuraisamy/SysWhispers

Cornelis de Plaa. (2019). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. https://outflank.nl/blog/2019/06/19/...bypass-av-edr/

Cornelis de Plaa. Dumpert, an LSASS memory dumper using direct system calls and API unhooking. https://github.com/outflanknl/Dumpert

Winter-Smith, Peter. (2020). FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking. https://www.mdsec.co.uk/2020/08/fire...e-edr-hooking/

Mateusz "j00ru" Jurczyk . Windows X86-64 System Call Table (XP/2003/Vista/2008/7/2012/8/10). https://j00ru.vexillium.org/syscalls/nt/64/

crummie5. (2020). FreshyCalls: Syscalls Freshly Squeezed! https://github.com/crummie5/FreshyCalls

Stephen Eckels. (2020). WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques. https://www.mandiant.com/resources/w...ing-techniques

@modexpblog. (2020). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. https://www.mdsec.co.uk/2020/12/bypa...for-red-teams/

Peter Van Eeckhoutte. (2019). Windows 10 egghunter (wow64) and more. https://www.corelan.be/index.php/201...-10-egghunter/