Contains all the material from the DEF CON 31 workshop "(In)direct Syscalls: A Journey from High to Low".
Updated May 23, 2025 - C
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls.
Shellcode loader written in C and Assembly utilizing direct or indirect syscalls to evade UM EDR hooks
Load arbitrary DLLs, call any exported function; calls execute inside g0 as normal syscalls do from the traditional route, no syscall or Windows imports, exposes many convenience functions for WinAPI interaction :3
Pure assembly red team framework for Win11 25H2. Position-independent code, runtime API hashing, polymorphic engine, indirect syscalls, C2 beacon. 18KB total. Educational COAL lab project.
Advanced Windows security research framework for analyzing user-mode execution and loader behavior.
PoC for stealthy indirect Windows syscall invocation to bypass API hooks
Extracting clean syscall numbers from a suspended process before injecting shellcode into it using indirect syscalls
A C implementation for native syscall resolution and execution on Windows x64
ChaCha20-Poly1305 encrypted reverse shell + Hell's Gate process injector in pure x86_64 NASM assembly