
Introduction:
Modern endpoint detection and response (EDR) solutions rely heavily on user‑mode API hooking to monitor malicious behavior. By placing hooks inside critical Windows APIs (e.g., `NtCreateProcess`, `NtAllocateVirtualMemory`), EDRs intercept and analyze every call before it reaches the kernel. However, offensive security researchers have developed a stealthier approach: direct syscalls. This technique bypasses user‑mode hooks entirely by issuing the `syscall` instruction from the program's own code instead of going through the hooked `ntdll` exports, so the hooked APIs never see the call. In this article, we dissect the “no‑hooks” methodology demonstrated by Daniel Scheidt (Offensive Security @Vorwerk / @Cerberus‑Security) and provide a step‑by‑step guide to implement, detect, and mitigate syscall‑based evasion.
Learning Objectives:
– Understand how Windows system calls (syscalls) work and why they bypass user‑mode EDR hooks.
– Implement a direct syscall in C++/Assembly to execute shellcode without triggering API monitors.
– Apply Linux and Windows detection techniques (eBPF, ETW, kernel callbacks) to identify syscall abuse.
– Harden cloud and on‑prem workloads against unhooked execution paths.
You Should Know:
1. Direct Syscalls – The Theory Behind “No Hooks”
When a Windows application calls `CreateFile()`, the call flows through `kernel32.dll` → `ntdll.dll` → `syscall` instruction. EDRs typically hook `ntdll.dll` functions (e.g., `NtCreateFile`) to inspect arguments. Direct syscalls re‑implement the syscall stub in your own code, never touching the hooked `ntdll` functions. This technique is widely used in modern red team tooling (e.g., Hell’s Gate, Halo’s Gate, SysWhispers2).
Why it works: The `syscall` instruction transitions directly from user mode to kernel mode using the System Service Dispatch Table (SSDT). If you supply the correct SSN (System Service Number) and arguments, the kernel executes the request without ever passing through the monitored user‑mode layer.
Step‑by‑step guide to implement a direct syscall (Windows):
1. Extract SSNs – Retrieve syscall numbers for target functions (e.g., `NtAllocateVirtualMemory`, `NtWriteVirtualMemory`) by parsing `ntdll.dll` at runtime or using a hardcoded database (OS‑version dependent).
2. Write assembly stub – Create a function that moves the SSN into `eax` and executes `syscall`. For x64, a minimal stub:
```asm
; syscall_stub.asm (MASM, x64)
.code
SyscallStub PROC
    mov r10, rcx        ; the kernel reads the first argument from r10, not rcx
    mov eax, ssn        ; ssn: replace with the actual SSN (e.g. define it with EQU)
    syscall
    ret
SyscallStub ENDP
end
```
3. Call the stub from C/C++ – Use function pointers to invoke the stub with the required arguments (same as original NT API).
4. Allocate and run shellcode – Combine `NtAllocateVirtualMemory` (RWX), `NtWriteVirtualMemory` (write shellcode), and `NtCreateThreadEx` (execute). No hooked API is ever called.
Linux equivalent – Using the `syscall()` function: On Linux, the glibc `syscall()` wrapper is not hooked by typical EDRs, but advanced monitoring (eBPF, LSM hooks) can still detect abnormal syscall patterns. To mimic “no hooks” on Linux, you can use inline assembly or call `syscall()` with raw numbers.
Example: `syscall(__NR_execve, "/bin/sh", NULL, NULL);`
Detection command (Linux): Monitor for unexpected syscall sequences using `strace -e trace=file,process -p <PID>`.
2. Evading EDR Hooks via Syscall Unhooking
Direct syscalls are powerful, but some EDRs also hook the kernel callbacks (e.g., `PsSetCreateProcessNotifyRoutine`). To achieve full stealth, combine direct syscalls with:
– Indirect syscalls – Use a trampoline that jumps to the `syscall` instruction inside the original `ntdll` (avoids inline hooks while still using the unmodified syscall instruction).
– Dynamic SSN retrieval – Instead of hardcoding SSNs (which break after Windows updates), parse `ntdll` in memory to locate the stub and extract the SSN on the fly. This is known as Hell’s Gate (by @am0nsec and @Cneelis).
Step‑by‑step guide to dynamic SSN retrieval (Hell’s Gate):
1. Enumerate all exported functions in `ntdll.dll` by walking the PE header.
2. For a target function (e.g., `NtCreateThreadEx`), locate its byte signature (`0x4c 0x8b 0xd1 0xb8 …`).
3. Read the SSN as the byte immediately following the `mov eax, imm32` opcode (`0xb8`).
4. Store the SSN in a global table and use it in your assembly stub.
Linux/Windows command to verify syscall activity (Red Team check):
```bash
# Linux – count syscalls per process to spot anomalies
sudo perf stat -e 'syscalls:sys_enter_*' -p <PID> sleep 5
```

```powershell
# Windows – use ETW (Event Tracing for Windows) to log syscalls
logman start SyscallTrace -p "Microsoft-Windows-Kernel-Process" 0x10 -o syscalls.etl -ets
logman stop SyscallTrace -ets
# Then parse with:
tracerpt syscalls.etl
```
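Counting syscalls per process (as above) spots volume anomalies, but the chain from step 4 of section 1 is better caught as an ordered sequence: an RWX allocation, a write into it and a thread start in the same process within a short window. The following Python script is an added example (not code from the original post or from the tooling it names) that implements that sequence detector over a constructed, hypothetical normalized trace format (`<ts_ms> <pid> <syscall> [key=value ...]`); it is not the raw output of `perf` or `tracerpt`, so a real deployment needs a small adapter from whichever ETW or eBPF feed is in use. The sample deliberately includes a JIT‑like process that allocates RWX memory but never completes the chain, and a process that runs the same three calls on non‑executable memory, so that only the full chain alerts.

```python
"""Sequence-based detection of the allocate-RWX -> write -> create-thread
injection chain in a syscall trace.  Added example; it assumes a
hypothetical normalized trace format, not the raw output of perf or tracerpt."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample trace (hypothetical normalized format: <ts_ms> <pid> <syscall> [k=v ...]).
# pid 4242: the full injection chain within a few ms           -> should alert
# pid 5150: same sequence but with a non-executable allocation  -> benign
# pid 6001: RWX allocation, but the rest arrives far too late   -> benign (JIT-like)
SAMPLE_TRACE = """\
1000 4242 NtAllocateVirtualMemory protect=PAGE_EXECUTE_READWRITE size=4096
1005 4242 NtWriteVirtualMemory size=4096
1009 4242 NtCreateThreadEx
1000 5150 NtAllocateVirtualMemory protect=PAGE_READWRITE size=65536
1003 5150 NtWriteVirtualMemory size=65536
1007 5150 NtCreateThreadEx
1000 6001 NtAllocateVirtualMemory protect=PAGE_EXECUTE_READWRITE size=1048576
2500 6001 NtWriteVirtualMemory size=512
9999 6001 NtCreateThreadEx
"""

CHAIN = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx")
WINDOW_MS = 1000  # the whole chain must complete inside this window to count

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\w+)(.*)$")


@dataclass
class Event:
    ts: int
    pid: int
    name: str
    args: dict = field(default_factory=dict)


def parse_trace(text):
    """Parse trace lines into Event objects, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, pid, name, rest = m.groups()
        args = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(Event(int(ts), int(pid), name, args))
    events.sort(key=lambda e: e.ts)
    return events


def find_injection_chains(events, window_ms=WINDOW_MS):
    """Return [(pid, [ts_alloc, ts_write, ts_thread]), ...] for every process
    that completes the chain within window_ms.  Each call is legitimate on its
    own (JITs allocate RWX, debuggers write memory), so only the ordered
    sequence raises an alert."""
    state = defaultdict(lambda: {"stage": 0, "ts": []})
    hits = []
    for ev in events:
        st = state[ev.pid]
        if ev.name == CHAIN[0]:
            # An RWX allocation (re)starts the chain; other allocations are ignored.
            if ev.args.get("protect") == "PAGE_EXECUTE_READWRITE":
                st["stage"], st["ts"] = 1, [ev.ts]
            continue
        if st["stage"] == 0 or ev.name != CHAIN[st["stage"]]:
            continue  # not the next step we are waiting for
        if ev.ts - st["ts"][0] > window_ms:
            state[ev.pid] = {"stage": 0, "ts": []}  # too slow: drop the partial chain
            continue
        st["ts"].append(ev.ts)
        st["stage"] += 1
        if st["stage"] == len(CHAIN):
            hits.append((ev.pid, list(st["ts"])))
            state[ev.pid] = {"stage": 0, "ts": []}
    return hits


if __name__ == "__main__":
    for pid, stamps in find_injection_chains(parse_trace(SAMPLE_TRACE)):
        print(f"ALERT pid={pid}: RWX alloc -> write -> thread at {stamps}")
```

The window is the tuning knob: too small and a loader that sleeps between steps slips through, too large and long‑lived JIT processes start to produce noise, so in practice it is paired with the unbacked‑thread and handle‑rights checks from the Sysmon section below rather than used alone.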
3. Mitigating Syscall‑Based Attacks – Blue Team Hardening
Defenders are not powerless. While you cannot easily remove the `syscall` instruction, you can enforce kernel‑mode monitoring and application control.
Key mitigations:
– Enable Kernel‑Mode Callbacks – Use `PsSetCreateProcessNotifyRoutineEx` with a callback that inspects the process image. For advanced monitoring, deploy Microsoft Defender for Endpoint with kernel‑level sensors or an eBPF‑based agent (on Linux).
– Restrict VirtualMemory operations – Implement a minifilter driver that monitors `NtAllocateVirtualMemory` with `PAGE_EXECUTE_READWRITE` and flags suspicious allocations.
– Deploy Microsoft Defender Application Control (WDAC) – Only allow signed, known binaries to run. Most direct syscall injectors execute from unsigned memory, which WDAC blocks.
– Cloud Hardening (Azure/AWS) – For virtual machines, enable Guest Attestation and Secure Boot. Combine with Azure Policy to enforce that VMs run with Defender for Cloud’s “adaptive application controls”.
Step‑by‑step guide to detect direct syscall abuse using Sysmon (Windows):
1. Install Sysmon with a configuration that logs raw syscalls (limited – Sysmon does not log every syscall, but you can log process creation and memory operations).
2. Focus on Event ID 10 (ProcessAccess) and Event ID 8 (CreateRemoteThread) – anomalous patterns often follow unhooked injection.
3. Use a PowerShell script to hunt for processes that have no loaded EDR DLLs but exhibit suspicious memory behavior:
```powershell
# Processes with no loaded module whose path matches "edr" and an unusually large working set
Get-Process | Where-Object { -not ($_.Modules.FileName -like "*edr*") -and $_.WorkingSet64 -gt 100MB }
```
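Event ID 10 is only useful when the `GrantedAccess` mask is decoded: a handle opened with `PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD` is what the unhooked alloc/write/thread chain needs on a remote process, and an Event ID 8 from the same source to the same target, with an empty `StartModule`, confirms the thread started in memory no module backs. The script below is an added example, not part of the original post; the field names follow Sysmon's Event 8/10 schema, the access‑right constants are the Win32 values from `winnt.h`, and the events themselves are constructed.

```python
"""Decode Sysmon Event ID 10 GrantedAccess masks and correlate them with
Event ID 8 to surface remote-thread injection.  Added example over constructed
events; field names follow Sysmon's Event 8/10 schema, sample values are made up."""

# Win32 process access rights (winnt.h); the dict order is the decode order.
PROCESS_RIGHTS = {
    "PROCESS_TERMINATE": 0x0001,
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
    "PROCESS_CREATE_PROCESS": 0x0080,
    "PROCESS_SET_QUOTA": 0x0100,
    "PROCESS_SET_INFORMATION": 0x0200,
    "PROCESS_QUERY_INFORMATION": 0x0400,
    "PROCESS_SUSPEND_RESUME": 0x0800,
    "PROCESS_QUERY_LIMITED_INFORMATION": 0x1000,
}
# Minimum rights the alloc/write/create-thread chain needs on a remote process.
INJECT_MASK = (PROCESS_RIGHTS["PROCESS_VM_OPERATION"]
               | PROCESS_RIGHTS["PROCESS_VM_WRITE"]
               | PROCESS_RIGHTS["PROCESS_CREATE_THREAD"])

# Constructed Sysmon events (subset of fields), in arrival order.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": "4242", "SourceImage": "C:\\Users\\demo\\loader.exe",
     "TargetProcessId": "1337", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": "4242", "SourceImage": "C:\\Users\\demo\\loader.exe",
     "TargetProcessId": "1337", "TargetImage": "C:\\Windows\\explorer.exe",
     "StartAddress": "0x000001A2B3C40000", "StartModule": "", "StartFunction": ""},
    {"EventID": 10, "SourceProcessId": "3100", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetProcessId": "1337", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceProcessId": "5150", "SourceImage": "C:\\Tools\\dumper.exe",
     "TargetProcessId": "600", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
]


def decode_access(mask_str):
    """Translate a hex GrantedAccess string into the named rights it contains."""
    mask = int(mask_str, 16)
    return [name for name, bit in PROCESS_RIGHTS.items() if mask & bit]


def can_inject(mask_str):
    """True when the handle carries every right needed for remote-thread injection."""
    return int(mask_str, 16) & INJECT_MASK == INJECT_MASK


def find_remote_thread_injection(events):
    """Pair an Event 10 handle open with injection rights against a later
    Event 8 thread creation for the same source/target pid pair."""
    pending = {}  # (source pid, target pid) -> the Event 10 that opened the handle
    alerts = []
    for ev in events:
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10 and can_inject(ev["GrantedAccess"]):
            pending[key] = ev
        elif ev["EventID"] == 8 and key in pending:
            opened = pending.pop(key)
            alerts.append({
                "source": ev["SourceImage"],
                "target": ev["TargetImage"],
                "rights": decode_access(opened["GrantedAccess"]),
                # An empty StartModule means the thread starts in memory that no
                # loaded module backs, i.e. freshly written code rather than a DLL export.
                "unbacked_start": ev.get("StartModule", "") == "",
            })
    return alerts


if __name__ == "__main__":
    for a in find_remote_thread_injection(SAMPLE_EVENTS):
        print(f"ALERT {a['source']} -> {a['target']} rights={a['rights']} unbacked={a['unbacked_start']}")
```

The Task Manager open (`0x1400`, query rights only) and the `lsass.exe` read handle (`0x1410`) are intentionally left out of the injection alert: the second is worth its own credential‑theft rule, but it lacks `PROCESS_CREATE_THREAD`, and treating every broad handle as injection is how this event ID earns its reputation for noise.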
4. API Security & Cloud Hardening – Extending “No Hooks” to the Web
The “no hooks” concept also applies to API security. Just as EDRs hook system calls, API gateways and WAFs hook HTTP requests. Attackers bypass these by using non‑standard protocols, encrypted payloads inside legitimate channels, or direct backend calls.
Example technique: Cloud metadata API abuse – If an attacker gains code execution on a cloud VM, they can query the IMDS (Instance Metadata Service) without going through the corporate proxy. AWS IMDSv2 requires a PUT token, but misconfigurations allow IMDSv1 (no token).
Hardening cloud metadata:
```bash
# AWS – disable IMDSv1 on EC2 (require the IMDSv2 session token)
aws ec2 modify-instance-metadata-options --instance-id i-12345 --http-tokens required --http-endpoint enabled

# Azure – disable IMDS on specific VMs via Azure Policy

# Linux – block the metadata endpoint 169.254.169.254 using iptables
iptables -A OUTPUT -d 169.254.169.254 -j DROP
```
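The one‑off `modify-instance-metadata-options` call above fixes one instance; the misconfiguration that matters is the fleet where `HttpTokens` is still `optional`. The following Python is an added example (not code from the original post) that audits a `DescribeInstances`‑shaped response for IMDSv1 exposure and emits the same remediation command per finding. The response structure (`Reservations` → `Instances` → `MetadataOptions` with `HttpTokens`, `HttpEndpoint`, `HttpPutResponseHopLimit`) is the real EC2 API shape, but the instance ids and values are constructed placeholders; feeding it a live `boto3` `describe_instances()` result is left to the reader. It goes one step beyond the text by also flagging a hop limit above 1, which lets a container or NATed process on the instance obtain the IMDSv2 token.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure and generate the
remediation command.  Added example: the input mirrors the shape of the EC2
DescribeInstances response (Reservations -> Instances -> MetadataOptions);
the instance ids and values are constructed placeholders."""

# Constructed DescribeInstances-style response (placeholder instance ids).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",   # IMDSv1 still allowed, token relayable
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",   # hardened: IMDSv2 only, single hop
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ccccccccccccccc3",   # IMDS switched off entirely
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def audit_metadata_options(response):
    """Return [(instance_id, finding), ...] for instances whose IMDS settings
    leave a token-less (IMDSv1) path open or let the IMDSv2 token be relayed."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # IMDS unreachable from the guest: nothing to audit
            if opts.get("HttpTokens") != "required":
                findings.append((iid, f"IMDSv1 allowed (HttpTokens={opts.get('HttpTokens')})"))
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if hop > 1:
                findings.append((iid, f"hop limit {hop} lets a container or NATed process relay the IMDSv2 token"))
    return findings


def remediation_command(instance_id):
    """The aws cli invocation that enforces IMDSv2 (and a single hop) on one instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1")


if __name__ == "__main__":
    for iid, finding in audit_metadata_options(SAMPLE_RESPONSE):
        print(f"{iid}: {finding}\n  fix: {remediation_command(iid)}")
```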
Step‑by‑step API injection using syscall mentality: Instead of calling the `curl` command (which may be hooked by an eBPF sensor), use raw socket syscalls (`socket()`, `sendto()`, `recvfrom()`) from a custom binary. This bypasses user‑space API monitoring tools like Falco’s libsinsp.
5. Training & Offensive Security Labs – Master the Art
To practice “no‑hooks” techniques safely, use dedicated training platforms:
– Cerberus Security Labs (referenced in the post) – Offers practical courses on direct syscall injection, EDR evasion, and kernel exploitation.
– Sektor7 RTO – Advanced Windows malware development with syscall stubs.
– TryHackMe Room: “Syscall Evasion” – Free lab to experiment with Hell’s Gate and Halo’s Gate.
Recommended lab setup:
– Windows 10/11 VM with EDR (e.g., free trial of Elastic Defend or Microsoft Defender)
– Attacker VM running Kali Linux or CommandoVM
– Tools: `Syswhispers2`, `SharpHalosGate`, `Visual Studio 2022` with MASM
Command to generate syscall stubs using Syswhispers2 (on Windows):
```bash
git clone https://github.com/jthuraisamy/Syswhispers2
cd Syswhispers2
# the generator script in the repository is syswhispers.py
python syswhispers.py -f NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx -o syscalls
# Outputs syscalls.asm, syscalls.h, syscalls.c
```
Then compile with `cl.exe /FA .\syscalls.c .\main.c`
What Undercode Says:
– Key Takeaway 1: Direct syscalls are not a silver bullet – modern EDRs are moving to kernel‑level telemetry (e.g., ETW Ti, Kernel‑mode Callbacks). Red teams must combine indirect syscalls, dynamic SSN retrieval, and sleep obfuscation.
– Key Takeaway 2: Defenders should prioritize kernel‑based monitoring (eBPF on Linux, minifilter drivers on Windows) and enforce WDAC/AppLocker to break the execution chain before syscalls are invoked. No single mitigation stops all attacks, but layered hardening reduces the success rate of “no‑hooks” techniques to near zero in well‑managed environments.
Analysis (10 lines): The shift toward unhooked execution reflects a fundamental arms race between attackers and EDRs. While syscall‑based malware is more complex, it is now commoditized via tools like Syswhispers2, lowering the bar for entry. Blue teams must accept that user‑mode hooks are insufficient; investing in kernel‑level sensors and runtime behavior analysis (e.g., detecting anomalous syscall sequences rather than single calls) is critical. Cloud environments add another dimension – metadata service abuse and container breakout via direct syscalls (e.g., `unshare` syscall) are rising threats. Training courses like those from Cerberus‑Security are essential to build hands-on skills. Ultimately, “no hooks” is a reminder that detection must evolve beyond static API monitoring.
Prediction:
– Over the next 12‑24 months, Microsoft will deprecate or heavily restrict user‑mode hooking in Windows native EDRs, pushing all monitoring into Secure Kernel and Hypervisor‑based protections (like Hyper‑V Code Integrity). This will force red teams to abandon direct syscalls and pivot to firmware‑level or hardware‑based exploitation.
– The rise of eBPF on Windows (through eBPF for Windows) will democratize kernel‑level monitoring, allowing third‑party EDRs to detect syscall abuse without expensive kernel drivers. This will level the playing field for smaller security vendors.
– Cloud providers (AWS, Azure, GCP) will implement mandatory metadata service authentication (IMDSv2 only) and syscall filtering for container runtimes, breaking many “no‑hooks” attack chains used in cryptojacking and lateral movement.
Reported By: [Daniel Scheidt](https://www.linkedin.com/posts/daniel-scheidt-1421281aa_httpslnkdinde5vrfw3-no-hooks-this-time-share-7468331492654374913-Y3n-/) – Hackers Feeds