
bypassing modern edrs: indirect syscalls and stack spoofing

Created by QuickShot
Joined: 13 November 2025
20 April, 2026 at 06:30 AM
#1
Hey boyz, been testing some of the latest EDR solutions (CrowdStrike, SentinelOne) and their hook detection is getting crazy. If you are just using direct syscalls, you are gonna get caught by their call stack analysis.

The method:
I've been implementing Indirect Syscalls combined with Stack Spoofing. The idea is to execute the syscall from within the ntdll memory space, so it looks like a legitimate system call coming from the OS, not your malware stub.

Pro tip:
Use a custom trampoline to jump back to your code. It confuses the EDR's return-address checks. I've successfully bypassed 3 major EDRs last week with this setup.

Anyone else working on custom stubs for EDR evasion? I'm looking for a better way to spoof the Thread Execution Context without triggering a full kernel callback alert.
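A defender-side illustration of the call-stack checks the post refers to, added here as an example and not code from the thread or from any EDR product. The module ranges, the bytes at each call site, and the stack captures are all constructed; a real implementation would read them from the live process.

```python
# Added example (not from the thread): simplified triage of a captured thread
# call stack at a syscall, of the kind EDR stack-walk checks perform.
# Every address, module range and byte string below is constructed.

NTDLL = ("ntdll.dll", 0x7FF800000000, 0x7FF800200000)
KBASE = ("kernelbase.dll", 0x7FF800400000, 0x7FF800700000)
APP = ("app.exe", 0x00400000, 0x00480000)
MODULES = [NTDLL, KBASE, APP]

# Constructed "memory": the 6 bytes preceding each genuine return address.
# A real return address sits right after a call (E8 rel32 or FF 15 [rip+disp32]).
CALL_SITES = {
    0x7FF800400A10: bytes.fromhex("90E810000000"),  # kernelbase -> ntdll, call rel32
    0x00401234: bytes.fromhex("FF1500200000"),      # app -> kernelbase, call [rip+disp]
}

def module_of(addr):
    """Name of the image backing addr, or None for private/unbacked memory."""
    for name, lo, hi in MODULES:
        if lo <= addr < hi:
            return name
    return None

def preceded_by_call(ret):
    """True if the bytes just before ret decode as a call instruction."""
    b = CALL_SITES.get(ret, b"")
    return b[-5:-4] == b"\xe8" or b[-6:-4] == b"\xff\x15"

def triage_stack(frames):
    """frames[0] is the address of the syscall instruction; the rest are
    return addresses, innermost first. Returns the reasons to flag the stack."""
    flags = []
    # Check 1: a direct syscall stub executes the instruction outside ntdll.
    if module_of(frames[0]) != "ntdll.dll":
        flags.append("syscall instruction outside ntdll")
    for ret in frames[1:]:
        mod = module_of(ret)
        # Check 2: a frame returning into unbacked memory points at a stub.
        if mod is None:
            flags.append(f"return address {ret:#x} in unbacked memory")
        # Check 3: a synthetic frame lands in a module, but not after a call.
        elif not preceded_by_call(ret):
            flags.append(f"return address {ret:#x} in {mod} not preceded by a call")
    return flags

if __name__ == "__main__":
    # Constructed captures: legitimate, direct syscall, indirect syscall, spoofed frame.
    for stack in ([0x7FF800001000, 0x7FF800400A10, 0x00401234],
                  [0x00500000, 0x00401234],
                  [0x7FF800001000, 0x00500010],
                  [0x7FF800001000, 0x7FF800400A10, 0x7FF800600000]):
        print([hex(f) for f in stack], triage_stack(stack) or "clean")
```

An indirect syscall passes check 1 by design, so only the caller-frame checks catch it, which is why the trampoline and synthetic frames in the post aim at those.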
Joined: 28 September 2025
20 April, 2026 at 06:45 AM
#2
Indirect syscalls are the meta right now mate :D Direct syscalls are basically a death sentence on Win11.
Joined: 18 August 2025
20 April, 2026 at 07:02 AM
#3
lol 'stack spoofing' is a life saver. Have you tried using synthetic frames to confuse the stack walk?
Joined: 30 July 2025
20 April, 2026 at 07:15 AM
#4
Nice technical breakdown bro. I'm struggling with the kernel callbacks though, any tips?
Joined: 19 January 2026
20 April, 2026 at 07:30 AM
#5
You need to look into PspCreateProcessNotifyRoutine bypasses mate. It's a bit deep but doable :D
Joined: 02 December 2025
20 April, 2026 at 07:45 AM
#6
What about the Beacon Object Files? Can we use this logic there?
Joined: 29 December 2025
20 April, 2026 at 08:00 AM
#7
Yep, if you integrate it into your BOF template it works like a charm lol
Joined: 10 October 2025
20 April, 2026 at 08:15 AM
#8
Bro, EDRs are literally getting smarter every day. It's a cat and mouse game :D
Joined: 08 December 2025
20 April, 2026 at 08:30 AM
#9
Cat and mouse indeed. But we are the fast mice lol
Joined: 28 September 2025
20 April, 2026 at 08:45 AM
#10
Anyone have a working code snippet for the stack spoofing part? I'm getting access violation errors.
Joined: 28 May 2025
20 April, 2026 at 09:00 AM
#11
Check your offsets mate, Win11 22H2 changed some internal structures :/
Joined: 22 January 2026
20 April, 2026 at 09:15 AM
#12
Thanks for the heads up, will check the offsets again!
Joined: 29 December 2025
20 April, 2026 at 09:30 AM
#13
lol 'access violation' is my middle name mate :D
Joined: 13 June 2025
20 April, 2026 at 09:45 AM
#14
Does this bypass Carbon Black? They have some crazy memory integrity checks.
Joined: 14 November 2025
20 April, 2026 at 10:00 AM
#15
It should, if you don't touch the monitored kernel addresses mate $$$
Joined: 19 January 2026
20 April, 2026 at 10:15 AM
#16
Nice thread. Saved for my next project :D
Joined: 28 February 2026
20 April, 2026 at 10:30 AM
#17
Is it worth using TitanHide for this?
Joined: 22 July 2025
20 April, 2026 at 10:45 AM
#18
TitanHide is good for debuggers, but for EDR you need more subtle methods mate lol
Joined: 26 April 2025
20 April, 2026 at 11:00 AM
#19
True, EDRs are looking for different triggers than debuggers.
Joined: 10 December 2025
20 April, 2026 at 11:15 AM
#20
What about the ETW monitoring? They also catch syscalls through there.