Bypassing modern EDRs: indirect syscalls and stack spoofing
Joined: Nov 2025 | Messages: 17 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 06:30 AM
#1
Hey boys, I've been testing some of the latest EDR solutions (CrowdStrike, SentinelOne) and their hook detection is getting crazy. If you're just using direct syscalls, you're going to get caught by their call stack analysis.
The method:
I've been implementing indirect syscalls combined with stack spoofing. The idea is to execute the syscall from within the ntdll memory space, so it looks like a legitimate system call coming from the OS, not your malware stub.
Pro tip:
Use a custom trampoline to jump back to your code. It confuses the EDR's return-address checks. I've successfully bypassed 3 major EDRs last week with this setup.
Anyone else working on custom stubs for EDR evasion? I'm looking for a better way to spoof the thread execution context without triggering a full kernel callback alert.
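An added example (not code from this thread or from any tool the posters mention) that makes the "execute the syscall from within ntdll" mechanic concrete: it parses byte strings laid out like the x64 Nt/Zw stubs in ntdll.dll to recover the SSN and the offset of the `syscall ; ret` gadget an indirect-syscall caller would jump to, flags the E9 (jmp rel32) inline hook an EDR leaves, and recovers the SSN of a hooked stub from a clean neighbour. The stub layout is the usual Win10/11 x64 one; the sample stubs, their SSNs and the hook bytes are constructed for the example, and the code never issues a real syscall, so it runs on any host:

```c
/* Added example, not code from the thread or from any named tool. Parses
 * constructed byte strings laid out like the x64 Nt/Zw stubs in ntdll.dll.
 * Stub layout: Win10/11 x64. Sample bytes and SSNs below are invented. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_LEN 32  /* bytes examined per export slot (assumed spacing) */

enum { STUB_CLEAN = 0, STUB_HOOKED = 1, STUB_UNKNOWN = -1 };

typedef struct {
    uint32_t ssn;        /* immediate of "mov eax, imm32" */
    int syscall_offset;  /* offset of 0F 05 C3 inside the stub, -1 if absent */
} stub_info_t;

/* Classify one stub and, if clean, fill in SSN and gadget offset. */
int parse_x64_stub(const uint8_t *stub, size_t len, stub_info_t *out)
{
    out->ssn = 0;
    out->syscall_offset = -1;
    if (len < 8) return STUB_UNKNOWN;
    /* An inline hook overwrites the prologue with jmp rel32 (E9), either at
     * offset 0 or right after a preserved "mov r10, rcx". */
    if (stub[0] == 0xE9) return STUB_HOOKED;
    if (stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xE9) return STUB_HOOKED;
    /* Clean prologue: 4C 8B D1 (mov r10, rcx)  B8 imm32 (mov eax, SSN). */
    if (!(stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xB8)) return STUB_UNKNOWN;
    out->ssn = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8) |
               ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);
    /* The gadget is what "indirect" means: instead of executing syscall in its
     * own buffer, the caller loads eax/r10 and jumps to this address inside ntdll. */
    for (size_t i = 8; i + 2 < len; i++)
        if (stub[i] == 0x0F && stub[i + 1] == 0x05 && stub[i + 2] == 0xC3) {
            out->syscall_offset = (int)i;
            return STUB_CLEAN;
        }
    return STUB_UNKNOWN;
}

/* If the wanted stub is hooked, derive its SSN from the nearest clean
 * neighbour: ntdll's Zw stubs sit in SSN order, so a clean stub k slots away
 * carries SSN -/+ k (the Halo's Gate observation). Returns 0 on success. */
int resolve_ssn(const uint8_t *stubs[], int n, int idx, uint32_t *ssn)
{
    stub_info_t info;
    int rc = parse_x64_stub(stubs[idx], STUB_LEN, &info);
    if (rc == STUB_CLEAN) { *ssn = info.ssn; return 0; }
    if (rc != STUB_HOOKED) return -1;
    for (int k = 1; k < n; k++) {
        if (idx + k < n && parse_x64_stub(stubs[idx + k], STUB_LEN, &info) == STUB_CLEAN) { *ssn = info.ssn - k; return 0; }
        if (idx - k >= 0 && parse_x64_stub(stubs[idx - k], STUB_LEN, &info) == STUB_CLEAN) { *ssn = info.ssn + k; return 0; }
    }
    return -1;
}

/* Constructed sample stubs: mov r10,rcx; mov eax,SSN; test byte ptr [7FFE0308h],1;
 * jne +3; syscall; ret; int 2Eh; ret; then int3 padding up to the next export. */
static void make_clean_stub(uint8_t *b, uint32_t ssn)
{
    static const uint8_t t[] = { 0x4C,0x8B,0xD1, 0xB8,0,0,0,0,
        0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01, 0x75,0x03, 0x0F,0x05, 0xC3, 0xCD,0x2E, 0xC3 };
    memset(b, 0xCC, STUB_LEN);
    memcpy(b, t, sizeof t);
    b[4] = ssn & 0xFF; b[5] = (ssn >> 8) & 0xFF; b[6] = (ssn >> 16) & 0xFF; b[7] = (ssn >> 24) & 0xFF;
}
static void make_hooked_stub(uint8_t *b, uint32_t ssn)
{
    make_clean_stub(b, ssn);
    b[0] = 0xE9; b[1] = 0x11; b[2] = 0x22; b[3] = 0x33; b[4] = 0x44;  /* jmp rel32 into the EDR DLL (invented displacement) */
}

/* Three neighbouring slots with invented SSNs 0x36..0x38; the middle one is hooked.
 * Returns the SSN recovered for it, or 0xFFFFFFFF on failure. */
uint32_t demo_resolve_hooked(void)
{
    static uint8_t s0[STUB_LEN], s1[STUB_LEN], s2[STUB_LEN];
    make_clean_stub(s0, 0x36);
    make_hooked_stub(s1, 0x37);
    make_clean_stub(s2, 0x38);
    const uint8_t *table[] = { s0, s1, s2 };
    uint32_t ssn;
    return resolve_ssn(table, 3, 1, &ssn) == 0 ? ssn : 0xFFFFFFFFu;
}

int main(void)
{
    uint8_t b[STUB_LEN];
    stub_info_t info;
    make_clean_stub(b, 0x18);
    parse_x64_stub(b, STUB_LEN, &info);
    printf("clean stub: ssn=0x%x, syscall;ret at +%d\n", info.ssn, info.syscall_offset);
    printf("hooked stub resolved via neighbour: ssn=0x%x\n", demo_resolve_hooked());
    return 0;
}
```

The same parsing serves the defender's side: comparing each in-memory stub against the on-disk copy, or simply looking for E9 in the first bytes, tells you which Nt functions a given EDR hooks, and a `syscall ; ret` whose return address lands in ntdll is exactly what a return-address-only check sees as "legitimate".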
Joined: Sep 2025 | Messages: 26 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 06:45 AM
#2
Indirect syscalls are the meta right now, mate :D Direct syscalls are basically a death sentence on Win11.
Joined: Aug 2025 | Messages: 9 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 07:02 AM
#3
Lol, 'stack spoofing' is a lifesaver. Have you tried using synthetic frames to confuse the stack walk?
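To show what the stack checks discussed in this thread actually look at, here is an added example, not from the thread or any poster: it runs two checks over constructed call stacks (innermost frame first), a return-address-only check and a full walk that requires every frame to be image-backed and the chain to end in a thread-start frame. The module map, addresses and the three scenarios are made up; nothing here captures a real stack.

```c
/* Added example, not code from the thread. Models the call-stack checks the
 * posts refer to and runs them over constructed stacks. Module ranges and
 * frame addresses are invented sample data. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct { const char *name; uint64_t base, size; } module_t;

/* Constructed image map for one process (addresses are invented). */
static const module_t MODS[] = {
    { "ntdll.dll",      0x7FF800000000ull, 0x200000 },
    { "kernelbase.dll", 0x7FF7F0000000ull, 0x300000 },
    { "kernel32.dll",   0x7FF7E0000000ull, 0x100000 },
};
#define NMODS 3

static const module_t *find_module(uint64_t addr)
{
    for (int i = 0; i < NMODS; i++)
        if (addr >= MODS[i].base && addr < MODS[i].base + MODS[i].size) return &MODS[i];
    return NULL;   /* not backed by any loaded image: heap or VirtualAlloc'd code */
}

enum {
    V_OK = 0,
    V_SYSCALL_NOT_IN_NTDLL = 1,   /* return address of the syscall is outside ntdll */
    V_UNBACKED_FRAME = 2,         /* some frame returns into memory no image backs */
    V_NO_THREAD_ROOT = 4,         /* chain does not end in a thread-start frame */
};

/* Check 1: only the frame that returns from the syscall instruction is examined.
 * A direct syscall fails it; an indirect syscall (syscall;ret inside ntdll) passes. */
int check_return_address_only(const uint64_t *frames, int n)
{
    if (n < 1) return V_SYSCALL_NOT_IN_NTDLL;
    const module_t *m = find_module(frames[0]);
    return (m && strcmp(m->name, "ntdll.dll") == 0) ? V_OK : V_SYSCALL_NOT_IN_NTDLL;
}

/* Check 2: walk every frame. Unbacked frames, and a chain that does not bottom
 * out in kernel32/ntdll (where BaseThreadInitThunk/RtlUserThreadStart live),
 * are flagged. Frames are innermost first, thread start last. Returns a bitmask. */
int walk_stack(const uint64_t *frames, int n)
{
    int verdict = check_return_address_only(frames, n);
    for (int i = 0; i < n; i++)
        if (!find_module(frames[i])) verdict |= V_UNBACKED_FRAME;
    const module_t *root = n ? find_module(frames[n - 1]) : NULL;
    if (!root || (strcmp(root->name, "kernel32.dll") && strcmp(root->name, "ntdll.dll")))
        verdict |= V_NO_THREAD_ROOT;
    return verdict;
}

/* Constructed addresses: ntdll's syscall;ret gadget, an injected buffer,
 * ordinary kernelbase code, and the kernel32 thread-start thunk. */
#define NTDLL_SYSCALL_RET  0x7FF8000A1234ull
#define INJECTED_BUF       0x000001E000010000ull
#define KERNELBASE_CODE    0x7FF7F0012345ull
#define KERNEL32_THUNK     0x7FF7E0017AB0ull

/* 1: syscall instruction executed inside the injected buffer. */
int scenario_direct_syscall(void)
{ uint64_t f[] = { INJECTED_BUF + 0x40, INJECTED_BUF + 0x200, KERNEL32_THUNK }; return walk_stack(f, 3); }

/* 2: jumps to ntdll's syscall;ret, which returns into the buffer. */
int scenario_indirect_syscall(void)
{ uint64_t f[] = { NTDLL_SYSCALL_RET, INJECTED_BUF + 0x200, KERNEL32_THUNK }; return walk_stack(f, 3); }

/* 3: as 2, plus synthetic frames so no return address is unbacked. */
int scenario_indirect_spoofed(void)
{ uint64_t f[] = { NTDLL_SYSCALL_RET, KERNELBASE_CODE, KERNEL32_THUNK }; return walk_stack(f, 3); }

int main(void)
{
    printf("direct syscall      -> verdict %d\n", scenario_direct_syscall());
    printf("indirect syscall    -> verdict %d\n", scenario_indirect_syscall());
    printf("indirect + spoofed  -> verdict %d\n", scenario_indirect_spoofed());
    return 0;
}
```

Scenario 2 is why the return-address-only check is no longer enough (it reports V_OK while the walk still sees the unbacked frame), and scenario 3 is the situation the posts describe: once no frame points at unbacked memory, both checks are silent, so an EDR has to go further, for instance verifying that each return address is preceded by a call instruction, validating frame sizes against the module's unwind information, or relying on kernel-side telemetry rather than the user-mode stack alone.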
Joined: Jul 2025 | Messages: 8 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 07:15 AM
#4
Nice technical breakdown, bro. I'm struggling with the kernel callbacks though, any tips?
Joined: Jan 2026 | Messages: 12 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 07:30 AM
#5
You need to look into PspCreateProcessNotifyRoutine bypasses, mate. It's a bit deep but doable :D
Joined: Dec 2025 | Messages: 12 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 07:45 AM
#6
What about beacon object files? Can we use this logic there?
Joined: Dec 2025 | Messages: 8 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 08:00 AM
#7
Yep, if you integrate it into your BOF template it works like a charm, lol.
Joined: Oct 2025 | Messages: 16 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 08:15 AM
#8
Bro, EDRs are literally getting smarter every day. It's a cat-and-mouse game :D
Joined: Dec 2025 | Messages: 13 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 08:30 AM
#9
Cat and mouse indeed. But we are the fast mice, lol.
Joined: Sep 2025 | Messages: 21 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 08:45 AM
#10
Anyone have a working code snippet for the stack spoofing part? I'm getting access violation errors.
Joined: May 2025 | Messages: 17 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 09:00 AM
#11
Check your offsets, mate. Win11 22H2 changed some internal structures :/
Joined: Jan 2026 | Messages: 10 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 09:15 AM
#12
Thanks for the heads-up, will check the offsets again!
Joined: Dec 2025 | Messages: 8 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 09:30 AM
#13
Lol, 'access violation' is my middle name, mate :D
Joined: Jun 2025 | Messages: 14 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 09:45 AM
#14
Does this bypass Carbon Black? They have some crazy memory integrity checks.
Joined: Nov 2025 | Messages: 23 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 10:00 AM
#15
It should, if you don't touch the monitored kernel addresses, mate $$$
Joined: Jan 2026 | Messages: 15 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 10:15 AM
#16
Nice thread. Saved for my next project :D
Joined: Feb 2026 | Messages: 10 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 10:30 AM
#17
Is it worth using TitanHide for this?
Joined: Jul 2025 | Messages: 14 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 10:45 AM
#18
TitanHide is good for debuggers, but for EDR you need more subtle methods, mate, lol.
Joined: Apr 2025 | Messages: 12 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 11:00 AM
#19
True, EDRs are looking for different triggers than debuggers.
Joined: Dec 2025 | Messages: 19 | Reputation: 0 | Guarantor: 0
20 April, 2026 at 11:15 AM
#20
What about ETW monitoring? They also catch syscalls through there.