Exploring Antivirus and EDR evasion techniques step-by-step. Part 3
Reading into Direct Syscalls with Syswhispers.
Now that we have a better understanding of syscalls and know the chain from application ==> Windows API ==> Native Windows API, it is time to actually implement the bypass by making use of direct syscalls.
But first, let's dive a tiny bit deeper into the code we already created in Part 1. We will use WinDbg to investigate the code of the native Windows API, focusing specifically on the NtAllocateVirtualMemory function and what its instructions look like in assembly!
I am interested to see whether this changes after we use SysWhispers!
Understanding the Assembly Code for NtAllocateVirtualMemory in WinDBG
Assembly code can be intimidating at first, but with some guidance we can break it down step by step to understand what’s happening. First, we need WinDbg.
WinDbg is a kernel-mode and user-mode debugger that’s included in Debugging Tools for Windows.
We will use that tool to debug and view the steps our native Windows API takes, focusing on one function: NtAllocateVirtualMemory. Its instructions can be disassembled by executing the following command:
u ntdll!NtAllocateVirtualMemory
Let's analyze the code line by line.