NullGate: A Modern Approach to Indirect Syscalls with Defender Bypass
This project implements a convenient, modern way to call NTAPI functions through indirect syscalls, combined with the FreshyCalls method (with a small twist) for dynamic syscall number retrieval. It also uses a technique I haven't seen mentioned elsewhere to bypass Windows Defender's memory scanning, and it includes a classic PoC process injector.

Windows Defender memory scan bypass
The core of the issue is that when we call NtCreateThreadEx or NtCreateProcess, a memory scan is triggered and our heavily signatured msfvenom payload gets detected.
How to bypass that?
A known solution is to set the page protection to PAGE_NOACCESS when calling NtAllocateVirtualMemory, then create the thread in a suspended state. When Windows Defender tries to scan our process memory, the read fails. We then restore executable permissions on the page and resume the thread with NtResumeThread. This works, but what if a more competent security solution is in use? What would it do? It would of course just use VirtualProtect to change the permissions of our page and detect msfvenom.

To get around that I changed the strategy a bit. Instead of setting the page to PAGE_NOACCESS, the first write to the target process's memory contains only junk data (yes, this is required, or I'm just too stupid to find a way to get it working without it). Then we create the thread in a suspended state. After that we write the real shellcode to the process, and finally we resume the thread with NtResumeThread. With this technique we don't have to worry about our memory being inspected after the call to NtCreateThreadEx, because there is nothing there yet; only afterwards is the decrypted shellcode written and execution resumed. Note that this defeats a scan keyed on thread creation: a product that also scans on NtWriteVirtualMemory or NtResumeThread would still see the payload in the window between the second write and the resume.