execute syscall

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: execute syscall
    namespace: anti-analysis
    authors:
      - "@kulinacs"
      - "@mr-tz"
      - mehunhoff@google.com
      - still@teamt5.org
    description: may be used to evade hooks or hinder analysis
    scopes:
      static: basic block
      dynamic: unsupported  # requires mnemonic features
    references:
      - https://github.com/j00ru/windows-syscalls
      - https://codemachine.com/articles/system_call_instructions.html
      - https://www.felixcloutier.com/x86/sysenter
  features:
    - or:
      - and:
        - or:
          - os: linux
          - os: android
        - api: syscall # https://man7.org/linux/man-pages/man2/syscall.2.html
      - and:
        - or:
          - mnemonic: sysenter
          - mnemonic: syscall
          - instruction:
            - mnemonic: int
            - operand[0].number: 0x2e
        - or:
          - mnemonic: ret
          - mnemonic: retn
last edited: 2024-09-24 11:24:52