I wrote a header-only indirect syscall library for Windows x64 — zero CRT, zero IAT, 19KB standalone

Been working on a syscall library that takes a different approach from the usual implementations floating around.

The idea was simple — what if the binary has literally nothing in its import table? No GetProcAddress, no GetModuleHandle, no VirtualProtect, nothing. Everything resolved through PEB walking at runtime.

What it does:

  • Indirect syscalls — stubs jump into ntdll's own syscall;ret gadget so RIP is always inside ntdll
  • Every call generates a fresh stub with random junk instructions and XOR'd syscall number, wiped right after
  • W^X memory — pages go RW → RX → RW, never RWX
  • VEH-based breakpoint bypass — if someone puts a 0xCC on a function, the exception handler restores the byte, single-steps past it, puts it back. Zero timing window
  • AMSI/ETW patching through syscalls
  • All strings XOR-encrypted at compile time, decrypted on stack, wiped after use
  • Custom hash algorithm for API resolution (no FNV-1a fingerprints)
  • No CRT, no STL, custom entry point, the whole binary is ~19KB

Header-only, just drop the folder into your project. MIT license.

https://github.com/Share-devn/stealth_call

submitted by /u/Anxious_Curve_5987