
[QUESTION] What is the purpose of the assembly code _SyscallNtCreateFile in Syscalls.asm

Open · funte opened this issue 5 months ago · 1 comment

https://github.com/bytecode77/r77-rootkit/blob/3ff9fd89eafac0895e2c6ad62a67a9b1acb1ebd6/Unhook/Syscalls.asm#L17

```asm
; x86 (32-bit) build: placeholder stub that only returns -1 (see the maintainer's reply)
_SyscallNtCreateFile PROC
    mov     eax, -1
    ret
_SyscallNtCreateFile ENDP
```

funte · Jun 25 '25 13:06

That is for the EDR unhooking module. Because the real NtCreateFile is monitored by antivirus software, it cannot be called because it would trigger a detection. That's why unhooking uses these syscall stubs to unhook ntdll, to get rid of all EDR hooks without the unhooking routine itself triggering a detection.

And the code snippet you show is a dummy that is never actually called - I do not implement EDR unhooking in the Windows x86 edition. 32-bit Windows is fully supported, but I don't port every single feature there.

bytecode77 · Jun 26 '25 09:06
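The reply above describes the mechanism: the unhooking routine issues system calls through its own stubs so that the hooked ntdll exports are never executed. The defensive counterpart of that design is the observation that a `syscall`/`sysenter` instruction executing from memory that is not part of ntdll (or win32u) is anomalous and worth flagging. The following scanner is an added example written for this page, not code from r77-rootkit; it runs over constructed byte buffers standing in for a process's private executable regions and reports every `mov eax, imm32` immediately followed by `syscall` or `sysenter`, together with the loaded service number. The sample bytes and the service numbers 0x55 and 0x42 in them are made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One finding: where a raw syscall stub starts in the scanned region, the
   system service number (SSN) it loads into eax, and whether it ends in the
   64-bit `syscall` (0F 05) or the 32-bit `sysenter` (0F 34). */
typedef struct {
    size_t   offset;
    uint32_t ssn;
    int      is_sysenter;
} syscall_hit;

/* Scan a buffer of executable bytes for `mov eax, imm32` (B8 imm32) directly
   followed by syscall/sysenter. When the stub is preceded by the canonical x64
   prologue `mov r10, rcx` (4C 8B D1), the reported offset is that instruction. */
size_t find_direct_syscalls(const uint8_t *buf, size_t len,
                            syscall_hit *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 7 <= len && n < max_out; i++) {
        if (buf[i] != 0xB8 || buf[i + 5] != 0x0F)
            continue;
        int sysenter;
        if (buf[i + 6] == 0x05)      sysenter = 0;   /* syscall  */
        else if (buf[i + 6] == 0x34) sysenter = 1;   /* sysenter */
        else continue;

        uint32_t ssn = (uint32_t)buf[i + 1]
                     | (uint32_t)buf[i + 2] << 8
                     | (uint32_t)buf[i + 3] << 16
                     | (uint32_t)buf[i + 4] << 24;
        size_t start = i;
        if (i >= 3 && buf[i - 3] == 0x4C && buf[i - 2] == 0x8B && buf[i - 1] == 0xD1)
            start = i - 3;                           /* include mov r10, rcx */
        out[n].offset = start;
        out[n].ssn = ssn;
        out[n].is_sysenter = sysenter;
        n++;
    }
    return n;
}

/* Scalar helpers so a caller (or a test) can check results without a struct. */
size_t count_direct_syscalls(const uint8_t *buf, size_t len)
{
    syscall_hit hits[64];
    return find_direct_syscalls(buf, len, hits, 64);
}
long first_syscall_ssn(const uint8_t *buf, size_t len)
{
    syscall_hit h;
    return find_direct_syscalls(buf, len, &h, 1) ? (long)h.ssn : -1;
}
long first_syscall_offset(const uint8_t *buf, size_t len)
{
    syscall_hit h;
    return find_direct_syscalls(buf, len, &h, 1) ? (long)h.offset : -1;
}
int first_syscall_is_sysenter(const uint8_t *buf, size_t len)
{
    syscall_hit h;
    return find_direct_syscalls(buf, len, &h, 1) ? h.is_sysenter : -1;
}

/* Constructed sample (not taken from any real binary): a private executable
   region holding a harmless function followed by a raw x64 syscall stub.
   The SSN 0x55 is a made-up value. */
static const uint8_t sample_x64_region[] = {
    0x55, 0x48, 0x89, 0xE5, 0x5D, 0xC3,        /* push rbp; mov rbp,rsp; pop rbp; ret */
    0x90, 0x90,                                /* nop; nop                            */
    0x4C, 0x8B, 0xD1,                          /* mov r10, rcx        (offset 8)      */
    0xB8, 0x55, 0x00, 0x00, 0x00,              /* mov eax, 0x55       (offset 11)     */
    0x0F, 0x05,                                /* syscall             (offset 16)     */
    0xC3,                                      /* ret                                 */
    0xCC, 0xCC,                                /* int3 padding                        */
};

/* Constructed 32-bit variant: mov eax, imm32 followed by sysenter (SSN 0x42 made up). */
static const uint8_t sample_x86_region[] = {
    0xB8, 0x42, 0x00, 0x00, 0x00, 0x0F, 0x34, 0xC3,
};

/* Constructed benign bytes: mov eax, imm32 followed by ret, no syscall instruction. */
static const uint8_t sample_benign_region[] = {
    0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3, 0x90, 0x90, 0x90, 0x90,
};

int main(void)
{
    syscall_hit hits[8];
    size_t n = find_direct_syscalls(sample_x64_region, sizeof sample_x64_region, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("stub at offset %zu: ssn=0x%x via %s\n", hits[i].offset, hits[i].ssn,
               hits[i].is_sysenter ? "sysenter" : "syscall");
    printf("benign region hits: %zu\n",
           count_direct_syscalls(sample_benign_region, sizeof sample_benign_region));
    return 0;
}
```

In a real detector the input would be every executable region of the inspected process that is not backed by the ntdll or win32u image (enumerated with `VirtualQueryEx` and read with `ReadProcessMemory`); this example only covers the plain stub shape, so a stub that splits or obfuscates the `mov eax, imm32` would be missed, and some legitimate runtimes do issue raw system calls, so a hit is a signal to correlate with the process's image load and thread start context rather than a verdict on its own.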