(In)Direct Syscalls: A Journey from High to Low

By: Daniel Feichter


Our workshop/journey will be called "(In)direct Syscalls: A Journey from High to Low". It is a hands-on experience where we start with some Windows internals basics, talk about system calls in Windows OS in general, take a look at Win32 APIs, Native APIs, etc. We also take a look at the concepts of direct syscalls and indirect syscalls. Based on various chapters, each student will build their own indirect syscall shellcode loader step by step and analyze it a bit with x64dbg. Below is an overview of the chapters covered in the workshop.

- Chapter 1: Windows NT Basics

- Chapter 2: Windows OS System Calls

- Chapter 3: The concept of direct syscalls

- Chapter 4: Building and Analyzing the Win32 API shellcode loader

- Chapter 5: Building and analyzing the NTAPI shellcode loader

- Chapter 6: Build and analyze the direct syscall shellcode loader

- Chapter 7: Build and analyze the indirect syscall shellcode loader

- Chapter 8: Call stack analysis

- Chapter 9: Summary

If we have some time left, we can take a look at the bonus chapters to improve our indirect syscall shellcode loader step by step.

- Bonus Chapter 1: Getting SSNs dynamically via GetProcAddress

- Bonus Chapter 2: Getting SSNs dynamically via PEB/EAT

- Bonus Chapter 3: Indirect Syscalls and Hooked SSNs via EDR

All materials required for this workshop will be posted on the day of the event, August 12th (US time). These resources, including slides, theory, playbooks, etc., will be hosted on a dedicated GitHub repository to ensure easy access for all attendees. The link to this repository will be published on the day of the workshop and will be available at


The general requirements and the technical requirements can be found at the following links.



(c)2023, Red Team Village