acheron: indirect syscalls for AV/EDR evasion in Go assembly

Acheron

Acheron is a library inspired by SysWhisper3/FreshyCalls/RecycledGate, with most of the functionality implemented in Go assembly.

acheron package can be used to add indirect syscall capabilities to your Golang tradecraft, to bypass AV/EDRs that makes use of usermode hooks and instrumentation callbacks to detect anomalous syscalls that don’t return to ntdll.dll when the call transition back from kernel->userland.

Main Features

• No dependencies
• Pure Go and Go assembly implementation
• Custom string encryption/hashing function support to counter static analysis

How it works

The following steps are performed when creating a new syscall proxy instance:

1. Walk the PEB to retrieve the base address of in-memory ntdll.dll
2. Parse the exports directory to retrieve the address of each exported function
3. Calculate the system service number for each Zw* function
4. Enumerate unhooked/clean syscall;ret gadgets in ntdll.dll, to be used as trampolines
5. Creates the proxy instance, which can be used to make indirect (or direct) syscalls

Install & Use

Copyright (c) 2023 f1zm0 <root@fzm.ooo>