acheron: indirect syscalls for AV/EDR evasion in Go assembly
Acheron
Acheron is a library inspired by SysWhisper3/FreshyCalls/RecycledGate, with most of the functionality implemented in Go assembly.
acheron package can be used to add indirect syscall capabilities to your Golang tradecraft, to bypass AV/EDRs that makes use of usermode hooks and instrumentation callbacks to detect anomalous syscalls that don’t return to ntdll.dll when the call transition back from kernel->userland.
Main Features
- No dependencies
- Pure Go and Go assembly implementation
- Custom string encryption/hashing function support to counter static analysis
How it works
The following steps are performed when creating a new syscall proxy instance:
- Walk the PEB to retrieve the base address of in-memory ntdll.dll
- Parse the exports directory to retrieve the address of each exported function
- Calculate the system service number for each Zw* function
- Enumerate unhooked/clean syscall;ret gadgets in ntdll.dll, to be used as trampolines
- Creates the proxy instance, which can be used to make indirect (or direct) syscalls
Install & Use
Copyright (c) 2023 f1zm0 <root@fzm.ooo>
