How the direct syscall method works in Sysplant — inline syscall instruction with SSN resolution at runtime.
# Direct Method

## Principle
The direct method places a `syscall` instruction inline in the generated stub. The SSN (system service number) is resolved at runtime by calling `SPT_GetSyscallNumber`; the resolved value is then loaded into `EAX` before the `syscall` instruction executes.

This is the simplest execution path: the entire syscall happens within your module's code, with no transition through `ntdll`.
## Generated stub (x64, from source)

```asm
SPT_Syscall:
    pop rax                     ; discard return address from SPT_Syscall's caller frame
    pop rax                     ; load function hash (pushed by the Nt* wrapper)
    mov [rsp+ 8], rcx           ; save arg1
    mov [rsp+16], rdx           ; save arg2
    mov [rsp+24], r8            ; save arg3
    mov [rsp+32], r9            ; save arg4
    sub rsp, 0x28               ; allocate 40-byte shadow space
    mov rcx, rax                ; function hash → first argument for SPT_GetSyscallNumber
    call SPT_GetSyscallNumber   ; returns SSN in EAX/RAX
    add rsp, 0x28               ; restore stack
    mov rcx, [rsp+ 8]           ; restore arg1
    mov rdx, [rsp+16]           ; restore arg2
    mov r8, [rsp+24]            ; restore arg3
    mov r9, [rsp+32]            ; restore arg4
    mov r10, rcx                ; Windows x64 syscall ABI: R10 = first arg
    syscall                     ; kernel transition — EAX holds the SSN
    ret
```
The `syscall` instruction is literal in the generated file (the `##__SYSCALL_INT__##` placeholder is replaced with the actual opcode bytes `0F 05`).
## What the kernel sees

The kernel's syscall handler receives:

- `EAX`: the SSN that identifies the target kernel function.
- `R10`, `RDX`, `R8`, `R9`: the first four arguments (further arguments are on the stack).
- Return address (on the stack): the address inside your module immediately after the `syscall` instruction.
The return address is inside your binary, not inside `ntdll`. Some EDR products use kernel callback mechanisms to inspect the user-mode return address during a syscall and flag calls whose return address does not point into `ntdll`.
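The two observable artifacts described above (a literal `0F 05` in a non-`ntdll` code section, and a syscall return address that falls outside `ntdll`) are what a defender can check for. The following is an added example, not part of Sysplant: a byte scanner for the stub tail `mov r10, rcx ; syscall ; ret` and a return-address classifier against constructed module ranges. The `Module` type and the sample bytes are assumptions made for this illustration.

```python
"""Added example (not Sysplant code): static and runtime checks for the
inline-syscall pattern described above."""
from dataclasses import dataclass

SYSCALL = b"\x0f\x05"          # opcode bytes of the `syscall` instruction
RET = b"\xc3"                  # `ret`
# Both x64 encodings of `mov r10, rcx`, the instruction that precedes `syscall`.
MOV_R10_RCX = (b"\x4c\x8b\xd1", b"\x49\x89\xca")


def find_inline_syscalls(code: bytes) -> list[dict]:
    """Return every offset of 0F 05 in `code`. A hit is marked `stub_like`
    only when it is preceded by mov r10,rcx and followed by ret, which
    separates a stub tail from a bare byte match inside other data."""
    hits, start = [], 0
    while (off := code.find(SYSCALL, start)) != -1:
        preceded = any(code[off - len(m):off] == m
                       for m in MOV_R10_RCX if off >= len(m))
        followed = code[off + 2:off + 3] == RET
        hits.append({"offset": off, "stub_like": preceded and followed})
        start = off + 1
    return hits


@dataclass
class Module:          # assumed shape of a loaded-module record
    name: str
    base: int
    size: int


def classify_return_address(ret_addr: int, modules: list[Module]) -> str:
    """Name the module that contains a syscall's user-mode return address.
    'ntdll.dll' is the expected answer for an ordinary Nt* call; any other
    module, or no backing module at all, is the signal the page describes."""
    for m in modules:
        if m.base <= ret_addr < m.base + m.size:
            return m.name
    return "<unbacked>"


# Constructed sample .text bytes: two nops, a stub tail, then `mov eax, 0x50f`,
# whose immediate happens to contain 0F 05 (a bare match, not a stub).
SAMPLE_TEXT = b"\x90\x90" + b"\x4c\x8b\xd1\x0f\x05\xc3" + b"\xb8\x0f\x05\x00\x00"
SAMPLE_MODULES = [Module("ntdll.dll", 0x7FF800000000, 0x200000),
                  Module("app.exe", 0x140000000, 0x10000)]

if __name__ == "__main__":
    for hit in find_inline_syscalls(SAMPLE_TEXT):
        print(hit)
    print(classify_return_address(0x140001234, SAMPLE_MODULES))
```

Only a `stub_like` hit in a module other than `ntdll` is worth raising; a lone `0F 05` inside an immediate or string is noise, which is why the scanner reports both flags rather than the raw byte count.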
## Characteristics

| Property | Value |
|---|---|
| Inline syscall in binary | Yes — `0F 05` bytes present in your `.text` section |
| SSN resolved at runtime | Yes — via `SPT_GetSyscallNumber` |
| EAX set explicitly | Yes |
| Return address during syscall | Inside your module |
| Hook avoidance | Iterator-dependent (hook bypass only at SSN resolution, not at call site) |
## When to use

- First choice when call-stack inspection is not a concern.
- Simplest to integrate; any iterator can be combined with direct.