SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.
Kristal-g
/ SyscallProvider.md
Created
May 12, 2025 09:02
Kristal-g
/ mutate_signed_pe.py
Created
October 24, 2020 19:15
Adds random data to PE file without breaking its digital signature
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import secrets | |
| # pefile==2019.4.18 | |
| import pefile | |
| if len(sys.argv) < 3: | |
| print("Usage: mutate_signed_pe.py <pe_path> <mod_factor>") | |
| exit(0) |