“According to the research published by Hackmosphere, the technique works by avoiding the conventional execution path where applications call Windows API functions through libraries like kernel32.dll, which then forwards requests to ntdll.dll before making the actual system call to the kernel.”
Additional Information:
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-1/
https://www.hackmosphere.fr/bypass-windows-defender-antivirus-2025-part-2/
I never made that claim, nor did the person you corrected.
Yes, but that’s why x86 assembly programmers do it…
No argument there. It’s also why it’s done in ARM, 8080, SM83, z80, 6502, and basically every other assembly language. It’s only not done in RISC-V because you can fold 0 into any instruction as an operand, therefore eliminating the need to clear a register before an instruction.
So why correct the person with a more narrow claim that makes it seem like xor being faster than loading zero is a rarity in CPU architectures? If I said “birds can fly”, and your response was “eagles can fly. Ftfy. Not all birds can fly”, it would be both true and utterly unhelpful.
Hey look, I’m good at something.