x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks

Overview

ASM HalosGate Direct System Caller

Assembly HalosGate implementation that calls Windows system calls directly, evades EDR user-land hooks, and displays the PPID of the explorer.exe process.

  • In the screenshot (not reproduced here), the system call numbers (SSNs) of the NTDLL.DLL functions "NtQuerySystemInformation" and "NtAllocateVirtualMemory" are recovered with the HalosGate technique after the HellsGate lookup fails: an EDR user-land hook has overwritten the `mov eax, <SSN>` stub that HellsGate reads, so HalosGate walks to neighbouring, unhooked syscall stubs and derives the number from their SSNs and the distance walked.
  • Once the system call numbers are resolved via the HellsGate and HalosGate methods, the calls are issued directly from the program's own `syscall` stubs. The (hooked) code in NTDLL is never executed.

To Do List

  • Obfuscate the strings that are used for resolving the addresses of the NTDLL symbols
    • Or use hashing
  • Need to fix some bugs when switching from debug to release mode in Visual Studio (Fixed 05/08/21)
  • Need to figure out how to properly overload the call to HellDescent() (Fixed 05/08/21)
  • Clean up the assembly functions; they are messy and could be better (Some cleanup 05/08/21)
  • Do better checking for the process image name so it doesn't conflict with other processes named explorer (Fixed 05/08/21)
  • Better error handling (Some better handling 05/08/21)
  • Make this into a Cobalt Strike Beacon Object File (Complete! 06/08/21)
  • Build on this project for process injection / syscall PS
  • Use HalosGate to handle EDR hooks (Implemented in this project on 05/08/21)

Credits / References

Owner
Bobby Cooke
SpiderLabs | OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64