Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process

Overview

Custom HellsGate Implementation

  • In the screenshot the "NtQuerySystemInformation" and "NtAllocateVirtualMemory" NTDLL.DLL APIs are invoked through direct Windows system calls rather than through the ntdll.dll stubs: NtAllocateVirtualMemory provides the buffer and NtQuerySystemInformation (SystemProcessInformation class) fills it with SYSTEM_PROCESS_INFORMATION entries, whose InheritedFromUniqueProcessId field is the PPID displayed for explorer.exe.
  • The system call numbers (SSNs) are discovered dynamically at runtime with the Hell's Gate method: walk the export table of the ntdll.dll already mapped into the process, locate each Nt* stub, and read the SSN out of its "mov eax, <SSN>" instruction instead of hardcoding per-build numbers.
  • The next step is to build on this with a custom Halo's Gate method so that EDR userland hooks (a jmp patched over the start of a stub, which destroys the bytes Hell's Gate reads) can be handled/evaded by deriving the SSN from a neighbouring unhooked stub.

To Do List

  • Obfuscate the strings that are used for resolving the addresses of the NTDLL symbols
    • Or use hashing
  • Need to fix some bugs when switching from debug to release mode in Visual Studio (Fixed 05/08/21)
  • Need to figure out how to properly overload the call to HellDescent() (Fixed 05/08/21)
  • Clean up the assembly functions, they are messy and could be better (Some cleanup 05/08/21)
  • Do better checking of the process image name so it doesn't conflict with other processes named explorer (Fixed 05/08/21)
  • Better error handling (Some better handling 05/08/21)
  • Make this into a Cobalt Strike Beacon Object File (BOF)
  • Build on this project for process injection / syscall PS
  • Use Halo's Gate to handle EDR hooks (05/08/21)

Credits / References

Owner
Bobby Cooke
SpiderLabs | OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64