Hellsgate + Halosgate/Tartarusgate. Ensures that all system calls go through ntdll.dll

Overview

RecycledGate

This is just another implementation of Hellsgate + Halosgate/Tartarusgate.

However, this implementation makes sure that all system calls still go through ntdll.dll, avoiding the use of direct system calls. To do so, I parse ntdll for non-hooked syscall stubs and re-use existing syscall;ret instructions, hence the name of this project.

This probably bypasses some EDRs that try to detect abnormal system calls.
I have verified the sample program in this repository against syscall-detect by @winternl_t, which uses the HookingNirvana technique to detect abnormal system calls.

.\Sample.exe HelloWorld.bin
[SYSCALL-DETECT] Console logging started...
[SYSCALL-DETECT] ntdll BaseAddress: 0x368508928
[SYSCALL-DETECT] win32u BaseAddress: 0x0
[*] Resolving Syscall: 916c6394
        Found syscall using Halos gate
        Found syscall; ret instruction
        Syscall nr: 74
        Gate: 00007FF9160100E2
[SNIP]
[*] Resolving Syscall: 8a4e6274
        Found syscall using Halos gate
        Found syscall; ret instruction
        Syscall nr: 188
        Gate: 00007FF916010F12
[*] Created section: 0x00000000000000B4
[*] Mapped section locally: 0x000001B244E50000
[*] Mapped section remote: 0x0000000000FE0000
[*] NtQueueApcThread successfull
[*] Resumed thread

The sample program can be found in the sample folder.

Usage

Here is a snippet, which should be self-explanatory.

Syscall sysNtCreateSection = { 0x00 };
NTSTATUS ntStatus;

dwSuccess = getSyscall(0x916c6394, &sysNtCreateSection);
if (dwSuccess == FAIL)
  goto exit;

PrepareSyscall(sysNtCreateSection.dwSyscallNr, sysNtCreateSection.pRecycledGate);
ntStatus = DoSyscall(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)&sizeBuffer, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
if (!NT_SUCCESS(ntStatus)) {
  printf("[-] Failed to create section\n");
  goto exit;
}

Note:

  • No instructions may exist between the call to PrepareSyscall and the call to DoSyscall.
  • The hash algorithm used is djb2. All hashes must be encrypted with the key 0x41424344. You can use the Hashgenerator in this repository.
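
For triage, the keyed djb2 constants described in the note can be mapped back to export names by hashing candidates and comparing. The following is an added example, not code from this repository. It assumes the "encryption" is a 32-bit XOR with the key, which reproduces the 0x916c6394 constant used in the snippet above for NtCreateSection; the candidate list and sample bytes are constructed.

```python
import struct

HASH_KEY = 0x41424344  # key stated in the README note

def djb2(name):
    """Classic djb2 (hash * 33 + c), truncated to 32 bits."""
    h = 5381
    for c in name.encode("ascii"):
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

def keyed_hash(name):
    """djb2 XORed with the key (XOR is an assumption, see lead-in)."""
    return djb2(name) ^ HASH_KEY

def build_table(names):
    """Map keyed hash -> export name for reverse lookup."""
    return {keyed_hash(n): n for n in names}

def resolve(hashes, names):
    """Return {hash: name or None} for constants pulled from a sample."""
    table = build_table(names)
    return {h: table.get(h) for h in hashes}

def scan_blob(blob, names):
    """Find 32-bit little-endian constants in blob that match a known hash."""
    table = build_table(names)
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits

# Constructed candidate list; in practice use the full ntdll.dll export table.
CANDIDATES = ["NtCreateSection", "NtMapViewOfSection", "NtQueueApcThread",
              "NtResumeThread", "NtOpenProcess", "NtClose"]

# Constructed sample: padding plus the README's constant as an immediate.
SAMPLE_BLOB = b"\x90" * 5 + struct.pack("<I", 0x916C6394) + b"\xcc" * 3

if __name__ == "__main__":
    for h, name in resolve([0x916C6394, 0x8A4E6274], CANDIDATES).items():
        print(f"{h:#010x} -> {name or 'unknown'}")
    print(scan_blob(SAMPLE_BLOB, CANDIDATES))
```

A constant that resolves to nothing only means the name is missing from the candidate list, so feed it every export of the ntdll.dll build under analysis.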

Credits

Owner
Red Teaming and Tooling stuff @codewhitesec