HellsHall - Another Way To Fetch Clean Syscalls

HellsHall is a combination of HellsGate and indirect syscalls.

How it works

First, HellsHall checks whether the syscall address is hooked and tries to retrieve the syscall number by checking the presence of the following bytes:

0x4C, 0x8B, 0xD1, 0xB8 which represent mov r10,rcx && mov eax,SSn. This is how every syscall should start.

At this point, HellsGate simply grabs the Syscall SSn (Syscall Number) and uses it directly resulting in a syscall being called from outside of the address space of ntdll.dll. This is an IoC in itself and can be used to detect such syscalls. Detection Examples:

• Detecting Manual Syscalls from User Mode

• Detecting Direct Syscalls with Frida

HellsHall however will search for a syscall instruction near the address of the syscall function and then save this syscall's instruction's address to a global variable which will be jumped to later on rather than executing this instruction directly from the asm file. This will cause the syscall function to be executed from inside of ntdll.dll address space with the only difference being that it's unhooked.

Enhancement

TartarusGate can be used to further enhance this technique.

HellsGate

HellsHall

Profit

Bypassing The Below EDR using This HellsHall Implementation That is Using NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx syscalls with an RWX section.

Code

The Github repo can be found here

Authors

• ORCA (@ORCx41)
• mr.d0x (@mrd0x)