HellsHall - Another Way To Fetch Clean Syscalls
HellsHall is a combination of HellsGate and indirect syscalls.
How it works
First, HellsHall checks whether the syscall address is hooked and tries to retrieve the syscall number by checking the presence of the following bytes:
0x4C, 0x8B, 0xD1, 0xB8
which represent mov r10,rcx && mov eax,SSn
. This is how every syscall should start.
At this point, HellsGate simply grabs the Syscall SSn (Syscall Number) and uses it directly resulting in a syscall being called from outside of the address space of ntdll.dll
. This is an IoC in itself and can be used to detect such syscalls. Detection Examples:
HellsHall however will search for a syscall
instruction near the address of the syscall function and then save this syscall's instruction's address to a global variable which will be jumped to later on rather than executing this instruction directly from the asm
file. This will cause the syscall function to be executed from inside of ntdll.dll
address space with the only difference being that it's unhooked.
Enhancement
TartarusGate can be used to further enhance this technique.
HellsGate
HellsHall
Profit
Bypassing The Below EDR using This HellsHall Implementation That is Using NtAllocateVirtualMemory
, NtProtectVirtualMemory
, and NtCreateThreadEx
syscalls with an RWX
section.
Code
The Github repo can be found here
Authors
- ORCA (@ORCx41)
- mr.d0x (@mrd0x)