Skip to content

x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks

License

Notifications You must be signed in to change notification settings

boku7/AsmHalosGate

Repository files navigation

ASM HalosGate Direct System Caller

Assembly HalosGate implementation that directly calls Windows System Calls, evades EDR User Land hooks, and displays the PPID of the explorer.exe process.

  • In this screenshot the "NtQuerySystemInformation" & "NtAllocateVirtualMemory" NTDLL.DLL APIs systemcalls are discovered by using the HalosGate technique after failing to retrieve them via HellsGate technique due to EDR UserLand hooks.
  • After the systemcalls are resolved via the HellsGate and HalosGate method, they are are called directly. The code in NTDLL is never executed.

To Do List

  • Obfuscate the strings for that are used for resolving the addresses of the NTDLL symbols
    • Or use hashing
  • Need to fix some bugs when switching from debug to release mode in visual studio's (Fixed 05/08/21)
  • Need to figure out how to properly overload the call to HellDescent() (Fixed 05/08/21)
  • Clean up the assembly functions, they are messy and could be better (Some cleanup 05/08/21)
  • Do better checking for the process image name so it doesnt conflict with other processes named explorer (Fixed 05/08/21)
  • Better error handling (Some better handling 05/08/21)
  • Make this into a cobalt strike beacon object file ( Complete! 06/08/21)
  • Build on this project for process injection / syscall PS
  • Use halos gate to handle EDR hooks. (Implemented in this project on 05/08/21)

Credits / References

About

x64 Assembly HalosGate direct System Caller to evade EDR UserLand hooks

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published