boku7 / HellsGatePPID

Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process


Custom HellsGate Implementation

Assembly HellGate implementation that directly calls Windows System Calls and displays the PPID of the explorer.exe process.

  • In this screenshot the "NtQuerySystemInformation" & "NtAllocateVirtualMemory" NTDLL.DLL APIs are called via direct Windows system calls.
  • The system call numbers are dynamically discovered at runtime using the HellsGate method.
  • Going to build on this and use a custom Halo's Gate method to handle/evade EDR userland hooks.

To Do List

  • Obfuscate the strings that are used for resolving the addresses of the NTDLL symbols
    • Or use hashing
  • Need to fix some bugs when switching from debug to release mode in Visual Studio (Fixed 05/08/21)
  • Need to figure out how to properly overload the call to HellDescent() (Fixed 05/08/21)
  • Clean up the assembly functions, they are messy and could be better (Some cleanup 05/08/21)
  • Do better checking of the process image name so it doesn't conflict with other processes named explorer (Fixed 05/08/21)
  • Better error handling (Some better handling 05/08/21)
  • Make this into a Cobalt Strike Beacon Object File (Complete! 06/08/21)
  • Build on this project for process injection / syscall PS
  • Use Halo's Gate to handle EDR hooks. (05/08/21)

Credits / References


License: MIT License


Languages

C 78.3%, Assembly 21.7%