HellsHall is a combination of HellsGate and indirect syscalls.
First, HellsHall checks whether the syscall address is hooked and tries to retrieve the syscall number by checking the presence of the following bytes:
0x4C, 0x8B, 0xD1, 0xB8 which represent mov r10,rcx && mov eax,SSn. This is how every syscall should start.
At this point, HellsGate simply grabs the Syscall SSn (Syscall Number) and uses it directly resulting in a syscall being called from outside of the address space of ntdll.dll. This is an IoC in itself and can be used to detect such syscalls. Detection Examples:
HellsHall however will search for a syscall instruction near the address of the syscall function and then save this syscall's instruction's address to a global variable which will be jumped to later on rather than executing this instruction directly from the asm file. This will cause the syscall function to be executed from inside of ntdll.dll address space with the only difference being that it's unhooked.
TartarusGate can be used to further enhance this technique.
Bypassing The Below EDR using This HellsHall Implementation That is Using NtAllocateVirtualMemory, NtProtectVirtualMemory, and NtCreateThreadEx syscalls with an RWX section.
The Github repo can be found here
- NULL (@NUL0x4C)
- mr.d0x (@mrd0x)