{"id":29886788,"url":"https://github.com/0xflux/hells-hollow","last_synced_at":"2025-10-16T12:06:30.881Z","repository":{"id":307333907,"uuid":"1028653932","full_name":"0xflux/Hells-Hollow","owner":"0xflux","description":"Hells Hollow Windows 11 Rootkit technique to Hook the SSDT via Alt Syscalls","archived":false,"fork":false,"pushed_at":"2025-07-30T16:55:51.000Z","size":102,"stargazers_count":62,"open_issues_count":0,"forks_count":8,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-07-30T19:01:31.383Z","etag":null,"topics":["alt-syscalls","alternative-syscalls","exploit","kernel","kernel-exploit","malware","rootkit","ssdt","ssdt-hook","ssdt-hooking","ssdt-plug","syscalls","windows-11","windows11"],"latest_commit_sha":null,"homepage":"https://fluxsec.red/hells-hollow-a-new-SSDT-hooking-technique-with-alt-syscalls-rootkit","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xflux.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-29T21:23:29.000Z","updated_at":"2025-07-30T18:29:02.000Z","dependencies_parsed_at":"2025-07-30T19:01:35.993Z","dependency_job_id":"384faa3d-98ea-4a85-8566-2892e54af83d","html_url":"https://github.com/0xflux/Hells-Hollow","commit_stats":null,"previous_names":["0xflux/hells-hollow"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/0xflux/Hells-Hollow","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FHells-Hollow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FHells-Hollow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FHells-Hollow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FHells-Hollow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xflux","download_url":"https://codeload.github.com/0xflux/Hells-Hollow/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FHells-Hollow/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279188655,"owners_count":26122554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-16T02:00:06.019Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["alt-syscalls","alternative-syscalls","exploit","kernel","kernel-exploit","malware","rootkit","ssdt","ssdt-hook","ssdt-hooking","ssdt-plug","syscalls","windows-11","windows11"],"created_at":"2025-07-31T17:11:46.435Z","updated_at":"2025-10-16T12:06:30.875Z","avatar_url":"https://github.com/0xflux.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hells Hollow\n\nHell's Hollow is a Windows 11 compatible rootkit technique, resistant to modern protections (PatchGuard and HyperGuard), that effectively\nperforms SSDT (System Service Dispatch Table) hooking - bypassing all previous defence mechanisms put in the kernel.\n\nThis technique works by abusing an undocumented Alternate Syscall handler mechanism in the kernel, within which we are able to directly\nalter the KTRAP_FRAME, allowing us to effectively hook the SSDT in Windows 11. We can decide either to let the OS continue to dispatch the\nsystem call (giving us the ability to alter the arguments passed to it), or to alter it on behalf of the dispatcher and return straight back to\nuserland - so the calling application thinks the system call was dispatched normally.\n\n- [Blog post on Hells Hollow](https://fluxsec.red/hells-hollow-a-new-SSDT-hooking-technique-with-alt-syscalls-rootkit)\n- [Blog post on Alt Syscalls internals](https://fluxsec.red/alt-syscalls-for-windows-11)\n\nShoutout to [@sixtyvividtails](https://x.com/sixtyvividtails) who made a key [observation](https://x.com/sixtyvividtails/status/1950581722070069404) on my first implementation of this, that the KTRAP discovery can be simplified\nby reading directly from the KTHREAD. The repo is now updated to reflect this, and it now works even better with no stack modification required!\n\nAltering the return value from a syscall via the hook:\n\n![Hells Hollow SSDT hooking Windows 11 Rust](img/poc.png)\n\n### Limitations\n\nThanks to some testing by [Xacone](https://github.com/Xacone), we now know that **HVCI** prevents writing to the `PspServiceDescriptorGroupTable` structure, so this technique is blocked by HVCI. From my own\ntesting, it appears that this is still resistant to both PatchGuard and HyperGuard under VBS. I used [ssde](https://github.com/valinet/ssde/) to load my driver whilst Secure Boot and VBS were enabled, which, to\nmy understanding, should be enough to test it against HyperGuard. This was done with debug mode off, which should also allow PatchGuard full authority to detect and block (BugCheck) the technique.\n\n## Setup\n\nI have uploaded this repo as an MVP for producing the technique (in Rust). If you are new to Rust, and simply want to get it up\nand running, follow the environment config steps of the [Windows Rust Drivers](https://github.com/microsoft/windows-drivers-rs) project and run `cargo make`.\n\nIt will spit out a driver that you can simply load with OSR or whatever tool you want. This POC is designed to hook `NtTraceEvent` in the kernel (via Alt Syscalls);\nit modifies the return value passed back to usermode in `rax` to 0xff.\n\nIf you want to test this out on an SSN of your choice that isn't `NtTraceEvent`, then make a program called `hello_world.exe` (this rootkit currently filters on that)\nand in [alt_syscalls.rs](https://github.com/0xflux/Hells-Hollow/blob/master/src/alt_syscalls.rs) change which SSN you want to hook, which is currently defined as:\n\n```rust\nconst NT_TRACE_EVENT_SSN: u32 = 0x005e;\n```\n\nThen, via either a kernel debugger for the Alt Syscall callback / trap, or a usermode debugger on the syscall itself, you'll see what's going on under the hood.\n\nVideo POC coming soon with a bit more of an explanation on what is going on; until then, read my blog :).\n\n### References\n\n- [Alt Syscalls for Windows 11 - 0xflux](https://fluxsec.red/alt-syscalls-for-windows-11)\n- [System Calls Tracing \u0026 Monitoring via Alternative Handlers - Xacone](https://xacone.github.io/BestEdrOfTheMarketV3.html#4)\n- [WinAltSyscallHandler - 0xcpu](https://github.com/0xcpu/WinAltSyscallHandler/tree/master)\n- [Symbols](https://www.vergiliusproject.com/kernels/x64/windows-11/24h2)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xflux%2Fhells-hollow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xflux%2Fhells-hollow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xflux%2Fhells-hollow/lists"}