{"id":21222792,"url":"https://github.com/0xflux/rust-hells-gate","last_synced_at":"2025-10-07T11:08:24.482Z","repository":{"id":240439696,"uuid":"802637436","full_name":"0xflux/Rust-Hells-Gate","owner":"0xflux","description":"Rust malware EDR evasion via direct syscalls, fully implemented as an example in Rust","archived":false,"fork":false,"pushed_at":"2024-06-04T18:02:27.000Z","size":72,"stargazers_count":60,"open_issues_count":0,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-07-10T19:26:41.856Z","etag":null,"topics":["antivirus-bypass","antivirus-evasion","bypass-antivirus","bypass-edr","edr-bypass","edr-evasion","hells-gate","hellsgate","malware","malware-research","offensive-security","pentest","pentest-tool","pentesting","redteam","redteam-tools","redteaming","rust","rust-lang"],"latest_commit_sha":null,"homepage":"https://fluxsec.red/rust-edr-evasion-hells-gate","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xflux.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-05-18T21:02:31.000Z","updated_at":"2025-06-30T14:08:03.000Z","dependencies_parsed_at":"2024-11-20T22:52:14.548Z","dependency_job_id":"8439cb8b-fc12-4ab0-85e5-3dfb658d4fd5","html_url":"https://github.com/0xflux/Rust-Hells-Gate","commit_stats":null,"previous_names":["0xflux/rust-syscall-edr-evasion"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0xflux/Rust-Hells-Gate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FRust-Hells-Gat
e","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FRust-Hells-Gate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FRust-Hells-Gate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FRust-Hells-Gate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xflux","download_url":"https://codeload.github.com/0xflux/Rust-Hells-Gate/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xflux%2FRust-Hells-Gate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278762930,"owners_count":26041447,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus-bypass","antivirus-evasion","bypass-antivirus","bypass-edr","edr-bypass","edr-evasion","hells-gate","hellsgate","malware","malware-research","offensive-security","pentest","pentest-tool","pentesting","redteam","redteam-tools","redteaming","rust","rust-lang"],"created_at":"2024-11-20T22:47:16.241Z","updated_at":"2025-10-07T11:08:24.450Z","avatar_url":"https://github.com/0xflux.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hells Gate EDR evasion in Rust with Direct Syscalls\n\n\u003cimg 
width=\"1222\" alt=\"image\" src=\"https://github.com/0xflux/Rust-syscall-EDR-evasion/assets/49762827/b8a788fe-aeec-46b2-bce3-c12d98a2a01a\"\u003e\n\n# About\n\nThis POC demonstrates a call down into NtOpenProcess via Hell's Gate (EDR Evasion, implemented in Rust); for this to be a fully functional malware loader there are\na few other API calls that you must rebuild as syscalls, so this just demonstrates the technique as a POC.\n\nCheck my [blog post at fluxsec.red](https://fluxsec.red/rust-edr-evasion-hells-gate) for this technique! Also I have published\na YouTube video on this where we dive deep into the topic \n[https://www.youtube.com/watch?v=aw6QO4ZDg_U](https://www.youtube.com/watch?v=aw6QO4ZDg_U)\n\nIf you like this, \nplease subscribe to my [Twitter](https://twitter.com/0xfluxsec) and [YouTube](https://www.youtube.com/@FluxSec) \nit would really help me! Feel free to reach out to me on Twitter also, would be great to connect!\n\n# Background\n\nHell’s Gate is a technique published by VX Underground devs. The original paper can be found here. Hell’s Gate is a technique that is now a good few years old, which was a solid attempt at EDR Evasion. Fast forward a few years to today, many EDRs will now combat this technique - nevertheless it is still great to learn from. I’m working on my own EDR Evasion technique called Lucifers Path, which in theory should work against current EDRs - but more on that in the future.\n\nWhilst Hell’s Gate may still work on some EDRs, it does work against antivirus such as Windows Defender, and another premium, paid-for AV I have tested this against.\n\nHell’s Gate works in two parts. The first, as stated above, I have covered in my blog post on direct syscalls in C. The second part of Hell’s Gate is where it differs from the technique used in that post. 
In that post we resolve function pointers to ntdll.dll functions by making use of the Windows APIs GetProcAddress and LoadLibraryA - both of which could flag a risk score with AntiVirus or EDR. Hell’s Gate instead resolves the function pointer to the ntdll.dll functions by accessing the PEB (Process Environment Block) in order to resolve the base address of the module we are interested in (in this case ntdll.dll), and then parsing this DLL for the Export Address Table and iterating through it looking for the function we wish to get the address of.\n\nThis technique tries to bypass EDR hooking, which is used to inspect what a piece of code is doing at runtime. For example, EDR or antivirus software may detect activities such as opening handles to other processes, injecting memory remotely, and adding shellcode. This sequence of events can be easily hooked and monitored via certain Windows DLL APIs. By using Hell’s Gate to avoid these hooks, we can prevent this behavior analysis from happening, thus evading detection by EDR solutions. Modern EDRs now account for this technique by hooking within NTDLL itself and overwriting the SSN, so we cannot read it.\n\nThe list below walks through the Hell's Gate process step by step; the diagram that follows it is hopefully a little easier to digest.\n\n1) First we get the address of the `PEB` (Process Environment Block)\n2) Within the `PEB` is a pointer to a `PEB_LDR_DATA` structure\n3) Within `PEB_LDR_DATA` is a pointer to `InMemoryOrderModuleList`\n4) `InMemoryOrderModuleList` points to a `LDR_DATA_TABLE_ENTRY`, but specifically points to a `LIST_ENTRY` structure within the `LDR_DATA_TABLE_ENTRY`. 
The `LDR_DATA_TABLE_ENTRY` structures are chained together as a doubly linked list.\n5) The `LIST_ENTRY` structure contains more pointers:\n   1) `Flink` points to the next `LIST_ENTRY` within a `LDR_DATA_TABLE_ENTRY`\n   2) `Blink` points to the previous `LIST_ENTRY` within a `LDR_DATA_TABLE_ENTRY`\n6) Within each `LDR_DATA_TABLE_ENTRY`, there is a pointer to the `DLLBase`, the base address (virtual address) of the module the `LDR_DATA_TABLE_ENTRY` relates to.\n7) We take that virtual address, where the DLL is mapped in memory, and parse the `PE` (Portable Executable) headers\n8) We search for the `DataDirectory` within the `OptionalHeader` of the `PE`\n9) Within the `DataDirectory`, at index 0, is the `RVA` (Relative Virtual Address) of the `Export Address Table` (relative to the `DLLBase`)\n10) The `Export Address Table` contains all of the functions the DLL exports; this is what we iterate through to find our function (such as `NtOpenProcess`)\n11) Finally, we can get the ordinal number, and use it to obtain a pointer to the address where that exported function resides.\n\n![hellsgate](https://github.com/0xflux/Rust-Hells-Gate/assets/49762827/c4a35cd5-24f6-4731-bff3-773bcd4a381d)\n\n## Usage\n\n```shell\n./demo.exe \u003cpid\u003e\n\n# or if running from source code:\ncargo run -- \u003cpid\u003e\n```\n\n![image](https://github.com/0xflux/Rust-Hells-Gate/assets/49762827/f92f0011-fd54-4596-a3b2-6c9857a650ca)\n\n### Proof:\n\nHere's a side-by-side comparison: on the left, a call to OpenProcess via the Windows API \n(normally commented out in the source code), and on the right, the binary dump when using the syscall technique.\nAs you can see, OpenProcess isn't listed!\n\n![image](https://github.com/0xflux/Rust-syscall-EDR-evasion/assets/49762827/65f66427-4b06-4070-8a35-782de96ce81b)\n\n# Legal disclaimer\n\nThis is simply a PROOF OF CONCEPT and is not enough for anybody to take away without a deep knowledge in this\nfield; it is script-kiddy proof. 
\n\nThis project, including all associated source code and documentation, is developed and shared solely for \neducational, research, and defensive purposes in the field of cybersecurity. It is intended to be used \nexclusively by cybersecurity professionals, researchers, and educators to enhance understanding, develop \ndefensive strategies, and improve security postures.\n\nUnder no circumstances shall this project be used for criminal, unethical, or any other unauthorized activities. \nThis is meant to serve as a resource for learning and should not be employed for offensive operations or actions \nthat infringe upon any individual's or organization's rights or privacy.\n\nThe author of this project disclaims any responsibility for misuse or illegal application of the material \nprovided herein. By accessing, studying, or using this project, you acknowledge and agree to use the information \ncontained within strictly for lawful purposes and in a manner that is consistent with ethical guidelines and \napplicable laws and regulations.\n\nUSE AT YOUR OWN RISK. If you decide to use this software CONDUCT A THOROUGH INDEPENDENT CODE REVIEW to ensure it \nmeets your standards. No unofficial third party dependencies are included to minimise attack surface of a supply \nchain risk. I cannot be held responsible for any problems that arise as a result of executing this, the burden \nis on the user of the software to validate its safety \u0026 integrity. All care has been taken to write safe code.\n\nIt is the user's responsibility to comply with all relevant local, state, national, and international laws and \nregulations related to cybersecurity and the use of such tools and information. If you are unsure about the \nlegal implications of using or studying the material provided in this project, please consult with a legal \nprofessional before proceeding. Remember, responsible and ethical behavior is paramount in cybersecurity research \nand practice. 
The knowledge and tools shared in this project are provided in good faith to contribute positively \nto the cybersecurity community, and I trust they will be used with the utmost integrity.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xflux%2Frust-hells-gate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xflux%2Frust-hells-gate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xflux%2Frust-hells-gate/lists"}