{"id":13840854,"url":"https://github.com/daem0nc0re/AtomicSyscall","last_synced_at":"2025-07-11T09:33:43.110Z","repository":{"id":62361663,"uuid":"475511609","full_name":"daem0nc0re/AtomicSyscall","owner":"daem0nc0re","description":"Tools and PoCs for Windows syscall investigation.","archived":false,"fork":false,"pushed_at":"2024-04-25T08:41:12.000Z","size":1616,"stargazers_count":349,"open_issues_count":0,"forks_count":49,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-08-05T17:26:01.156Z","etag":null,"topics":["syscalls","windows","windows-kernel"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daem0nc0re.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-29T15:44:50.000Z","updated_at":"2024-06-30T19:30:44.000Z","dependencies_parsed_at":"2024-04-25T09:52:31.650Z","dependency_job_id":null,"html_url":"https://github.com/daem0nc0re/AtomicSyscall","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FAtomicSyscall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FAtomicSyscall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FAtomicSyscall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FAtomicSyscall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/daem0nc0r
e","download_url":"https://codeload.github.com/daem0nc0re/AtomicSyscall/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712779,"owners_count":17512484,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["syscalls","windows","windows-kernel"],"created_at":"2024-08-04T17:00:58.278Z","updated_at":"2024-11-21T10:30:52.509Z","avatar_url":"https://github.com/daem0nc0re.png","language":"C#","readme":"# AtomicSyscall\nTools and PoCs for Windows syscall investigation.\n\n\n## Table Of Contents\n\n- [AtomicSyscall](#atomicsyscall)\n  - [HeavensGate](#heavensgate)\n  - [SyscallDumper](#syscalldumper)\n  - [SyscallPoCs](#syscallpocs)\n  - [SyscallResolvers](#syscallresolvers)\n  - [Get-SyscallNumber.ps1](#get-syscallnumberps1)\n  - [Reference](#reference)\n  - [Acknowledgments](#acknowledgments)\n\n## HeavensGate\n\nThis directory is for Heaven's Gate technique.\nSee [README.md](./HeavensGate/README.md)\n\n\n## SyscallDumper\n\n[Back to Top](#atomicsyscall)\n\n[Project](./SyscallDumper)\n\nThis tool is to dump Windows syscall from `ntdll.dll` or `win32u.dll`:\n\n```\nC:\\Tools\u003eSyscallDumper.exe -h\n\nSyscallDumper - Tool to dump syscall.\n\nUsage: SyscallDumper.exe [Options] [INPUT_DLL_1] [INPUT_DLL_2]\n\n        -h, --help   : Displays this help message.\n        -d, --dump   : Flag to dump syscall from ntdll.dll or win32u.dll.\n        -D, --diff   : Flag to take diff between 2 dlls.\n        -f, --format : Specifies output format. 
\"c\" for C/C++, \"cs\" for CSharp, \"py\" for Python.\n        -n, --number : Specifies syscall number to lookup in decimal or hex format.\n        -o, --output : Specifies output file (e.g. \"-o result.txt\").\n        -s, --search : Specifies search filter (e.g. \"-s createfile\").\n        INPUT_DLL_1  : Specifies path of ntdll.dll or win32u.dll. Older one in diffing.\n        INPUT_DLL_2  : Specifies path of ntdll.dll or win32u.dll. Newer one in diffing.\n```\n\nTo dump syscall numbers from ntdll.dll or win32u.dll, use the `-d` (`--dump`) option.\nIf you don't specify a source DLL, this tool dumps syscall numbers from `C:\\Windows\\System32\\ntdll.dll` and `C:\\Windows\\System32\\win32u.dll`:\n\n```\nC:\\Tools\u003eSyscallDumper.exe -d\n\n[*] No target is specified.\n[\u003e] Dumping from system default ntdll.dll and win32u.dll.\n[\u003e] Loading C:\\Windows\\System32\\ntdll.dll.\n[+] C:\\Windows\\System32\\ntdll.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : ntdll.dll\n[+] Got 463 syscall(s).\n[\u003e] Loading C:\\Windows\\System32\\win32u.dll.\n[+] C:\\Windows\\System32\\win32u.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : win32u.dll\n[+] Got 1258 syscall(s).\n\n[Syscall Table from C:\\Windows\\System32\\ntdll.dll]\n\n---------------------------------------------------------------------------------\n| Syscall Name                                          | Number | Number (hex) |\n---------------------------------------------------------------------------------\n| NtAcceptConnectPort                                   | 2      | 0x0002       |\n| NtAccessCheck                                         | 0      | 0x0000       |\n\n--snip--\n\n| NtWriteVirtualMemory                                  | 58     | 0x003A       |\n| NtYieldExecution                                      | 70     | 0x0046       |\n---------------------------------------------------------------------------------\n\n[*] 
Found 463 syscall(s).\n\n\n[Syscall Table from C:\\Windows\\System32\\win32u.dll]\n\n-----------------------------------------------------------------------------------\n| Syscall Name                                            | Number | Number (hex) |\n-----------------------------------------------------------------------------------\n| NtBindCompositionSurface                                | 4373   | 0x1115       |\n| NtCloseCompositionInputSink                             | 4374   | 0x1116       |\n\n--snip--\n\n| NtValidateCompositionSurfaceHandle                      | 5350   | 0x14E6       |\n| NtVisualCaptureBits                                     | 5351   | 0x14E7       |\n-----------------------------------------------------------------------------------\n\n[*] Found 1258 syscall(s).\n```\n\nIf you want to filter syscall name from dump result, use `-s` (`--search`) option.\nAnd you can save result to a file with `-o` (`--output`) option as follows:\n\n```\nC:\\Tools\u003eSyscallDumper.exe -d C:\\SyscallSamples\\1809x64\\ntdll.dll -s token -o result.txt\n\n[\u003e] Loading C:\\SyscallSamples\\1809x64\\ntdll.dll.\n[+] C:\\SyscallSamples\\1809x64\\ntdll.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : ntdll.dll\n[+] Got 462 syscall(s).\n[\u003e] Trying to save results.\n    [*] Output File Path : c:\\Tools\\result.txt\n[+] Results are saved successfully.\n\nc:\\Tools\u003etype result.txt\n[Syscall Table from C:\\SyscallSamples\\1809x64\\ntdll.dll]\n\n--------------------------------------------------------------\n| Syscall Name                       | Number | Number (hex) |\n--------------------------------------------------------------\n| NtAdjustGroupsToken                | 107    | 0x006B       |\n| NtAdjustPrivilegesToken            | 65     | 0x0041       |\n| NtAdjustTokenClaimsAndDeviceGroups | 108    | 0x006C       |\n| NtCompareTokens                    | 155    | 0x009B       |\n| NtCreateLowBoxToken             
   | 172    | 0x00AC       |\n| NtCreateToken                      | 191    | 0x00BF       |\n| NtCreateTokenEx                    | 192    | 0x00C0       |\n| NtDuplicateToken                   | 66     | 0x0042       |\n| NtFilterToken                      | 222    | 0x00DE       |\n| NtFilterTokenEx                    | 223    | 0x00DF       |\n| NtImpersonateAnonymousToken        | 246    | 0x00F6       |\n| NtOpenProcessToken                 | 290    | 0x0122       |\n| NtOpenProcessTokenEx               | 48     | 0x0030       |\n| NtOpenThreadToken                  | 36     | 0x0024       |\n| NtOpenThreadTokenEx                | 47     | 0x002F       |\n| NtQueryInformationToken            | 33     | 0x0021       |\n| NtQuerySecurityAttributesToken     | 339    | 0x0153       |\n| NtSetInformationToken              | 404    | 0x0194       |\n--------------------------------------------------------------\n\n[*] Found 18 syscall(s).\n[*] Filter String : \"token\"\n```\n\nUsing the `-n` (`--number`) option, you can look up a syscall name by its syscall number as follows.\nIf you want to specify the syscall number in hex format, it should start with \"0x\".\n\n```\nC:\\Tools\u003eSyscallDumper.exe -d C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll -n 85\n\n[\u003e] Loading C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll.\n[+] C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : ntdll.dll\n[+] Got 470 syscall(s).\n\n[Syscall Table from C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll]\n\n----------------------------------------\n| Syscall Name | Number | Number (hex) |\n----------------------------------------\n| NtCreateFile | 85     | 0x0055       |\n----------------------------------------\n\n[*] Found 1 syscall(s).\n\n\nC:\\Tools\u003eSyscallDumper.exe -d C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll -n 0x55\n\n[\u003e] Loading C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll.\n[+] 
C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : ntdll.dll\n[+] Got 470 syscall(s).\n\n[Syscall Table from C:\\dev\\SyscallSamples\\21H1x64\\ntdll.dll]\n\n----------------------------------------\n| Syscall Name | Number | Number (hex) |\n----------------------------------------\n| NtCreateFile | 85     | 0x0055       |\n----------------------------------------\n\n[*] Found 1 syscall(s).\n```\n\nIf you want to change output format, use `-f` (`--format`) option.\nCurrently, C/C++ (`c`), CSharp (`cs`) and Python (`py`) are supported:\n\n```\nC:\\Tools\u003eSyscallDumper.exe -d C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll -f c\n\n[\u003e] Loading C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll.\n[+] C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll is loaded successfully.\n    [*] Architecture : ARM64\n    [*] Image Name   : ntdll.dll\n[+] Got 486 syscall(s).\n\n[Syscall Table from C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll]\n\nenum NT_SYSCALLS\n{\n    NtAcceptConnectPort = 2,\n    NtAccessCheck = 0,\n    NtAccessCheckAndAuditAlarm = 41,\n\n--snip--\n\n    NtWriteVirtualMemory = 58,\n    NtYieldExecution = 70\n}\n\n[*] Found 486 syscall(s).\n\n\n\nC:\\Tools\u003eSyscallDumper.exe -d C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll -f cs\n\n[\u003e] Loading C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll.\n[+] C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll is loaded successfully.\n    [*] Architecture : ARM64\n    [*] Image Name   : ntdll.dll\n[+] Got 486 syscall(s).\n\n[Syscall Table from C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll]\n\npublic enum NT_SYSCALLS\n{\n    NtAcceptConnectPort = 2,\n    NtAccessCheck = 0,\n    NtAccessCheckAndAuditAlarm = 41,\n\n\n--snip--\n\n    NtWriteVirtualMemory = 58,\n    NtYieldExecution = 70\n}\n\n[*] Found 486 syscall(s).\n\n\n\nC:\\Tools\u003eSyscallDumper.exe -d 
C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll -f py\n\n[\u003e] Loading C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll.\n[+] C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll is loaded successfully.\n    [*] Architecture : ARM64\n    [*] Image Name   : ntdll.dll\n[+] Got 486 syscall(s).\n\n[Syscall Table from C:\\dev\\SyscallSamples\\Win11Arm64\\ntdll-arm64.dll]\n\ng_NtSyscalls = {\n    \"NtAcceptConnectPort\": 2,\n    \"NtAccessCheck\": 0,\n    \"NtAccessCheckAndAuditAlarm\": 41,\n    \"NtAccessCheckByType\": 99,\n    \"NtAccessCheckByTypeAndAuditAlarm\": 89,\n\n--snip--\n```\n\nTo take the difference between two DLLs' syscall tables, use the `-D` (`--diff`) option as follows:\n\n```\nC:\\Tools\u003eSyscallDumper.exe -D C:\\dev\\SyscallSamples\\1809x64\\win32u.dll C:\\dev\\SyscallSamples\\1903x64\\win32u.dll\n\n[\u003e] Trying to take diff.\n    [*] Old File : C:\\dev\\SyscallSamples\\1809x64\\win32u.dll\n    [*] New File : C:\\dev\\SyscallSamples\\1903x64\\win32u.dll\n[\u003e] Loading C:\\dev\\SyscallSamples\\1809x64\\win32u.dll.\n[+] C:\\dev\\SyscallSamples\\1809x64\\win32u.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : win32u.dll\n[+] Got 1242 syscall(s).\n[\u003e] Loading C:\\dev\\SyscallSamples\\1903x64\\win32u.dll.\n[+] C:\\dev\\SyscallSamples\\1903x64\\win32u.dll is loaded successfully.\n    [*] Architecture : AMD64\n    [*] Image Name   : win32u.dll\n[+] Got 1258 syscall(s).\n\n################################################\n#               DELETED SYSCALLS               #\n################################################\n\n-------------------------------------------------------------------\n| Syscall Name                            | Number | Number (hex) |\n-------------------------------------------------------------------\n| NtDCompositionCreateSharedVisualHandle  | 4391   | 0x1127       |\n| NtGdiDdDDINetDispStopSessions           | 4608   | 0x1200       |\n| NtGdiDdDDISetDisplayPrivateDriverFormat | 4664   
| 0x1238       |\n| NtMITCoreMsgKGetConnectionHandle        | 4907   | 0x132B       |\n| NtMITCoreMsgKSend                       | 4909   | 0x132D       |\n| NtMITSynthesizeMouseWheel               | 4919   | 0x1337       |\n| NtMITWaitForMultipleObjectsEx           | 4922   | 0x133A       |\n| NtUserGetPointerFrameArrivalTimes       | 5105   | 0x13F1       |\n-------------------------------------------------------------------\n\n[*] Deleted 8 syscall(s).\n\n\n################################################\n#               MODIFIED SYSCALLS              #\n################################################\n\n----------------------------------------------------------------------------------------\n| Syscall Name                                       | Number       | Number (hex)     |\n----------------------------------------------------------------------------------------\n| NtDxgkEndTrackedWorkload                           | 4435 -\u003e 4436 | 0x1153 -\u003e 0x1154 |\n| NtDxgkGetAvailableTrackedWorkloadIndex             | 4436 -\u003e 4437 | 0x1154 -\u003e 0x1155 |\n\n--snip--\n\n| NtValidateCompositionSurfaceHandle                 | 5334 -\u003e 5350 | 0x14D6 -\u003e 0x14E6 |\n| NtVisualCaptureBits                                | 5335 -\u003e 5351 | 0x14D7 -\u003e 0x14E7 |\n----------------------------------------------------------------------------------------\n\n[*] Modified 623 syscall(s).\n\n\n################################################\n#                 NEW SYSCALLS                 #\n################################################\n\n-----------------------------------------------------------------------------------\n| Syscall Name                                            | Number | Number (hex) |\n-----------------------------------------------------------------------------------\n| NtDCompositionCreateSharedResourceHandle                | 4391   | 0x1127       |\n| NtDxgkDispMgrOperation                                  | 4435   | 0x1153      
 |\n\n--snip--\n\n| NtUserSetMagnificationDesktopMagnifierOffsetsDWMUpdated | 5283   | 0x14A3       |\n| NtUserSetProcessMousewheelRoutingMode                   | 5293   | 0x14AD       |\n-----------------------------------------------------------------------------------\n\n[*] Added 24 syscall(s).\n```\n\n\n## SyscallPoCs\n\n[Back to Top](#atomicsyscall)\n\n[Project](./SyscallPoCs)\n\nThe purpose of this project is to investigate how attackers resolve and execute Windows syscalls.\nAll PoCs try to list kernel modules with the `NtQuerySystemInformation` syscall.\n\n| PoC Name | Description |\n| :--- | :--- |\n| [PhysicalResolvePoC](./SyscallPoCs/PhysicalResolvePoC) | This PoC simply resolves the syscall numbers of `NtQuerySystemInformation` from `C:\\Windows\\System32\\ntdll.dll`. |\n| [HellsGatePoC](./SyscallPoCs/HellsGatePoC) | This PoC resolves the syscall numbers of `NtQuerySystemInformation` by the Hell's Gate technique. |\n| [HalosGatePoC](./SyscallPoCs/HalosGatePoC) | This PoC resolves the syscall numbers of `NtQuerySystemInformation` by the Halo's Gate technique. |\n\n\n## SyscallResolvers\n\n[Back to Top](#atomicsyscall)\n\n[Project](./SyscallResolvers)\n\nThe purpose of this project is to help learn how in-memory syscall number resolution techniques work:\n\n| PoC Name | Description |\n| :--- | :--- |\n| [HellsGateResolver](./SyscallResolvers/HellsGateResolver) | This PoC resolves the syscall numbers in ntdll.dll by the Hell's Gate technique. It does not work for functions patched by anti-virus products. |\n| [HalosGateResolver](./SyscallResolvers/HalosGateResolver) | This PoC resolves the syscall numbers in ntdll.dll by the Halo's Gate technique. |\n| [InitialProcessResolver](./SyscallResolvers/InitialProcessResolver) | This PoC resolves syscall numbers in ntdll.dll from an initial process created by `NtCreateUserProcess`. |\n| [KnownDllsResolver](./SyscallResolvers/KnownDllsResolver) | This PoC resolves syscall numbers in ntdll.dll with `\\KnownDlls\\ntdll.dll`. 
|\n\nThe following figure shows the difference between Hell's Gate and Halo's Gate in an environment with anti-virus software installed.\nThe Hell's Gate technique does not work for the patched `NtCreateProcessEx` function.\nOn the other hand, the Halo's Gate technique works for the patched `NtCreateProcessEx` function:\n\n![syscallresolvers.png](./figures/syscallresolvers.png)\n\nOn some machines with anti-virus software installed, part of the ntdll.dll code is hooked, as in the following debugger output:\n\n```\n0:001\u003e u ntdll!ntcreateprocessex\nntdll!NtCreateProcessEx:\n00007fff`b33ef700 e9930a1800      jmp     00007fff`b3570198\n00007fff`b33ef705 cc              int     3\n00007fff`b33ef706 cc              int     3\n00007fff`b33ef707 cc              int     3\n00007fff`b33ef708 f604250803fe7f01 test    byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1\n00007fff`b33ef710 7503            jne     ntdll!NtCreateProcessEx+0x15 (00007fff`b33ef715)\n00007fff`b33ef712 0f05            syscall\n00007fff`b33ef714 c3              ret\n```\n\nBut a process created by `NtCreateUserProcess` or `NtCreateProcessEx` has only the non-hooked ntdll.dll loaded in its initial state.\nWe can confirm it by scanning the memory of the suspended initial process.\nA suspended process cannot be attached with a debugger, so I wrote a small tool [ProcMemScan](https://github.com/daem0nc0re/TangledWinExec/tree/main/ProcMemScan).\nTo test it, I implemented a `-d` flag in InitialProcessResolver which pauses the initial process after syscall number detection:\n\n```\nPS C:\\Dev\u003e .\\InitialProcessResolver.exe -n ntcreateprocessex -d\n\n[\u003e] Trying to create initial process.\n[+] Initial process is created successfully.\n    [*] Process Name : svchost\n    [*] Process ID   : 1336\n[\u003e] Trying to dump Nt API address.\n[*] ntdll.dll @ 0x00007FFFB3350000\n[+] Got 491 entries (Architecure: AMD64).\n[+] NtCreateProcessEx @ 0x00007FFFB33EF700\n[+] Syscall number for NtCreateProcessEx is 77 (0x4D).\n[*] Debug break. 
To exit this program, hit [ENTER] key.\n```\n\nFrom the output, we can confirm that the syscall number for `NtCreateProcessEx` is 77, and that the PID of the `svchost` process created by InitialProcessResolver is 1336.\nBy scanning this `svchost` process with ProcMemScan, we can see that it loads only ntdll.dll as follows:\n\n```\nPS C:\\Dev\u003e .\\ProcMemScan.exe -p 1336 -l\n\n[\u003e] Trying to get target process memory information.\n[*] Target process is 'svchost' (PID : 1336).\n[+] Got target process memory information.\n\n              Base           Size State       Protect                    Type        Mapped\n0x0000000000000000     0x7FFE0000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x000000007FFE0000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_PRIVATE N/A\n0x000000007FFE1000         0xC000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x000000007FFED000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_PRIVATE N/A\n0x000000007FFEE000   0xBCE9C12000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x000000BD69C00000        0x28000 MEM_RESERVE NONE                       MEM_PRIVATE N/A\n0x000000BD69C28000         0x3000 MEM_COMMIT  PAGE_READWRITE             MEM_PRIVATE N/A\n0x000000BD69C2B000       0x1D5000 MEM_RESERVE NONE                       MEM_PRIVATE N/A\n0x000000BD69E00000        0x79000 MEM_RESERVE NONE                       MEM_PRIVATE N/A\n0x000000BD69E79000         0x3000 MEM_COMMIT  PAGE_READWRITE, PAGE_GUARD MEM_PRIVATE N/A\n0x000000BD69E7C000         0x4000 MEM_COMMIT  PAGE_READWRITE             MEM_PRIVATE N/A\n0x000000BD69E80000  0x145FCB70000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x00000203669F0000        0x20000 MEM_COMMIT  PAGE_READWRITE             MEM_PRIVATE N/A\n0x0000020366A10000        0x1F000 MEM_COMMIT  PAGE_READONLY              MEM_MAPPED  N/A\n0x0000020366A2F000 0x7BF1C9D61000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x00007DF530790000         
0x1000 MEM_COMMIT  PAGE_EXECUTE_READ          MEM_PRIVATE N/A\n0x00007DF530791000         0xF000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x00007DF5307A0000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_MAPPED  N/A\n0x00007DF5307A1000         0xF000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x00007DF5307B0000      0x1C67000 MEM_RESERVE NONE                       MEM_MAPPED  N/A\n0x00007DF532417000         0x2000 MEM_COMMIT  PAGE_NOACCESS              MEM_MAPPED  N/A\n0x00007DF532419000       0x165000 MEM_RESERVE NONE                       MEM_MAPPED  N/A\n0x00007DF53257E000         0x1000 MEM_COMMIT  PAGE_NOACCESS              MEM_MAPPED  N/A\n0x00007DF53257F000  0x1F7D2E4F000 MEM_RESERVE NONE                       MEM_MAPPED  N/A\n0x00007FED053CE000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_MAPPED  N/A\n0x00007FED053CF000    0x809C3D000 MEM_RESERVE NONE                       MEM_MAPPED  N/A\n0x00007FF50F00C000         0x2000 MEM_COMMIT  PAGE_READONLY              MEM_MAPPED  N/A\n0x00007FF50F00E000     0x1F049000 MEM_RESERVE NONE                       MEM_MAPPED  N/A\n0x00007FF52E057000      0x1426000 MEM_COMMIT  PAGE_NOACCESS              MEM_MAPPED  N/A\n0x00007FF52F47D000         0x9000 MEM_COMMIT  PAGE_READONLY              MEM_MAPPED  N/A\n0x00007FF52F486000      0x132A000 MEM_RESERVE NONE                       MEM_MAPPED  N/A\n0x00007FF5307B0000    0x270F80000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x00007FF7A1730000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\svchost.exe\n0x00007FF7A1731000         0x7000 MEM_COMMIT  PAGE_EXECUTE_READ          MEM_IMAGE   C:\\Windows\\System32\\svchost.exe\n0x00007FF7A1738000         0x4000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\svchost.exe\n0x00007FF7A173C000         0x1000 MEM_COMMIT  PAGE_WRITECOPY             MEM_IMAGE   
C:\\Windows\\System32\\svchost.exe\n0x00007FF7A173D000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\svchost.exe\n0x00007FF7A173E000         0x1000 MEM_COMMIT  PAGE_WRITECOPY             MEM_IMAGE   C:\\Windows\\System32\\svchost.exe\n0x00007FF7A173F000         0x2000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\svchost.exe\n0x00007FF7A1741000    0x811C0F000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n0x00007FFFB3350000         0x1000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB3351000       0x130000 MEM_COMMIT  PAGE_EXECUTE_READ          MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB3481000        0x4D000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB34CE000         0xC000 MEM_COMMIT  PAGE_WRITECOPY             MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB34DA000         0xF000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB34E9000         0x1000 MEM_COMMIT  PAGE_READWRITE             MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB34EA000         0x3000 MEM_COMMIT  PAGE_WRITECOPY             MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB34ED000        0x77000 MEM_COMMIT  PAGE_READONLY              MEM_IMAGE   C:\\Windows\\System32\\ntdll.dll\n0x00007FFFB3564000     0x4CA8C000 MEM_FREE    PAGE_NOACCESS              NONE        N/A\n\n[*] Completed.\n\nPS C:\\Dev\u003e\n```\n\nAnd `NtCreateProcessEx` code is not hooked:\n\n```\nPS C:\\Dev\u003e .\\ProcMemScan.exe -p 1336 -d -b 0x00007FFFB33EF700 -r 20\n\n[\u003e] Trying to dump target process memory.\n[*] Target process is 'svchost' (PID : 1336).\n[+] Got target process memory.\n    [*] BaseAddress       : 0x00007FFFB33EF000\n    [*] AllocationBase    : 0x00007FFFB3350000\n    [*] RegionSize        : 0x92000\n    [*] AllocationProtect : 
PAGE_EXECUTE_WRITECOPY\n    [*] State             : MEM_COMMIT\n    [*] Protect           : PAGE_EXECUTE_READ\n    [*] Type              : MEM_IMAGE\n    [*] Mapped File Path  : C:\\Windows\\System32\\ntdll.dll\n    [*] Hexdump (0x20 Bytes):\n\n                           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n\n        00007FFFB33EF700 | 4C 8B D1 B8 4D 00 00 00-F6 04 25 08 03 FE 7F 01 | L.Ñ,M... ö.%.._..\n        00007FFFB33EF710 | 75 03 0F 05 C3 CD 2E C3-0F 1F 84 00 00 00 00 00 | u...AI.A ........\n\n\n[*] Completed.\n\nPS C:\\Dev\u003e\n```\n\n![initialprocessresolver.png](./figures/initialprocessresolver.png)\n\n\n## Get-SyscallNumber.ps1\n\n[Back to Top](#atomicsyscall)\n\n[Script](./Get-SyscallNumber.ps1)\n\nIn this script, the following 3 functions are implemented:\n\n* __`Get-ModuleHandle`__ : As the name implies, this function resolves a loaded module's base address, like the `GetModuleHandle` API.\n\n* __`Get-ProcAddress`__ : As the name implies, this function resolves an export function's address, like the `GetProcAddress` API.\n\n* __`Get-SyscallNumber`__ : This function resolves a syscall number with the Hell's Gate or Halo's Gate technique.\n\nTo resolve the base address of a module such as `ntdll.dll`, pass the module name as the 1st argument or with the `-ModuleName` option:\n\n```\nPS C:\\\u003e Import-Module C:\\dev\\Get-SyscallNumber.ps1\nPS C:\\\u003e Get-ModuleHandle ntdll.dll\n140720055189504\nPS C:\\\u003e (140720055189504).ToString(\"X16\")\n00007FFBF0E70000\nPS C:\\\u003e Get-ModuleHandle -ModuleName kernel32.dll\n140720022028288\nPS C:\\\u003e (140720022028288).ToString(\"X16\")\n00007FFBEEED0000\nPS C:\\\u003e\n```\n\nTo resolve an export function's address in a module, pass the module's base address and the export function name to the `Get-ProcAddress` function.\nThe base address of the module should be specified as the 1st argument or with the `-Module` option.\nThe export function name should be specified as the 2nd argument or with the `-ProcName` option as follows:\n\n```\nPS C:\\\u003e $ntdll = 
Get-ModuleHandle -ModuleName ntdll.dll\nPS C:\\\u003e Get-ProcAddress $ntdll NtCreateToken\n140720055839008\nPS C:\\\u003e (140720055839008).ToString(\"X16\")\n00007FFBF0F0E920\nPS C:\\\u003e Get-ProcAddress -ProcName ntcreatetoken -Module $ntdll\n140720055839008\nPS C:\\\u003e\n```\n\nIf you want to know syscall number, set the syscall name to 1st argument or `-SyscallName` option for `Get-SyscallNumber` function:\n\n```\nPS C:\\\u003e Get-SyscallNumber ntcreateuserprocess\nSyscall Number : 0xC8\n200\nPS C:\\\u003e Get-SyscallNumber -SyscallName ntcreateprocessex\nSyscall Number : 0x4D\n77\nPS C:\\\u003e\n```\n\n![getsyscallnumber.png](./figures/getsyscallnumber.png)\n\n\n## Reference\n\n[Back to Top](#atomicsyscall)\n\n### Fundamentals\n\n* [https://jhalon.github.io/utilizing-syscalls-in-csharp-1/](https://jhalon.github.io/utilizing-syscalls-in-csharp-1/)\n\n* [https://jhalon.github.io/utilizing-syscalls-in-csharp-2/](https://jhalon.github.io/utilizing-syscalls-in-csharp-2/)\n\n* [https://github.com/jhalon/SharpCall](https://github.com/jhalon/SharpCall)\n\n### Heaven's Gate\n* [https://wbenny.github.io/2018/11/04/wow64-internals.html](https://wbenny.github.io/2018/11/04/wow64-internals.html)\n\n* [https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73](https://medium.com/@fsx30/hooking-heavens-gate-a-wow64-hooking-technique-5235e1aeed73)\n\n* [https://mark.rxmsolutions.com/through-the-heavens-gate/](https://mark.rxmsolutions.com/through-the-heavens-gate/)\n\n* [https://speakerdeck.com/aaaddress1/rebuild-the-heavens-gate-from-32-bit-hell-back-to-heaven-wonderland](https://speakerdeck.com/aaaddress1/rebuild-the-heavens-gate-from-32-bit-hell-back-to-heaven-wonderland)\n\n* [http://blog.rewolf.pl/blog/?p=102](http://blog.rewolf.pl/blog/?p=102)\n\n* [https://www.mandiant.com/resources/blog/wow64-subsystem-internals-and-hooking-techniques](https://www.mandiant.com/resources/blog/wow64-subsystem-internals-and-hooking-techniques)\n\n* 
[https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html](https://www.malwaretech.com/2014/02/the-0x33-segment-selector-heavens-gate.html)\n\n* [https://int0h.wordpress.com/2009/12/24/the-power-of-wow64/](https://int0h.wordpress.com/2009/12/24/the-power-of-wow64/)\n\n* [https://modexp.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-process/](https://modexp.wordpress.com/2015/11/19/dllpic-injection-on-windows-from-wow64-process/)\n\n### Hell's Gate\n\n* [https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf](https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf)\n\n* [https://github.com/am0nsec/HellsGate](https://github.com/am0nsec/HellsGate)\n\n\n### Halo's Gate\n\n* [https://blog.sektor7.net/#!res/2021/halosgate.md](https://blog.sektor7.net/#!res/2021/halosgate.md)\n\n\n### Acknowledgments\n\n[Back to Top](#atomicsyscall)\n\nThanks for your research and blog posts:\n\n* Paul Laîné ([@am0nsec](https://twitter.com/am0nsec))\n\n* smelly__vx ([@smelly__vx](https://twitter.com/smelly__vx))\n\n* reenz0h ([@sektor7net](https://twitter.com/sektor7net))\n\n* Jack Halon ([@jack_halon](https://twitter.com/jack_halon))\n","funding_links":[],"categories":["C# #"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaem0nc0re%2FAtomicSyscall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaem0nc0re%2FAtomicSyscall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaem0nc0re%2FAtomicSyscall/lists"}