{"id":17383497,"url":"https://github.com/kara-4search/hellgateloader_csharp","last_synced_at":"2025-04-15T09:53:06.198Z","repository":{"id":45627837,"uuid":"407120642","full_name":"Kara-4search/HellgateLoader_CSharp","owner":"Kara-4search","description":"Load shellcode via HELLGATE, Rewrite hellgate with .net framework for learning purpose.","archived":false,"fork":false,"pushed_at":"2022-01-21T09:53:28.000Z","size":180,"stargazers_count":16,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-28T19:07:27.098Z","etag":null,"topics":["bypass","bypass-antivirus","bypass-edr","bypass-linehook","csharp","hellgate","pentest","redteam","shellcode","shellcode-loader","syscalls"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kara-4search.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-09-16T10:28:00.000Z","updated_at":"2025-02-19T10:26:11.000Z","dependencies_parsed_at":"2022-09-11T23:41:48.196Z","dependency_job_id":null,"html_url":"https://github.com/Kara-4search/HellgateLoader_CSharp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHellgateLoader_CSharp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHellgateLoader_CSharp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHellgateLoader_CSharp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kara-4search%2FHell
gateLoader_CSharp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kara-4search","download_url":"https://codeload.github.com/Kara-4search/HellgateLoader_CSharp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249048713,"owners_count":21204306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","bypass-antivirus","bypass-edr","bypass-linehook","csharp","hellgate","pentest","redteam","shellcode","shellcode-loader","syscalls"],"created_at":"2024-10-16T07:42:57.930Z","updated_at":"2025-04-15T09:53:06.181Z","avatar_url":"https://github.com/Kara-4search.png","language":"C#","readme":"# HellgateLoader_CSharp\n\nBlog link: working on it\n- Rewrite hellgate with .net framework for learning purpose\n- Base on the original Hellgate project down below:\n\t1. https://github.com/am0nsec/SharpHellsGate\n\t2. https://github.com/am0nsec/HellsGate\n- And my other project down below:\n\t1. [SysCall_ShellcodeLoader](https://github.com/Kara-4search/SysCall_ShellcodeLoad_Csharp)\n\t2. [HookDetection](https://github.com/Kara-4search/HookDetection_CSharp)\n\t3. [DInvoke_ShellcodeLoader](https://github.com/Kara-4search/DInvoke_shellcodeload_CSharp)\n\t4. 
[NewNtdllBypassInlineHook](https://github.com/Kara-4search/NewNtdllBypassInlineHook_CSharp)\n\n- **I made this project for learning purposes; use it at your own risk.**\n- Only tested on Win10/x64, where it works fine.\n- For better understanding, you really need to read the PDF (https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf) from the original author.\n- Thanks to them, I learned a lot while coding this project.\n- Also, there is a small difference here: instead of reading the syscall ID from memory, I read 24 bytes as the syscall,\n\tso you don't need to concat them again. I think that would be more convenient for me.\n- (From the PDF) This general usage code base self-resolves syscalls without the need for static elements. Additionally, this general usage code base makes zero function invocations to aggregate the syscalls themselves.\n- About how it works:\n\t1. Read the ntdll.dll via IO.stream from disk as MemoryStream.\n\t2. Find the RVA of the function address.\n\t3. Convert the RVA to a file offset (RVA - IMAGE_SECTION_HEADER_instance.VirtualAddress + IMAGE_SECTION_HEADER_instance.PointerToRawData;).\n\t4. Use the offset to find the function offset in the MemoryStream.\n\t5. Read 24 bytes as syscall from MemoryStream with the right offset.\n\t6. Execute the syscall via delegate.\n- The picture below helps you understand the file offset.\n\t![avatar](https://github.com/Kara-4search/ProjectPics/blob/main/HellGateLoader_ConvertRVAtoFO.jpg)\n- The code from the original project is elegant as hell, guess that is why it is called HELLGATE :) :) ~\n- You could even modify the code to do injection or something else.\n\n## Usage\n1. Set the API names that you need in \"SyscallTable.cs\". In this case they are:\n* v1.Name = \"NtAllocateVirtualMemory\";\n* v2.Name = \"NtCreateThreadEx\";\n* v3.Name = \"NtWaitForSingleObject\";\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/HellGateLoader_APIs.png)\n\n2. 
Set the shellcode in Program.cs, the default shellcode is a Calc.\n\t![avatar](https://raw.githubusercontent.com/Kara-4search/ProjectPics/main/HellGateLoader_shellcode.png)\n\n\t\n## TO-DO list\n- Works on both x64/x86\n- Restructure the code\n\n## Update history\n- Fix bugs: cannot run normally after compiling as release - 20211204\n\t* JIT function address is different between DEBUG and RELEASE\n\t* For more details, check the code in https://github.com/Kara-4search/JIT_DEMO_Csharp\n- Fix bugs: pMethod's address printed with the wrong format - 20220121\n\t\n\n## Reference link:\n\t1. https://github.com/am0nsec/HellsGate\n\t2. https://github.com/am0nsec/SharpHellsGate\n\t3. https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf \n\t4. https://docs.microsoft.com/zh-cn/dotnet/api/system.reflection.bindingflags?view=net-5.0\n\t5. https://docs.microsoft.com/zh-cn/dotnet/api/system.runtime.compilerservices.runtimehelpers.preparemethod?view=net-5.0\n\t6. https://docs.microsoft.com/zh-cn/dotnet/api/system.runtime.compilerservices.runtimehelpers.preparemethod?redirectedfrom=MSDN\u0026view=net-5.0#System_Runtime_CompilerServices_RuntimeHelpers_PrepareMethod_System_RuntimeMethodHandle_System_RuntimeTypeHandle___\n\t7. https://docs.microsoft.com/zh-cn/dotnet/api/system.runtime.interopservices.marshal.allochglobal?view=net-5.0\n\t8. https://www.cnblogs.com/qintangtao/archive/2013/01/11/2857180.html\n\t9. https://blog.csdn.net/StriveScript/article/details/6279488\n\t10. https://www.cnblogs.com/wyping/p/3643243.html\n\t11. https://blog.csdn.net/e295166319/article/details/52702461\n\t12. https://blog.csdn.net/qiqi5045/article/details/7736576\n\t13. https://blog.csdn.net/tianxiayijia1998/article/details/50119435\n\t14. https://www.runoob.com/csharp/csharp-generic.html\n\t15. https://www.csharpcodi.com/csharp-examples/System.RuntimeMethodHandle.GetFunctionPointer()/\n\t16. https://cloud.tencent.com/developer/article/1015264\n\t17. 
https://a1ex.online/2020/07/26/PE-to-LoadLibrary-md/\n\t18. https://www.displayfusion.com/Discussions/View/converting-c-data-types-to-c/?ID=38db6001-45e5-41a3-ab39-8004450204b3","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fhellgateloader_csharp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkara-4search%2Fhellgateloader_csharp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkara-4search%2Fhellgateloader_csharp/lists"}