Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cybersecurityup/phantomsgate

PhantomsGate: Advanced Shellcode Injection Technique
https://github.com/cybersecurityup/phantomsgate

Last synced: about 1 month ago
JSON representation

PhantomsGate: Advanced Shellcode Injection Technique

Host: GitHub
URL: https://github.com/cybersecurityup/phantomsgate
Owner: CyberSecurityUP
Created: 2024-06-02T22:29:39.000Z (7 months ago)
Default Branch: main
Last Pushed: 2024-07-15T02:09:11.000Z (6 months ago)
Last Synced: 2024-07-15T03:23:35.752Z (6 months ago)
Language: C++
Homepage:
Size: 1.07 MB
Stars: 6
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # PhantomsGate: Advanced Shellcode Injection Technique

## Introduction

PhantomsGate is a sophisticated shellcode injection technique that leverages Hell's Gate to dynamically find syscall numbers, modifies system calls, and uses thread hijacking to inject and execute shellcode within a target process. This technique is designed to evade detection and bypass security mechanisms by dynamically resolving syscall numbers and executing shellcode in the context of existing threads.

## PhantomGate: Enhanced LiesGate Technique

PhantomGate is an improvement over LiesGate, adding the ability to dynamically modify functions to use different syscall numbers, set hardware breakpoints, and update registers. This enhanced method provides additional stealth and flexibility, making it even more effective in evading detection.

## Features

- **Dynamic Syscall Resolution (Hell's Gate)**: Finds syscall numbers dynamically by analyzing function bytes in `ntdll.dll`.

- **Function Modification**: Modifies functions to use different syscall numbers.

- **Thread Hijacking**: Suspends and resumes threads to execute shellcode.

- **Hardware Breakpoints**: Sets hardware breakpoints on functions for additional control.

- **Register Updates**: Updates registers and continues execution seamlessly.

## Requirements

- Windows OS

- Visual Studio or a compatible C++ compiler

- Administrative privileges for process and thread manipulation

## How It Works

1. **Dynamic Syscall Resolution**: The `FindSyscallNumber` function parses the bytes of a function in `ntdll.dll` to find the syscall number.

2. **Function Modification**: The `ModifyFunctionToSyscall` function modifies the first few bytes of a function to directly invoke a syscall with a specified syscall number.

3. **Loading Shellcode**: Shellcode is read from a binary file and written into the target process's memory.

4. **Memory Protection**: Changes the memory protection of the allocated shellcode region to `PAGE_EXECUTE_READ`.

5. **Thread Hijacking**: Takes a snapshot of the target process's threads, finds a thread, suspends it, modifies its context to point to the shellcode, and resumes it.

6. **Hardware Breakpoints**: Sets a hardware breakpoint on the modified function for additional control.

## Usage

1. **Compile the Code**: Use Visual Studio or a compatible C++ compiler to compile the code.

2. **Run the Program**: Execute the compiled binary with administrative privileges, specifying the target process ID and the shellcode file.

## License

This project is licensed under the MIT License.

### Based Techniques On

1. LiesGate Implementation [https://github.com/CyberSecurityUP/LiesGate]

2. MutationsGate Implementation [https://github.com/senzee1984/MutationGate]

3. HellsGate [https://github.com/am0nsec/HellsGate]