Secondary Categories: 02-Malware
Description:
Using a debugger we can see that the following NTQueueApcThread is hooked by an EDR or AV product since there is a jump instruction
An original syscall in the software would look something like the following
Bypass
This can easily be bypassed using API UnHooking by instead generating our own syscalls using assembly. A good tool that does this is Syswhispers2 for C++ project, but you can also use D/Invoke for C# projects, and NimlineWhispers is great fro Nim projects
Some other methods that can be used to to bypass API hooking is
- taking a copy of ntdll.dll and making a clean copy of it to memory
- Change the permissions of the .text section to RWX in our hooked version of the PE then copying a clean version of our original PE .text section and replacing the hooked section with our clean version
Since programs like SysWhispers can generate these syscalls for us using the exact syscall name its best to change the name from something like:
NtAllocateVirtualMemory to NtAVM just to evade EDR incase the use of string based search is used.
Hellβs Gate VS Haloβs Gate VS Tartarus Gate
Essentially Hellβs Gate is a way to fetch the syscall numbers by parsing the InMemoryOrderModuleList from the PEB Structure. Hells Gate does this by finding the ntdll.dll address, which is usually the first entry in the InMemoryOrderModuleList, it is possible to obtain the syscall numbers by parsing its exports (EAT) for the necessary functions we need.
Halos Gate was amended to Hells Gate and adds to this technique. When making using a syscall Hells Gate syscall lookup is performed to find the syscall number and the first bytes of the funtion are read to search for e9 which is the jmp instruction on the previous or next instruction. Once this is identified then we know that the syscall is hooked.
Since EDRs may not always hook within the first bytes and may use other instructions at the start Tartarus Gates adds to Halos Gate. In Tartarus Gate there is an additional check that is made. It checks the 4th byte in the syscall instruction to see if it e9
NtCreateFile Hooked?
I saw a post by Paranoid Ninja that EDRs are now hooking NtCreateFile which is used to re-map the .text section of ntdll.dll to prevent from API hooking. A way to get around this is by enumerating the kernel for open file handles of ntdll.dll and duplicate them.
Although this is a bit noisy since you have to enumerate a lot of handles with NtQuerySystemInformation.
Resources:
| Title | URL |
|---|---|
| Syswhisper2 | https://github.com/jthuraisamy/SysWhispers2 |
| Shellcode Loaders | https://frischkorn-nicholas.medium.com/windows-evasion-edrs-shellcode-loaders-e57db92de630 |
| Halos Gate / HellsGate | https://github.com/am0nsec/HellsGate |
| Sektor7 Halos Gate | https://sektor7.net/#!res/2021/halosgate.md |
| BreadMan Module Stomping using Native WinAPI | https://medium.com/@Breadman602/breadman-module-stomping-api-unhooking-using-native-apis-b10df89cc0a2 |
| TartarusGate | https://github.com/trickster0/TartarusGate |
| Tartarus Gate Explination | https://trickster0.github.io/posts/Haloβs-Gate-Evolves-to-Tartarus-Gate/ |
| Paranoid Ninja API Hooking NtCreateFile | https://twitter.com/ninjaparanoid/status/1456658367376543748?s=21 |