Skip to content
/ HadesGate Public

A New Method Of Retrieving System Call Service Numbers By Parsing NtOsKrnl Exports.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dk0m/HadesGate

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
HadesGate
HadesGate
 
 
HadesGate.sln
HadesGate.sln
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

HadesGate

A New Method Of Retrieving System Call Service Numbers By Parsing NtOsKrnl Exports.

How Does It Work?

If we open ntoskrnl.exe in IDA, And search for functions with the Zw prefix and select a random one, For example ZwAlpcCreatePort, We will find this:

public ZwAlpcCreatePort
ZwAlpcCreatePort proc near
mov     rax, rsp
cli
sub     rsp, 10h
push    rax
pushfq
push    10h
lea     rax, nullsub_4
push    rax
mov     eax, 7Bh <--- This is the SSN
jmp     sub_140411580
ZwAlpcCreatePort endp

So what HadesGate does is parse the exports, Look for functions with the Zw prefix, Go through the stub's memory until we find a 0xB8 opcode in the stub, Which indicates we are currently going through the mov eax, SSN line, Then HadesGate extracts the SSN from the function and returns.

Problems With It

This method will NOT get you every single SSN you want, So I wouldn't suggest using it in a real engagement unless the system calls you need are exported in ntoskrnl.exe.

About

A New Method Of Retrieving System Call Service Numbers By Parsing NtOsKrnl Exports.

Topics

windows malware hellsgate

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages