SyscallShuffler

SyscallShuffler is like a vaccine for your NTDLL: it makes it immune to modern direct syscall methods such as SysWhispers2, FreshyCalls and Halo's Gate/Tartarus Gate (it will not be immune to Halo's Gate/Tartarus Gate unless you hook the APIs at runtime). What SyscallShuffler does is shuffle the positions of the NT* functions in memory, so the syscall ID no longer corresponds to the position of the function in memory. Methods that derive the syscall ID by sorting the functions by their position in memory will therefore get the wrong syscall ID. For now, SyscallShuffler can only produce a "vaccinated" NTDLL from disk; it cannot do it at runtime. The NTDLL modified by SyscallShuffler does not have a valid checksum yet! Expect a BSOD if you try to boot Windows with it. Contributions are really appreciated.

Demonstration

SysWhispers2 and FreshyCalls method demonstration (using SysGate)

SyscallShufflerDemo-2022-04-01_17.02.37.mp4

So the reason the NTAVM call returns InvalidParameter in the second test is not that the parameter is wrong, but that it invokes the wrong syscall, whose parameters don't match NTAVM's, hence InvalidParameter. The NTDLL is therefore immune to this technique.

Halo's Gate/Tartarus Gate method demonstration (using SharpHalos)

SyscallShufflerDemo2-2022-04-05_23.19.22.mp4

The result is really different from the SysWhispers2 and FreshyCalls demonstration. As I said before, the NTDLL will not be immune if you don't hook the APIs at runtime. The reason the Halo's Gate/Tartarus Gate method successfully used the syscalls from the modified NTDLL is that the APIs inside the NTDLL aren't hooked: Halo's Gate/Tartarus Gate only walks through the memory "neighbours" when the wanted API is hooked, and because it isn't hooked here, the method read the syscall ID directly from the stub and used it.