What is Halo's Gate and how does it enable red team trade-craft?
Learn what the Halo's Gate technique for direct syscalls is and how to use it for red team trade-craft.
In a previous post, I described how red team operators can use the Hell’s Gate technique to resolve System Service Numbers (SSNs), or syscall IDs, at runtime. This eliminates the need to hard-code syscall IDs in the implant. A drawback of this technique is that it does not work if the required DLL (e.g. ntdll.dll) is hooked.
Reenz0h from @SEKTOR7net published an update to this technique that patches the Hell’s Gate code to work with hooked DLLs as well. This patched technique is called Halo’s Gate.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
The main change in Halo’s Gate is in the function responsible for extracting syscall numbers (GetVxTableEntry()). Here’s how it works:
Just like Hell’s Gate, Halo’s Gate first scans ntdll.dll in memory to find the syscall stub for a given function. If the stub is unhooked, the syscall number is read from it directly and execution proceeds normally. If the syscall stub is hooked, the code checks the neighboring syscall stubs instead of failing immediately.
It first looks at the next syscall stub downward in memory by adding 32 bytes to the current location, because each syscall stub in ntdll.dll is 32 bytes in size. If this downward stub is unhooked, it retrieves its syscall number and subtracts 1 to calculate the syscall number of the required function. If the downward stub is also hooked, it checks the stub above the current function by subtracting 32 bytes from the current location. If this upward stub is unhooked, it retrieves its syscall number and adds 1 to calculate the required syscall number.
If both the immediate neighbors (upward and downward) are also hooked, the search continues further until an unhooked syscall is found. Once an unhooked syscall is located, the required syscall number is calculated based on its relative position.
Once the correct syscall number is determined, the function proceeds with direct syscall execution, just like in Hell’s Gate.
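As an added illustration (not code from the original post or from any of the implementations linked below), the following Python models that walk over a constructed byte region rather than live process memory; the stub layout, the hook shape (a 5-byte JMP overwriting the prologue) and the SSN values are assumptions chosen for the simulation. The `hook_inventory` helper is the same parse seen from the defender’s side: it lists which slots no longer carry the clean prologue.

```python
# Constructed simulation of the Halo's Gate SSN walk: no process memory is read
# and no syscall is executed. It shows why inline-hooking only some stubs does
# not hide the System Service Numbers of the hooked ones.
import struct

STUB_SIZE = 32  # each Nt*/Zw* stub in x64 ntdll.dll occupies 32 bytes
CLEAN_PROLOGUE = bytes.fromhex("4C8BD1B8")  # mov r10, rcx ; mov eax, <SSN>


def make_stub(ssn: int, hooked: bool = False) -> bytes:
    """Build one 32-byte stub. A hooked stub starts with a 5-byte JMP rel32
    (assumed hook shape; real EDR trampolines vary)."""
    if hooked:
        body = b"\xE9" + struct.pack("<i", 0x1000)  # jmp <constructed detour offset>
    else:
        body = CLEAN_PROLOGUE + struct.pack("<I", ssn)
    return (body + bytes.fromhex("0F05C3")).ljust(STUB_SIZE, b"\xCC")  # syscall; ret; int3 pad


def stub_ssn(region: bytes, idx: int):
    """SSN encoded in stub `idx`, or None if the slot is hooked or out of range."""
    if idx < 0 or (idx + 1) * STUB_SIZE > len(region):
        return None
    stub = region[idx * STUB_SIZE:(idx + 1) * STUB_SIZE]
    if not stub.startswith(CLEAN_PROLOGUE):
        return None  # first bytes overwritten: treat the slot as hooked
    return struct.unpack_from("<I", stub, len(CLEAN_PROLOGUE))[0]


def resolve_ssn(region: bytes, idx: int):
    """Read the stub directly; if hooked, try the stub 32 bytes below (its SSN - k),
    then 32 bytes above (its SSN + k), widening k until a clean stub is found."""
    direct = stub_ssn(region, idx)
    if direct is not None:
        return direct
    for k in range(1, len(region) // STUB_SIZE):
        down = stub_ssn(region, idx + k)
        if down is not None:
            return down - k
        up = stub_ssn(region, idx - k)
        if up is not None:
            return up + k
    return None  # every stub in the region is hooked: nothing to infer from


def hook_inventory(region: bytes):
    """Defender view: slots whose prologue no longer matches the clean pattern."""
    return [i for i in range(len(region) // STUB_SIZE) if stub_ssn(region, i) is None]


# Constructed region: 8 consecutive stubs with SSNs 0x18..0x1F, slots 2-4 hooked,
# so slot 3 has both immediate neighbours hooked and the walk must widen to k=2.
REGION = b"".join(make_stub(0x18 + i, hooked=i in (2, 3, 4)) for i in range(8))
```

With this region, `resolve_ssn(REGION, 3)` recovers 0x1B from slot 5 (0x1D minus 2); when every stub in the region is hooked it returns None, which is the one case the neighbour walk cannot handle.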
The following code snippet shows the modification made to Hell’s Gate technique:
The key advantage of Halo’s Gate is that it does not rely on an unhooked copy of ntdll.dll. Even if security software has placed hooks on all major API functions, Halo’s Gate can still extract syscall numbers by analyzing neighboring syscall stubs.
This makes it more reliable than Hell’s Gate in environments where security tools aggressively hook ntdll.dll. As a result, red team operators using Halo’s Gate have a better chance of executing syscalls stealthily without being detected by traditional API monitoring mechanisms.
A C++ implementation of the Halo’s Gate technique was published by 0xR4UL and is available here.
Bobby Cooke has published a BoF that uses the Halo’s Gate technique to list processes on a system. He has also published an assembly implementation of this technique.
Hannn has published an unhooker based on this technique that helps red team operators remove hooks placed by EDR.
Red Team Notes
Halo’s Gate is an improved version of Hell’s Gate that allows syscall execution even when ntdll.dll is hooked. Instead of relying on an unhooked ntdll.dll, it scans neighboring syscalls (upward and downward) to find an unhooked one and calculates the required syscall number based on its position.