What is Tartarus' Gate and how does it enable red team trade-craft?
Learn what the Tartarus' Gate technique for unhooking syscalls is and how to use it for red team trade-craft.
In the last post, I covered the Halo's Gate technique for direct syscall execution. Halo's Gate is itself an evolved version of the Hell's Gate technique. It turns out that trickster0 found a way to evolve Halo's Gate further, and named the result Tartarus' Gate.
During their research, trickster0 found that the Halo's Gate technique did not work against a certain EDR. This EDR hooked Windows APIs in a way that Halo's Gate did not account for. Usually, when an EDR hooks an API, the first few bytes of the syscall stub are overwritten with a jmp (opcode e9) instruction.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.

However, during their research, trickster0 identified that the EDR they were working with hooked APIs in a slightly different way. Instead of placing the hook at the first byte, it placed the hook at the fourth byte.

As can be seen in the above screenshot, the first three bytes (4c 8b d1) encode the mov r10, rcx instruction, and the hook (jmp, opcode e9) is placed at the fourth byte.
Since the Halo's Gate technique only looks at the first byte of the syscall stub to identify the hook (jmp, e9), it fails to identify a hook placed at the fourth byte.
To resolve this, trickster0 added an additional check to the Halo's Gate code (specifically in GetVxTableEntry()) that looks for the hook at the fourth byte.
The image below shows the newly added code snippet. The full code for Tartarus' Gate is available in trickster0's GitHub repository.
As trickster0 mentions, other EDRs may hook APIs in yet other ways, so this technique can be evolved further to account for those cases as well.
This provides an interesting research opportunity. Assuming that a hook will always involve some form of jump, this code can be further evolved to look for common jump patterns starting from the first byte to the tenth byte (or any other arbitrarily chosen byte number). This should account for most EDRs.
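As an added illustration (this is not trickster0's code and not from this post), the following Python classifies x64 syscall stubs by where, if anywhere, a jump has been written into them. It shows concretely why a first-byte check misses a fourth-byte hook, and it also implements the wider scan suggested above with one caveat a practitioner hits immediately: the scan must respect instruction boundaries, because the four immediate bytes of mov eax, <ssn> are data, and an SSN whose low byte happens to be e9 would otherwise be reported as a jmp. A detection engineer can use the same logic to verify where their EDR's hooks actually land, or to triage stub bytes pulled from a memory dump. The stub layout (4c 8b d1, then b8 <ssn>, then the test/jne/syscall tail), the extra ff 25 indirect-jmp pattern, the placeholder SSN 0x18 and the dummy displacement bytes are all assumptions or constructed values, not bytes captured from any real ntdll or EDR.

```python
"""Classify x64 ntdll syscall stubs by the position of a planted jump.

Added example for this post; not trickster0's Tartarus' Gate code.
Assumed stub layout (well-known x64 ntdll shape, stated here as an assumption):
    4c 8b d1            mov r10, rcx
    b8 <ssn> 00 00      mov eax, ssn      (bytes 4..7 are an immediate, not opcodes)
    f6 04 25 ...        test/jne/syscall/ret tail
"""
from typing import Optional, Tuple

MOV_R10_RCX = bytes.fromhex("4c8bd1")   # first three bytes of an unhooked stub
MOV_EAX = 0xB8                          # opcode of `mov eax, imm32` at the fourth byte
JUMP_OPCODES = {
    bytes.fromhex("e9"): "jmp rel32",          # the pattern discussed in the post
    bytes.fromhex("ff25"): "jmp [rip+disp32]",  # assumed additional common pattern
}


def find_jump(stub: bytes, max_offset: int = 10) -> Optional[Tuple[int, str]]:
    """Return (zero-based offset, mnemonic) of the first jump opcode within the
    first `max_offset` bytes, or None if no jump pattern is present."""
    skip = range(0)
    # If the prologue and the mov eax opcode are intact, bytes 4..7 hold the
    # SSN immediate. They are data, so do not interpret them as opcodes.
    if stub.startswith(MOV_R10_RCX) and len(stub) > 3 and stub[3] == MOV_EAX:
        skip = range(4, 8)
    for off in range(min(max_offset, len(stub))):
        if off in skip:
            continue
        for opcode, name in JUMP_OPCODES.items():
            if stub[off:off + len(opcode)] == opcode:
                return off, name
    return None


def classify_stub(stub: bytes) -> str:
    """Describe the stub as a first-byte check (Halo's Gate), a first-and-fourth
    byte check (Tartarus' Gate) and a wider boundary-aware scan would each see it."""
    hit = find_jump(stub)
    if hit is None:
        if stub.startswith(MOV_R10_RCX) and len(stub) > 3 and stub[3] == MOV_EAX:
            return "clean"
        return "unknown layout"
    off, name = hit
    byte_no = off + 1  # the post counts bytes from one ("fourth byte" == offset 3)
    if off == 0:
        return f"hooked at byte {byte_no} ({name}): caught by the first-byte check"
    if off == 3:
        return f"hooked at byte {byte_no} ({name}): missed by the first-byte check, caught by the fourth-byte check"
    return f"hooked at byte {byte_no} ({name}): missed by both checks, caught only by a wider scan"


# Constructed sample stubs (not dumped from any real ntdll or EDR).
# SSN 0x18 is a placeholder; aa bb cc dd is a dummy jump displacement.
TAIL = bytes.fromhex("f604250803fe7f01" "7503" "0f05" "c3" "cd2e" "c3")
CLEAN = bytes.fromhex("4c8bd1" "b818000000") + TAIL
HOOK_BYTE_1 = bytes.fromhex("e9aabbccdd" "000000") + TAIL          # jmp over the first 5 bytes
HOOK_BYTE_4 = bytes.fromhex("4c8bd1" "e9aabbccdd") + TAIL           # prologue intact, jmp at byte 4
SSN_LOOKS_LIKE_JMP = bytes.fromhex("4c8bd1" "b8e9000000") + TAIL    # clean stub, SSN low byte is e9
HOOK_BYTE_9 = bytes.fromhex("4c8bd1" "b818000000" "e9aabbccdd") + TAIL[5:]  # jmp after mov eax


if __name__ == "__main__":
    for label, stub in [("clean", CLEAN), ("hook@1", HOOK_BYTE_1), ("hook@4", HOOK_BYTE_4),
                        ("ssn=e9", SSN_LOOKS_LIKE_JMP), ("hook@9", HOOK_BYTE_9)]:
        print(f"{label:7} {stub[:12].hex(' ')}  ->  {classify_stub(stub)}")
```

Running the script prints one line per constructed stub: the clean stub and the stub whose SSN merely contains e9 both classify as clean, while the three hooked variants report the byte position each check would need to look at. The boundary-aware skip is the part worth keeping in any stub-integrity check: a naive byte scan over the first ten bytes produces false positives on roughly one SSN in 256.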
Red Team Notes
Tartarus' Gate technique is an evolution of Halo's Gate technique to account for EDRs that hook Windows APIs in a slightly different way. This technique introduces an additional check to look for the hook at the 4th byte.