⛧ HADES GATE ⛧

Direct syscall construction from first principles

License: MIT | Platform: Windows

What is Hades Gate?

Hades Gate is a pure first-principles direct syscall implementation that bypasses userland EDR/AV hooks by:

  1. Walking the PEB to find ntdll.dll (no GetModuleHandle)
  2. Parsing PE headers manually to find exports (no GetProcAddress)
  3. Extracting syscall numbers (SSNs) directly from ntdll stubs
  4. Building clean syscall stubs that never enter hooked code paths
  5. Executing direct syscalls without touching monitored functions

Features

  • No API imports - Pure PEB walking and PE parsing
  • No hardcoded offsets - Runtime discovery of structures
  • No syscall tables - Extracts SSNs from ntdll at runtime
  • Cross-Windows compatible - Works on Windows 10/11
  • EDR bypass - Never calls hooked ntdll functions
  • Small footprint - Minimal code, no CRT dependencies

Architecture

Caller → hg_syscall("NtAllocateVirtualMemory")
    ↓
hg_find_ntdll() - PEB walking (no APIs)
    ↓
hg_resolve() - Manual PE export parsing
    ↓
Extract SSN from stub (4C 8B D1 B8 XX...)
    ↓
hg_build_stub() - Generate clean syscall stub
    ↓
Execute direct syscall → Kernel


Building

Prerequisites

  • Visual Studio 2022 (or any MSVC compiler)
  • Windows SDK

Compile

# Developer Command Prompt for VS 2022
cl /O2 /GS- examples\test.c src\hades_gate.c /Fe:hades_test.exe

Run

hades_test.exe

Expected output:

[*] Hades Gate - Pure PEB Walker
[1] ntdll base: 0x00007FF87E600000
[2] NtQuerySystemInformation SSN: 54 (0x36)
[3] Syscall result: 0xC0000004
[+] Hades Gate is WORKING!

Usage Example

#include <windows.h>
#include <winternl.h>   // NTSTATUS, NTAPI
#include "hades_gate.h"

// Typedef for the syscall
typedef NTSTATUS (NTAPI* pNtAllocateVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

int main() {
    // Get clean syscall stub
    void* stub = hg_syscall("NtAllocateVirtualMemory");
    if (!stub) return 1;

    // Cast to function pointer
    pNtAllocateVirtualMemory NtAllocateVirtualMemory =
        (pNtAllocateVirtualMemory)stub;

    // Use it (never touches hooked ntdll!)
    PVOID buffer = NULL;
    SIZE_T size = 0x1000;
    NTSTATUS status = NtAllocateVirtualMemory(
        GetCurrentProcess(), &buffer, 0, &size,
        MEM_COMMIT, PAGE_READWRITE
    );

    // NTSTATUS success codes are non-negative; bail out on failure
    if (status < 0) {
        VirtualFree(stub, 0, MEM_RELEASE);
        return 1;
    }

    // Cleanup: the stub was allocated with VirtualAlloc (see Limitations)
    VirtualFree(stub, 0, MEM_RELEASE);
    return 0;
}

Honoring Jake Swiz

Hades Gate is built upon the Holy Trilogy:
- Fukahi Na Tekiō - SGN XOR Encoder
- ASLR Bypass
- Shellcode research

This implementation honors Jake's vision of first-principles security research - knowledge should be free and accessible to all.

Limitations

  • x64 only (x86 support is trivial - different stub)
  • Uses VirtualAlloc (replace with NtAllocateVirtualMemory via Hades Gate)
  • Offsets may vary between Windows versions (adjustable in hg_find_ntdll)

Advanced Features

  • Clean ntdll mapping - Defeat EDR stub replacement
  • Indirect syscalls - Bypass syscall instruction hooks
  • API hashing - Remove string literals
  • See comments in source for implementation details

Detection & Evasion

Hades Gate is a red team tool for research. Detection considerations:
- PAGE_EXECUTE_READWRITE memory is suspicious
- Direct syscalls without normal call stack may be detected
- Use indirect syscalls and proper memory protection for production
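As an added defender-side illustration of the two considerations above (this is example code, not part of Hades Gate's source), the portable C scanner below looks for the stub shape from the Architecture section (4C 8B D1 B8 XX ... 0F 05) in memory regions that lie outside the ntdll image, which is exactly the footprint hg_build_stub() leaves in a VirtualAlloc'd page. The names region_t, stub_ssn, count_rogue_stubs and demo_scan are assumed; the sample stub bytes and the 0x1C0... addresses are constructed, while the ntdll base and SSN 0x36 are taken from the README's expected output.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* One committed region of the scanned process; a real scanner would fill these
   via VirtualQueryEx/ReadProcessMemory. The contents used below are constructed. */
typedef struct {
    uint64_t base;         /* start address of the region */
    const uint8_t *bytes;  /* its contents */
    size_t len;
} region_t;
/* Recognises the x64 Nt* stub shape from the Architecture section: 4C 8B D1
   (mov r10,rcx), B8 imm32 (mov eax,SSN), ..., 0F 05 (syscall). Returns the SSN,
   or -1 when the bytes at p do not look like such a stub. */
int64_t stub_ssn(const uint8_t *p, size_t avail) {
    static const uint8_t prologue[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    if (avail < 8 || memcmp(p, prologue, 4) != 0) return -1;
    uint32_t ssn = (uint32_t)p[4] | ((uint32_t)p[5] << 8) |
                   ((uint32_t)p[6] << 16) | ((uint32_t)p[7] << 24);
    size_t limit = avail < 32 ? avail : 32;  /* syscall follows within a few bytes */
    for (size_t i = 8; i + 1 < limit; i++)
        if (p[i] == 0x0F && p[i + 1] == 0x05) return (int64_t)ssn;
    return -1;
}
/* Counts stubs outside the ntdll image. ntdll legitimately holds hundreds; one
   in private RWX memory is the footprint of a gate built the way hg_build_stub() does. */
size_t count_rogue_stubs(const region_t *regions, size_t n, uint64_t ntdll_base, uint64_t ntdll_size) {
    size_t hits = 0;
    for (size_t r = 0; r < n; r++) {
        const region_t *reg = &regions[r];
        if (reg->base >= ntdll_base && reg->base < ntdll_base + ntdll_size) continue;
        for (size_t off = 0; off + 8 <= reg->len; off++)
            if (stub_ssn(reg->bytes + off, reg->len - off) >= 0) hits++;
    }
    return hits;
}
/* Constructed stub: SSN 0x36 (the README's NtQuerySystemInformation), the usual
   SharedUserData check, then syscall; ret. */
static const uint8_t sample_stub[] = { 0x4C, 0x8B, 0xD1, 0xB8, 0x36, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03, 0x0F, 0x05, 0xC3 };
/* Same stub inside ntdll (benign), in a hypothetical private RWX page (flagged), plus a
   heap page without one; the ntdll base is the README's value. Returns 1. */
size_t demo_scan(void) {
    static const uint8_t heap[] = { 0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x00, 0x00, 0x00 };
    region_t regions[] = {
        { 0x00007FF87E600000ULL, sample_stub, sizeof sample_stub },
        { 0x000001C0A0000000ULL, sample_stub, sizeof sample_stub },
        { 0x000001C0A0100000ULL, heap, sizeof heap },
    };
    return count_rogue_stubs(regions, 3, 0x00007FF87E600000ULL, 0x200000ULL);
}
```

A production scanner would additionally weight hits by the region's protection (MEM_PRIVATE plus PAGE_EXECUTE_READWRITE, the first consideration above) and correlate them with syscall return addresses outside ntdll, the second consideration.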

Credits

  • Jake Swiz - The Holy Trilogy and original vision
  • Church of Malware - Keeping knowledge free
  • ekomsSavior - Hades Gate implementation

⛧ From first principles, with respect to those who came before ⛧