VoidSyscall — Direct NT Syscall Framework

  +================================================================+
  |        VoidSyscall -- Direct NT Syscall Framework               |
  |   Hell's Gate  .  Halos Gate  .  Tartarus Gate  .  SSN Resolve  |
  |      Author: mazen91111 (parasite911)  .  Red Team Research     |
  +================================================================+

Issues NT syscalls directly from the tool's own stubs instead of calling the (possibly hooked) ntdll.dll exports, so inline user-mode hooks on those exports never see the call. Implements Hell's Gate, Halo's Gate, Tartarus Gate and static SSN resolution. Includes x64 Assembly stubs and a Python analysis framework.

Note that ntdll.dll is still read (in memory or from disk) to resolve the syscall numbers; only the call itself avoids it. Direct syscalls defeat user-mode inline hooks only: kernel-side telemetry (ETW-Ti, process/thread/image-load callbacks) and EDRs that check whether the return address of a syscall lies inside ntdll's text section are unaffected.


Languages

Component Language Description
voidsyscall.py Python Syscall database, stub generator, analysis engine
syscall_stubs.asm x64 Assembly Direct syscall stubs for 11 NT functions

Syscall Database

Syscall                    SSN (Win11 x64)  Category  Risk      MITRE
NtAllocateVirtualMemory    0x0018           Memory    HIGH      T1055
NtWriteVirtualMemory       0x003A           Memory    CRITICAL  T1055
NtProtectVirtualMemory     0x0050           Memory    HIGH      T1055
NtCreateThreadEx           0x00C2           Process   CRITICAL  T1055
NtQueueApcThread           0x0045           Process   CRITICAL  T1055.004
NtOpenProcess              0x0026           Process   HIGH      T1055
NtAdjustPrivilegesToken    0x0041           Token     CRITICAL  T1134.001

SSNs are assigned per Windows build and are not stable across releases (NtCreateThreadEx differs between the Windows 10 columns in the example output below), so treat the static values as a fallback and confirm them at runtime with one of the resolution techniques.

SSN Resolution Techniques

Technique       Stealth  Description
Hell's Gate     7/10     Read the SSN from the imm32 of "mov eax, SSN" in the ntdll stub prologue
Halo's Gate     9/10     When the target stub is hooked, read a clean neighbouring stub and correct by the distance (Nt* stubs are 32 bytes apart and in ascending SSN order)
Tartarus Gate   9/10     Halo's Gate extended to also recognise hooks placed after "mov r10, rcx" (jmp at offset 3 rather than offset 0)
SysWhispers     6/10     Static compile-time SSN table keyed by OS build
FreshyCalls     8/10     Sort ntdll's Nt* exports by address; a stub's index in that order is its SSN, so no stub bytes need to be read

Installation

git clone https://github.com/mazen91111/VoidSyscall.git
cd VoidSyscall
pip install -r requirements.txt

Usage

# Full syscall analysis demo
python voidsyscall.py --demo

# Generate stub for specific syscall
python voidsyscall.py --stub NtCreateThreadEx

# List all known syscalls
python voidsyscall.py --list

Example Output

  [ SYSCALL NUMBER TABLE (x64) ]
  Syscall                      W10-1809 W10-21H2 W11-22H2  Risk
  NtAllocateVirtualMemory        0x0018   0x0018   0x0018  HIGH
  NtWriteVirtualMemory           0x003A   0x003A   0x003A  CRITICAL
  NtCreateThreadEx               0x00C1   0x00C2   0x00C2  CRITICAL

  [ GENERATED SYSCALL STUBS (x64 ASM) ]
  > NtCreateThreadEx  (SSN: 0x00C2)
  > MITRE: T1055  |  Create remote thread
    Bytes: 4C 8B D1 B8 C2 00 00 00 0F 05 C3
    ASM:   mov r10, rcx
    ASM:   mov eax, 0x00C2
    ASM:   syscall
    ASM:   ret

  [ EDR HOOK DETECTION ]
    Normal stub:  4C 8B D1 B8 (mov r10,rcx; mov eax,SSN)
    Hooked stub:  E9 XX XX XX XX (jmp <EDR_trampoline>)
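The resolution techniques in the table above and the hook-detection output shown here, worked through as an added example that is not code from the VoidSyscall repository. It constructs a fake ntdll text region in memory (the 32-byte stub layout, the 0xE9 hook pattern and NtAllocateVirtualMemory = 0x18 mirror real x64 ntdll; the other export names, RVAs and hook placements are made up), resolves SSNs with Hell's Gate, falls back to the Halo's/Tartarus Gate neighbour walk when a stub is hooked, and cross-checks with FreshyCalls-style export sorting:

```python
"""Added example, not code from the VoidSyscall repository: Hell's Gate,
Halo's Gate and Tartarus Gate SSN resolution plus FreshyCalls-style address
sorting, run against a constructed in-memory copy of ntdll's syscall stubs.
The image, export RVAs and hook placements are synthetic; only the stub
layout and NtAllocateVirtualMemory = 0x18 mirror a real x64 ntdll."""
import struct
from typing import Dict, Optional

STUB_SIZE = 32                               # x64 ntdll Nt* stubs are 32 bytes apart
PROLOGUE = bytes.fromhex("4C8BD1B8")         # mov r10, rcx ; mov eax, imm32
JMP_REL32 = 0xE9                             # opcode an inline hook usually writes


def make_stub(ssn: int, hook_at: Optional[int] = None) -> bytes:
    """Build one ntdll-style 32-byte stub; hook_at=0 or 3 overwrites it with a jmp."""
    stub = bytearray(
        PROLOGUE + struct.pack("<I", ssn)
        + bytes.fromhex("F604250803FE7F01")  # test byte ptr [7FFE0308h], 1
        + bytes.fromhex("7503")              # jne  +3
        + bytes.fromhex("0F05C3")            # syscall ; ret
        + bytes.fromhex("CD2EC3")            # int 2Eh ; ret
        + bytes.fromhex("0F1F840000000000")  # nop padding to 32 bytes
    )
    if hook_at is not None:                  # constructed EDR trampoline: jmp rel32
        stub[hook_at:hook_at + 5] = bytes([JMP_REL32]) + b"\x11\x22\x33\x44"
    return bytes(stub)


def build_stub(ssn: int) -> bytes:
    """Minimal direct-syscall stub as in the generator output above:
    mov r10, rcx ; mov eax, SSN ; syscall ; ret (11 bytes)."""
    return PROLOGUE + struct.pack("<I", ssn) + bytes.fromhex("0F05C3")


def hells_gate(stub: bytes) -> Optional[int]:
    """Hell's Gate: if the prologue is intact, the SSN is the imm32 of mov eax."""
    if stub[:4] == PROLOGUE:
        return struct.unpack_from("<I", stub, 4)[0]
    return None


def is_hooked(stub: bytes) -> bool:
    """Halo's Gate checks for a jmp at offset 0; Tartarus Gate adds the case where
    the EDR left `mov r10, rcx` alone and placed the jmp at offset 3."""
    return stub[0] == JMP_REL32 or (stub[:3] == PROLOGUE[:3] and stub[3] == JMP_REL32)


def halos_gate(image: bytes, offset: int, max_hops: int = 500) -> Optional[int]:
    """Halo's/Tartarus Gate: try Hell's Gate first; if the stub is hooked, walk to
    neighbouring stubs (32 bytes up or down) and correct the SSN by the distance,
    because Nt* stubs are laid out in ascending SSN order."""
    target = image[offset:offset + STUB_SIZE]
    ssn = hells_gate(target)
    if ssn is not None:
        return ssn
    if not is_hooked(target):
        return None                           # neither a clean stub nor a known hook
    for i in range(1, max_hops + 1):
        for direction in (-1, +1):
            pos = offset + direction * i * STUB_SIZE
            if 0 <= pos <= len(image) - STUB_SIZE:
                neighbour = hells_gate(image[pos:pos + STUB_SIZE])
                if neighbour is not None:
                    return neighbour - direction * i   # up: SSN+i, down: SSN-i
    return None


def ssn_by_address_sort(exports: Dict[str, int]) -> Dict[str, int]:
    """FreshyCalls / SysWhispers2 approach: sort Nt* exports by RVA; a stub's index
    in that order is its SSN. Never reads stub bytes, so hooks do not matter.
    In a real ntdll the lowest stub (NtAccessCheck) is SSN 0; in the constructed
    image below the first stub is 0x18, so index + 0x18 = SSN there. A real
    implementation also drops the few Nt*-prefixed exports that are not stubs."""
    ordered = sorted((rva, name) for name, rva in exports.items() if name.startswith("Nt"))
    return {name: index for index, (_, name) in enumerate(ordered)}


# Constructed ntdll text region: seven consecutive stubs, SSNs 0x18..0x1E. Only the
# first name is from the page's table; the others are placeholders, not Windows names.
FIRST_SSN = 0x18
TEXT_BASE = 0x9D000                                                    # synthetic RVA
NAMES = ["NtAllocateVirtualMemory"] + [f"NtPlaceholder{s:02X}" for s in range(0x19, 0x1F)]
HOOKS = {"NtAllocateVirtualMemory": 0, "NtPlaceholder1B": 3}           # offset-0 / offset-3 hooks
EXPORTS = {name: TEXT_BASE + i * STUB_SIZE for i, name in enumerate(NAMES)}
IMAGE = b"".join(make_stub(FIRST_SSN + i, HOOKS.get(n)) for i, n in enumerate(NAMES))


def resolve(name: str) -> Optional[int]:
    """Resolve one export's SSN from the constructed image via Halo's/Tartarus Gate."""
    return halos_gate(IMAGE, EXPORTS[name] - TEXT_BASE)


if __name__ == "__main__":
    for name in NAMES:
        off = EXPORTS[name] - TEXT_BASE
        stub = IMAGE[off:off + STUB_SIZE]
        ssn = resolve(name)
        print(f"{name:<26} hooked={is_hooked(stub)!s:<5} hells={hells_gate(stub)} "
              f"halos={ssn:#06x} stub={build_stub(ssn).hex(' ').upper()}")
    print("address-sort indices:", ssn_by_address_sort(EXPORTS))
```

On a live system the image would be ntdll's text section as mapped in the current process and the export dictionary its export address table. The walk relies on the 32-byte spacing and ascending SSN order that hold for Nt* stubs; a hook that also overwrites a neighbour is simply skipped, and the sort-based method gives an independent answer when every nearby stub is hooked.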

Author

Mazen Obed (@mazen91111): Direct Syscalls | EDR Evasion | Windows Internals | Red Team


Disclaimer

For authorized security research ONLY.


License

MIT License
