Monday, June 27, 2022

Halo’s Gate Evolves -> Tartarus’ Gate

A while ago on my Twitter I mentioned what a huge fan I am of Hell’s Gate and Halo’s Gate. Hell’s Gate is a very creative way to fetch syscall numbers at run time instead of hardcoding them per Windows build: it walks the InMemoryOrderModuleList in the PEB’s loader data to find ntdll.dll (usually the second entry, right after the process image itself), parses ntdll’s export table to locate the Nt* functions it needs, and reads each function’s system service number (SSN) straight out of the `mov eax, <SSN>` instruction at the start of that function’s syscall stub.

Even though this is an excellent technique to bypass most of the Ant…

