A small POC to bypass NT API hooking using the @maldevacademy indirect syscall technique.
The tool consists of the following features:
- HellsHall implementation of the indirect syscall bypass by @maldevacademy
- Mechanism to detect the presence of an InetSim sandbox; if detected, execution of the malware halts.
- API hashing.
- IPv6 shellcode obfuscation.
- IAT obfuscation to evade static analysis.
- Debugger check.
Here are the screenshot and demo of the tool:
Before execution, the malware checks for InetSim, an internet simulation sandbox that tricks malware into continuing execution and connecting to its C2.
IAT obfuscation hides the presence of malicious APIs in the IAT to evade basic static analysis.
HellsHall indirect system calls, a modified version of the Tartarus Gate logic, are used to evade NT API hooking by the @BestEdrOfTheMarket EDR.
(Demo video: 352714034-fc7cb7a9-a33f-4034-94f2-536241dd44ec.mp4)
Note - This tool has not been tested against commercial EDRs; AV evasion and kernel-based detection are out of scope as well. New features and techniques will be implemented in other tools in the near future.