Added SyscallResolvers project

README.md

@@ -7,6 +7,7 @@ Tools and PoCs for Windows syscall investigation.
 - [AtomicSyscall](#atomicsyscall)
   - [SyscallDumper](#syscalldumper)
   - [SyscallPoCs](#syscallpocs)
+  - [SyscallResolvers](#syscallresolvers)
   - [Reference](#reference)
   - [Acknowledgments](#acknowledgments)
 
@@ -205,6 +206,26 @@ All PoCs try to list kernel modules by `NtQuerySystemInformation` syscall.
 | [HalosGatePoC](./SyscallPoCs/HalosGatePoC) | This PoC resolves the syscall numbers of `NtQuerySystemInformation` by the Halo's Gate technique. |
 
 
+## SyscallResolvers
+
+[Back to Top](#atomicsyscall)
+
+[Project](./SyscallResolvers)
+
+The purpose of this project is to help to learn how in-memory syscall number resolve techniques work:
+
+| PoC Name | Description |
+| :--- | :--- |
+| [HellsGateResolver](./SyscallResolvers/HellsGateResolver) | This PoC resolves the syscall numbers in ntdll.dll by the Hell's Gate technique. Not works for functions patched with anti-virus products. |
+| [HalosGateResolver](./SyscallResolvers/HalosGateResolver) | This PoC resolves the syscall numbers in ntdll.dll by the Halo's Gate technique. |
+
+The following figure shows the difference between Hell's Gate and Halo's Gate in anti-virus software installed environment.
+Hell's Gate technique does not work for patched `NtCreateProcessEx` function.
+On the other hand, Halo's Gate technique works for patched `NtCreateProcessEx` function:
+
+![syscallresolvers.png](./figures/syscallresolvers.png)
+
+
 ## Reference
 
 [Back to Top](#atomicsyscall)

SyscallResolvers/HalosGateResolver/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
+    </startup>
+</configuration>

SyscallResolvers/HalosGateResolver/HalosGateResolver.cs

@@ -0,0 +1,52 @@
+using System;
+using System.Collections.Generic;
+using HalosGateResolver.Library;
+
+namespace HalosGateResolver
+{
+    class HalosGateResolver
+    {
+        static void Main(string[] args)
+        {
+            Console.WriteLine("\n--[ Halo's Gate syscall number resolver\n");
+
+            if (args.Length == 0)
+            {
+                Console.WriteLine(
+                    "Usage: {0} <Syscall Name in ntdll.dll>\n",
+                    AppDomain.CurrentDomain.FriendlyName);
+
+                return;
+            }
+
+            string target;
+
+            if (args[0].IndexOf("Nt", StringComparison.OrdinalIgnoreCase) == 0)
+            {
+                target = args[0];
+            }
+            else
+            {
+                Console.WriteLine("[-] Syscall name should be start with \"Nt\".");
+
+                return;
+            }
+
+            Dictionary<string, int> table = HalosGate.ResolveSyscallNumber(target);
+
+            if (table.Count > 0)
+            {
+                foreach (var entry in table)
+                {
+                    Console.WriteLine("[+] Found.");
+                    Console.WriteLine("    |-> Syscall Name   : {0}", entry.Key);
+                    Console.WriteLine("    |-> Syscall Number : {0} (0x{1})\n", entry.Value, entry.Value.ToString("X"));
+                }
+            }
+            else
+            {
+                Console.WriteLine("[-] Failed to resolve syscall number.\n");
+            }
+        }
+    }
+}

SyscallResolvers/HalosGateResolver/HalosGateResolver.csproj

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{8540319A-E47D-42FB-B1AC-9D8815107805}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>HalosGateResolver</RootNamespace>
+    <AssemblyName>HalosGateResolver</AssemblyName>
+    <TargetFrameworkVersion>v4.5</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <Deterministic>true</Deterministic>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>..\bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>..\bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="HalosGateResolver.cs" />
+    <Compile Include="Library\HalosGate.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>