https://github.com/Maldev-Academy/HellHall/
Why do these people gotta do what I’m trying to do but 10x better and cooler AAAAAAAAA
SetConfig(WORD wSSN, PVOID pInst)
⇒ store the ecx as the SSN and the rdx as the address of the syscall instruction

HellHall(args)
⇒ Set up the registers and JMP to the syscall instruction. SetConfig must be called beforehand so that the SSN and the syscall instruction address are the ones configured by the most recent call to SetConfig
_SysFunc (struct)
    pInst     PVOID  of the syscall instruction
    pAddress  PBYTE  of the base address of the Nt API
    wSSN      WORD   the syscall id
    uHash     UINT32_T  the hash of the syscall name

SYSCALL
⇒ Calls SetConfig(wSSN, pInst)
InitilizeNtdllConfig
) to find the base address of ntdll.dll

Hashes are generated via the crc32b function, which takes a string (presumably the Nt API name) and outputs the hash to be used in the first step.
Usage flow:
InitilizeSysFunc(NtAPI hash)
getSysFuncStruct(&s.something) to store the SSN and syscall instruction address to a variable
SYSCALL(s.something), which will call SetConfig to set up the SSN and syscall instruction address
HellHall, passing in the normal args you would to the respective syscall