https://github.com/Maldev-Academy/HellHall/

Why do these people gotta do what I’m trying to do but 10x better and cooler AAAAAAAAA

Assembly

• SetConfig(WORD wSSN, PVOID pInst) ⇒ store the ecx as the SSN and the rdx as the address of the syscall instruction
  • Recall that first 4 args are rcx, rdx, r8, r9, and that the ecx is just the lower 32 bits of the rcx
• HellHall(args) ⇒ Set up the registers and JMP to the syscall instruction. SetConfig must be called beforehand to ensure the SSN and syscall instructions are properly configured by the most recent call to SetConfig

Datatypes

• _SysFunc
  • pInst PVOID of the syscall instruction
  • pAddress PBYTE of the Base address of the Nt API
  • wSSN WORD, the syscall id
  • uHash UINT32_T, the hash of the syscall name

Other Core functions

• SYSCALL ⇒ Calls SetConfig(wSSN, pInst)

Backend

• It seems the PEB is walked (InitilizeNtdllConfig) to find the base address of ntdll.dll
• Then a standard walk of the PE is done to find all the export names and addresses

General Usage

Hashes are generated via the crc32b function, which takes a string (presumably the ntapi name), and outputs the hash to be used in the first step.

• First, obtain information for the syscall that we want via InitilizeSysFunc(NtAPI hash)
• Then, call getSysFuncStruct(&s.something) to store the SSN and syscall instruction address to a variable
• Then, call SYSCALL(s.something), which will call SetConfig to set up the SSN and syscall instruction address
• Then call HellHall and pass in the normal args you would to the respective syscall