SuperdEye: Go-ing Beyond AV/EDR with Indirect Syscalls
SuperdEye
SuperdEye is the implementation of HellHall (a revised version of TartarusGate) in pure Go and Go Assembler.
The purpose is to scan hooked NTDLL and retrieve the Syscall number to then do an indirect Syscall with it, thus allowing the bypass of AV/EDR that put hooks on functions.
What does it do?
It is the implementation of TartarusGate by trickster0 and HellHall by mrd0x and NUL0x4C in Go.
Basically, a hooked NTDLL will be scanned. Once the target function is found, in case it is hooked by an AV or an EDR, a scan of the neighboors above and below will be made until a clean syscall is found. This will allow the calculation of the target function’s ssn.
Once the ssn is found, an indirect syscall will be constructed.
I tried illustrating the principle with the following diagram.
Other Similar Tools in Go
Other notable tools that are worth noting are BananaPhone and acheron.
BananaPhone uses a similar aproach to HellHall and TartarusGate but does not search far in the neighbor. Plus the syscall is direct. BananaPhone is the equivalent of the HellGate project in Go.
Acheron on the other hand, use a totally different aproach than HellGate and HellHall (and TartarusGate). Basically, at the beginning Acheron scan all the NTDLL, sort all the function’s hashes by address. The ssn is then deduced by simply calculating the index of the function in the address list. In Acheron the syscall is an indirect one. Acheron is the equivalent of the SysWhisper3 project in Go.
