Hell's Gate

// Dynamic SSN Resolution & Direct Syscalls

Modules: 8
Language: C
Assembly: x64 ASM
Difficulty Tiers: 3

Master the original dynamic syscall technique that spawned a generation of EDR evasion research. Learn how to resolve System Service Numbers at runtime from ntdll stubs, bypass userland hooks, and execute direct syscalls from your own code. By am0nsec (Paul Lainé) & RtlMateusz.

01 Beginner

EDR Hooking & The Problem

How EDRs hook ntdll.dll, why direct API calls get intercepted, and the motivation behind direct syscalls.

02 Beginner

Windows Syscall Architecture

Ring transitions, the SSDT, the syscall instruction, KiSystemCall64, and the user-to-kernel bridge.

03 Beginner

System Service Numbers (SSN)

What SSNs are, how they map to Nt functions in the SSDT, and why they change across Windows versions.

04 Intermediate

ntdll.dll Stub Anatomy

The syscall stub pattern: mov r10,rcx / mov eax,SSN / syscall / ret. Parsing stubs from the Export Address Table.

05 Intermediate

The Hell's Gate Algorithm

Dynamically resolving SSNs from clean or hooked stubs. The up/down neighbor search strategy.

06 Intermediate

Direct Syscall Execution

The ASM stub, register setup, invoking the syscall instruction directly from user-mode code.

07 Advanced

Halo's Gate & TartarusGate

Handling hooked stubs via JMP detection, neighbor delta calculation, and extended gate techniques.

08 Advanced

Full Chain & Detection

Complete execution flow, EDR detection vectors, ETW syscall telemetry, and kernel callbacks.

References & Resources