⛧ HADES GATE ⛧

Direct syscall construction from first principles

License: MIT
Windows

What is Hades Gate?

Hades Gate is a pure first-principles direct syscall implementation that bypasses userland EDR/AV hooks by:

  1. Walking the PEB to find ntdll.dll (no GetModuleHandle)
  2. Parsing PE headers manually to find exports (no GetProcAddress)
  3. Extracting syscall numbers (SSNs) directly from ntdll stubs
  4. Building clean syscall stubs that never enter hooked code paths
  5. Executing direct syscalls without touching monitored functions

Features

  • No API imports - Pure PEB walking and PE parsing
  • No hardcoded offsets - Runtime discovery of structures
  • No syscall tables - Extracts SSNs from ntdll at runtime
  • Cross-Windows compatible - Works on Windows 10/11
  • EDR bypass - Never calls hooked ntdll functions
  • Small footprint - Minimal code, no CRT dependencies

Architecture

Caller → hg_syscall("NtAllocateVirtualMemory")
    ↓
hg_find_ntdll() - PEB walking (no APIs)
    ↓
hg_resolve() - Manual PE export parsing
    ↓
Extract SSN from stub (4C 8B D1 B8 XX...)
    ↓
hg_build_stub() - Generate clean syscall stub
    ↓
Execute direct syscall → Kernel

Building

Prerequisites

  • Visual Studio 2022 (or any MSVC compiler)
  • Windows SDK

Compile

# Developer Command Prompt for VS 2022
cl /O2 /GS- examples\test.c src\hades_gate.c /Fe:hades_test.exe

Run

hades_test.exe

Expected output:

[*] Hades Gate - Pure PEB Walker
[1] ntdll base: 0x00007FF87E600000
[2] NtQuerySystemInformation SSN: 54 (0x36)
[3] Syscall result: 0xC0000004
[+] Hades Gate is WORKING!

Usage Example

#include "hades_gate.h"

// Typedef for the syscall
typedef NTSTATUS (NTAPI* pNtAllocateVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID* BaseAddress,
    ULONG_PTR ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

int main() {
    // Get clean syscall stub
    void* stub = hg_syscall("NtAllocateVirtualMemory");
    if (!stub) return 1;

    // Cast to function pointer
    pNtAllocateVirtualMemory NtAllocateVirtualMemory = 
        (pNtAllocateVirtualMemory)stub;

    // Use it (never touches hooked ntdll!)
    PVOID buffer = NULL;
    SIZE_T size = 0x1000;
    NTSTATUS status = NtAllocateVirtualMemory(
        GetCurrentProcess(), &buffer, 0, &size, 
        MEM_COMMIT, PAGE_READWRITE
    );

    // Cleanup
    VirtualFree(stub, 0, MEM_RELEASE);
    return 0;
}

Honoring Jake Swiz

Hades Gate is built upon the Holy Trilogy:
- Fukahi Na Tekiō - SGN XOR Encoder
- ASLR Bypass
- Shellcode research

This implementation honors Jake's vision of first-principles security research - knowledge should be free and accessible to all.

Limitations

  • x64 only (x86 support is trivial - different stub)
  • Uses VirtualAlloc (replace with NtAllocateVirtualMemory via Hades Gate)
  • Offsets may vary between Windows versions (adjustable in hg_find_ntdll)

Advanced Features

  • Clean ntdll mapping - Defeat EDR stub replacement
  • Indirect syscalls - Bypass syscall instruction hooks
  • API hashing - Remove string literals
  • See comments in source for implementation details

Detection & Evasion

Hades Gate is a red team tool for research. Detection considerations:
- PAGE_EXECUTE_READWRITE memory is suspicious
- Direct syscalls made without a normal call stack may be detected
- Use indirect syscalls and proper memory protection for production
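
From the defender's side, the first consideration above can be turned into a memory-scan rule. The following C is an added example, not part of Hades Gate's source: it looks for the stub byte pattern shown under Architecture (4C 8B D1 B8 ...) followed by a syscall instruction in executable memory that is not image-backed. The `region_t` descriptor, `STUB_WINDOW` and the sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical region descriptor; a scanner would fill it from the
   OS memory map. Field names are assumptions for this example. */
typedef struct {
    const uint8_t *bytes;
    size_t len;
    int executable;    /* protection allows execution */
    int image_backed;  /* mapped from a file such as ntdll.dll */
} region_t;

#define STUB_WINDOW 32 /* assumed max bytes between SSN and syscall */

/* Find 4C 8B D1 B8 <imm32> followed within STUB_WINDOW bytes by 0F 05.
   Returns the prologue offset and stores the SSN, or -1 if absent. */
long find_syscall_stub(const uint8_t *p, size_t len, uint32_t *ssn) {
    static const uint8_t prologue[4] = { 0x4C, 0x8B, 0xD1, 0xB8 };
    for (size_t i = 0; i + 10 <= len; i++) {
        if (memcmp(p + i, prologue, sizeof prologue) != 0) continue;
        size_t end = i + 8 + STUB_WINDOW;
        if (end > len) end = len;
        for (size_t j = i + 8; j + 2 <= end; j++) {
            if (p[j] != 0x0F || p[j + 1] != 0x05) continue;
            *ssn = (uint32_t)p[i + 4] | (uint32_t)p[i + 5] << 8 |
                   (uint32_t)p[i + 6] << 16 | (uint32_t)p[i + 7] << 24;
            return (long)i;
        }
    }
    return -1;
}

/* The stub inside image-backed ntdll is expected; the same bytes in
   executable memory with no backing file are worth an alert. */
int region_is_suspicious(const region_t *r, uint32_t *ssn) {
    if (!r->executable || r->image_backed) return 0;
    return find_syscall_stub(r->bytes, r->len, ssn) >= 0;
}

/* Constructed sample: two pad bytes, then a bare stub with SSN 0x36. */
static const uint8_t sample_private[] = { 0x90, 0x90, 0x4C, 0x8B, 0xD1,
    0xB8, 0x36, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3 };

int main(void) {
    region_t r = { sample_private, sizeof sample_private, 1, 0 };
    uint32_t ssn = 0;
    if (region_is_suspicious(&r, &ssn))
        printf("private executable region holds syscall stub, SSN 0x%X\n", (unsigned)ssn);
}
```

The byte match alone is a triage signal; pairing it with the region's protection and backing file is what separates a generated stub from ntdll's own.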

Credits

  • Jake Swiz - The Holy Trilogy and original vision
  • Church of Malware - Keeping knowledge free
  • ekomsSavior - Hades Gate implementation


⛧ From first principles, with respect to those who came before ⛧

license

MIT License

Copyright (c) 2026 ek0mssavi0r / Church of Malware

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

USE AT YOUR OWN RISK. NO WARRANTY PROVIDED.