SuperdEye - Stealthy Indirect Syscalls for AV/EDR Evasion in Go

SuperdEye - Stealthy Indirect Syscalls for AV/EDR Evasion in Go

SuperdEye is a powerful tool designed for bypassing antivirus (AV) and endpoint detection and response (EDR) solutions by leveraging indirect syscalls.

It is an implementation of HellHall (a revised version of TartarusGate) written in pure Go and Go Assembler. This guide will walk you through its purpose, usage, and functionality.

What Is SuperdEye?

SuperdEye scans hooked NTDLL functions to retrieve syscall numbers, enabling indirect syscalls. This approach allows developers to bypass hooks placed by AV/EDR solutions on sensitive functions, such as NtCreateThreadEx or NtAllocateVirtualMemory. By avoiding direct calls to hooked functions, SuperdEye helps evade detection mechanisms.

The project is inspired by TartarusGate (by trickster0), HellHall (by mrd0x and NUL0x4C), and other notable tools like BananaPhone and Acheron.

How Does It Work?

  1. Scanning Hooked NTDLL: SuperdEye scans the hooked NTDLL to locate the target function.

  2. Finding Clean Syscalls: If the target function is hooked, it scans neighboring memory regions above and below the function to find a clean syscall.

  3. Calculating the SSN: Once a clean syscall is identified, the system service number (SSN) is calculated.

  4. Constructing Indirect Syscalls: Using the SSN, an indirect syscall is constructed and executed.

This process ensures that syscalls bypass AV/EDR hooks effectively.

Getting Started with SuperdEye

SuperdEye provides an easy-to-use interface for implementing indirect syscalls in your Go projects. Below are instructions for importing the package and using its features.

Installation

To get started, import the SuperdEye package into your Go project:

import (

"fmt"

"unsafe"

"github.com/almounah/superdeye"

)

Using SuperSyscall

The SuperSyscall function allows you to execute indirect syscalls by specifying the target function name and its arguments.

Example: Executing NtCreateThreadEx

NTSTATUS, err := superdeye.SuperdSyscall(

    "NtCreateThreadEx",

    uintptr(unsafe.Pointer(&hThread)),

    uintptr(0x1FFFFF),

    uintptr(0),

    handleProcess,

    pBaseAddress,

    uintptr(0),

    uintptr(0),

    uintptr(0),

    uintptr(0),

    uintptr(0),

    uintptr(0),

)

if err != nil {

    fmt.Println("Syscall was not executed... Likely the Syscall was not found or a bug...")

    fmt.Println(err.Error())

} else {

    fmt.Println("Syscall NtCreateThreadEx made with NTSTATUS", NTSTATUS)

}

This example demonstrates how to use SuperSyscall to execute the NtCreateThreadEx function indirectly.

Pre-Wrapped Syscalls

For convenience, some syscalls are pre-wrapped in SuperdEye to ensure compatibility with the official golang.org/x/sys/windows package. For example:

Example: Allocating Virtual Memory with NtAllocateVirtualMemory

import (

"fmt"

"unsafe"

"github.com/almounah/superdeye"

"golang.org/x/sys/windows"

)

pBaseAddress, NTSTATUS, err := superdeye.NtAllocateVirtualMemory(

    windows.Handle(handleProcess),

    uintptr(0),

    uintptr(len(payloadClearText)),

    windows.MEM_COMMIT|windows.MEM_RESERVE,

    windows.PAGE_EXECUTE_READWRITE,

)

if err != nil {

    fmt.Println("Syscall was not executed... Likely the Syscall was not found or a bug...")

    fmt.Println(err.Error())

} else {

    fmt.Println("Syscall NtAllocateVirtualMemory made with NTSTATUS", NTSTATUS)

}

This example shows how to allocate virtual memory using an indirect syscall.

Similar Tools in Go

SuperdEye is part of a broader ecosystem of tools designed for syscall manipulation in Go:

  • BananaPhone: Implements a direct syscall approach similar to HellGate but does not scan neighboring memory regions.

  • Acheron: Uses a different strategy by scanning all NTDLL functions at initialization, sorting them by address, and calculating SSNs based on their index. Acheron performs indirect syscalls and is equivalent to SysWhisper3 in C/C++.

Why "SuperdEye"?

The name SuperdEye is inspired by the fictional Superd tribe from Mushoku Tensei. The tribe possesses a third eye that allows them to perceive mana undetectable by others. Similarly, SuperdEye "sees" syscall numbers hidden behind AV/EDR hooks and enables stealthy execution of indirect syscalls.

Contributing

The project welcomes contributions! Developers can extend functionality by adding more pre-wrapped syscalls in superdwrapper.go. Full examples are provided in the examples/ directory for reference.

By leveraging SuperdEye, you can enhance your understanding of low-level Windows internals while building advanced tools for research or development purposes. You can learn more and Download SuperdEye in GitHub.

Upgrade Your Cybersecurity Skills EHA: Learn 150+ Practical Cyber Security Courses Online With Life Time Access - Enroll Here

 

Back to blog