Detailed walkthrough of the Halo's Gate syscall resolution algorithm as implemented in Sysplant.

Halo's Gate

Origin: @Sektor7net — 2021
Default method: direct


Principle

Halo's Gate extends Hell's Gate with a neighbour-walk recovery strategy. If the target function's stub has been overwritten with a JMP hook at its first byte, Halo's Gate looks at adjacent stubs in memory to find a clean one and derives the original SSN from it.

The key insight: Windows assigns SSNs to syscalls in ascending order of function address. Stubs for adjacent Nt* functions are laid out sequentially in memory at fixed intervals. A clean neighbour stub at distance ±N (in memory) has an SSN of target_SSN ± N.


Algorithm (from source)

The initial export-directory enumeration and byte-scan are identical to Hell's Gate. The difference activates when a JMP hook is detected:

JMP detection

At the current scan offset cw inside the function, Halo's Gate checks:

if (*((PBYTE)FunctionAddress + cw) == 0xe9)   // E9 = JMP rel32

Neighbour walk

If a JMP is detected, the code searches up to MAX_STEPS = 200 neighbours in both directions:

for (int index = 1; index <= MAX_STEPS; index++) {
    // Check neighbour at +index stubs (DOWN)
    ssn = isClean(FunctionAddress, cw, +index);
    if (ssn > -1) break;

    // Check neighbour at -index stubs (UP)
    ssn = isClean(FunctionAddress, cw, -index);
    if (ssn > -1) break;
}

SSN derivation from neighbour

isClean with a step argument reads the byte pattern at FunctionAddress + cw + (step * STEP_SIZE). If the expected opcodes are found, it subtracts the step from the encoded SSN to recover the original:

return ((high << 8) | low) - step;

For example, if the immediate above neighbour (step = −1) has SSN 42, then the hooked target has SSN 41.

Stop conditions

The same stop conditions as Hell's Gate apply: 0x0F 0x05 (syscall) or 0xC3 (ret) end the scan.


Limitation

Halo's Gate only detects a hook when the byte at the current scan offset cw is 0xE9, i.e. when the JMP replaces the stub's first instruction. If an EDR places the JMP at a different position (e.g. after MOV R10, RCX, at byte offset 3), the hook check never triggers, the neighbour walk never runs, and Halo's Gate behaves exactly like Hell's Gate, with no recovery.

For hooks at the first or fourth byte, see Tartarus' Gate.
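To make the ±N arithmetic of the neighbour walk and the first-byte-only limitation concrete, the following is an added, self-contained C model; it is not Sysplant's code and it never touches ntdll.dll. It builds a constructed block of fake x64 stubs in a byte array with ascending SSNs, hooks one stub with an E9 at byte 0 and another at byte 3, and runs the neighbour walk over the block. STEP_SIZE = 32, NUM_STUBS, the stub byte layout, the SSN values and the boundary guard in is_clean are assumptions of the model (real memory has no such guard), and the scan offset cw is fixed at 0.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a block of Nt* syscall stubs; all values are assumptions. */
#define STEP_SIZE 32      /* assumed spacing between adjacent stubs */
#define NUM_STUBS 8
#define MAX_STEPS 200

static uint8_t stubs[NUM_STUBS * STEP_SIZE];

/* Write a clean x64 stub: mov r10,rcx ; mov eax,SSN ; syscall ; ret */
static void write_clean_stub(uint8_t *p, uint16_t ssn) {
    static const uint8_t prologue[] = {0x4C, 0x8B, 0xD1, 0xB8};
    memset(p, 0x90, STEP_SIZE);            /* pad the rest of the slot with NOPs */
    memcpy(p, prologue, sizeof prologue);
    p[4] = (uint8_t)(ssn & 0xFF);          /* low byte of the SSN immediate */
    p[5] = (uint8_t)(ssn >> 8);            /* high byte of the SSN immediate */
    p[6] = 0x00; p[7] = 0x00;
    p[8] = 0x0F; p[9] = 0x05;              /* syscall */
    p[10] = 0xC3;                          /* ret */
}

/* Simulate an inline hook: E9 JMP rel32 at the given byte offset
 * (0 = first instruction, 3 = after mov r10,rcx). The displacement value is irrelevant here. */
static void hook_stub(uint8_t *p, size_t offset) {
    p[offset] = 0xE9;
    memset(p + offset + 1, 0x00, 4);
}

/* Mirror of the isClean step logic: look at the stub `step` entries away from `index`
 * (cw fixed at 0). If it carries the clean prologue, return its encoded SSN minus step. */
static int is_clean(int index, int step) {
    int n = index + step;
    if (n < 0 || n >= NUM_STUBS) return -1;   /* model-only boundary guard */
    const uint8_t *p = stubs + (size_t)n * STEP_SIZE;
    if (p[0] == 0x4C && p[1] == 0x8B && p[2] == 0xD1 && p[3] == 0xB8 &&
        p[6] == 0x00 && p[7] == 0x00) {
        int high = p[5], low = p[4];
        return ((high << 8) | low) - step;
    }
    return -1;
}

/* Halo's Gate resolution for the stub at `index`. Returns the SSN, or -1 if unresolved. */
static int halos_gate(int index) {
    const uint8_t *fn = stubs + (size_t)index * STEP_SIZE;
    int ssn = is_clean(index, 0);
    if (ssn > -1) return ssn;                 /* clean stub: plain Hell's Gate result */
    if (fn[0] != 0xE9) return -1;             /* JMP not at byte 0: the walk never triggers */
    for (int i = 1; i <= MAX_STEPS; i++) {
        ssn = is_clean(index, +i);            /* neighbour at +i stubs (DOWN in memory) */
        if (ssn > -1) return ssn;
        ssn = is_clean(index, -i);            /* neighbour at -i stubs (UP in memory) */
        if (ssn > -1) return ssn;
    }
    return -1;
}

/* Build the sample block: SSNs 0x18..0x1F ascending by address,
 * stub 3 hooked at byte 0, stub 6 hooked at byte 3. */
static void build_sample(void) {
    for (int i = 0; i < NUM_STUBS; i++)
        write_clean_stub(stubs + (size_t)i * STEP_SIZE, (uint16_t)(0x18 + i));
    hook_stub(stubs + 3 * STEP_SIZE, 0);
    hook_stub(stubs + 6 * STEP_SIZE, 3);
}

int main(void) {
    build_sample();
    for (int i = 0; i < NUM_STUBS; i++)
        printf("stub %d: resolved SSN = %d\n", i, halos_gate(i));
    return 0;
}
```

Stub 3 resolves to 0x1B through its neighbour at +1 (SSN 0x1C minus 1), and the neighbour at −1 would give the same answer (0x1A minus −1). Stub 6, hooked at byte 3, is reported as unresolved because the E9 check at byte 0 never fires; that is the gap the Limitation section describes and the reason a stub-integrity check should compare the whole prologue, not only the first byte.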


When to use

  • Environments where common syscalls may be hooked at the first instruction, but adjacent stubs remain clean.
  • A good upgrade over Hell's Gate for more defended targets.
Copyright © 2026