Hell's Gate

Detailed walkthrough of the Hell's Gate syscall resolution algorithm as implemented in Sysplant.

Origin: @RtlMateusz / @am0nsec — 2020
Default method: direct
Reference: github.com/am0nsec/HellsGate


Principle

Hell's Gate resolves syscall numbers by reading the opcode bytes of each Nt* function stub directly from the in-memory ntdll.dll. Every unhooked x64 Windows syscall stub starts with a fixed byte sequence that encodes the SSN:

mov r10, rcx     ; 4C 8B D1
mov eax, <SSN>   ; B8 [SSN_lo] [SSN_hi] 00 00
syscall          ; 0F 05
ret              ; C3

Bytes 4 and 5 of this sequence (the two low bytes of the imm32 operand of mov eax) hold the SSN in little-endian order; the two high bytes of the operand are always 00 00.


Algorithm (from source)

  1. Locate ntdll base — read PEB via GS:[0x60] (x64) or FS:[0x30] (x86), walk the module list to find ntdll.dll.
  2. Parse Export Directory — enumerate all named exports; for each, compute FunctionAddress = DllBase + RVA.
  3. Byte scan — for each function, walk forward byte-by-byte (offset cw starting at 0) and at each position check for the pattern:
    [cw+0] == 0x4C   (MOV R10)
    [cw+1] == 0x8B
    [cw+2] == 0xD1
    [cw+3] == 0xB8   (MOV EAX)
    [cw+6] == 0x00   (high word of imm32 = 0)
    [cw+7] == 0x00
    
  4. Extract SSN — if the pattern matches:
    BYTE high = *(FunctionAddress + 5 + cw);
    BYTE low  = *(FunctionAddress + 4 + cw);
    ssn = (high << 8) | low;
    
  5. Stop conditions — the scan stops if 0x0F 0x05 (syscall) or 0xC3 (ret) is encountered at the current offset; these mark the end of the stub.
  6. Store the entry — the SSN is used directly as the array index: Entries[ssn].Hash = hash and Entries[ssn].Address = FunctionAddress.

Limitation: hooks at the function start

If a hook replaces the first bytes with a JMP (E9 xx xx xx xx), the byte scan will either:

  • Fail to find the 4C 8B D1 B8 pattern (because it was overwritten), or
  • Walk until it hits a syscall (0F 05) or ret (C3) stop condition and give up.

Hell's Gate does not perform any neighbour-walk to recover the SSN from a nearby clean stub. It only scans within the bytes of the current function. In environments where targeted functions are hooked, this iterator will fail to resolve those functions.

For resilience against hooked stubs, see Halo's Gate or Tartarus' Gate.
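A Python model of steps 3 to 5 above, run over constructed stub bytes. It is an added example, not Sysplant's or the original Hell's Gate code, and the stub byte strings are constructed rather than captured from a real ntdll. It shows the clean case, a Windows 10 style stub with extra instructions between mov eax and syscall (the pattern still matches at cw=0), and the hooked-JMP case described above, where the scan runs into the stop condition and returns nothing, which is also what a defender checking a dumped stub against the documented prologue would see.

```python
from typing import Optional


def hells_gate_scan(stub: bytes) -> Optional[int]:
    """Walk the stub byte-by-byte as the Hell's Gate loop does and return the SSN,
    or None when syscall (0F 05) or ret (C3) is reached before the pattern.
    The real loop reads raw memory unbounded; this model stops at the end of
    the supplied bytes."""
    for cw in range(len(stub)):
        # Stop conditions: these bytes mark the end of the stub
        if stub[cw] == 0x0F and cw + 1 < len(stub) and stub[cw + 1] == 0x05:
            return None
        if stub[cw] == 0xC3:
            return None
        if cw + 7 >= len(stub):
            continue
        # 4C 8B D1 = mov r10, rcx ; B8 = mov eax, imm32 ; high word of imm32 must be 0
        if (stub[cw] == 0x4C and stub[cw + 1] == 0x8B and stub[cw + 2] == 0xD1
                and stub[cw + 3] == 0xB8 and stub[cw + 6] == 0x00 and stub[cw + 7] == 0x00):
            low = stub[cw + 4]
            high = stub[cw + 5]
            return (high << 8) | low
    return None


def make_stub(ssn: int) -> bytes:
    """Constructed x64 stub in the four-instruction layout shown on this page."""
    return bytes([0x4C, 0x8B, 0xD1, 0xB8]) + ssn.to_bytes(4, "little") + bytes([0x0F, 0x05, 0xC3])


# Constructed inputs (not captured from a real ntdll):
CLEAN_STUB = make_stub(0x0018)

# Windows 10 style layout: mov r10,rcx / mov eax,imm32 / test byte ptr [7FFE0308h],1 /
# jne +3 / syscall / ret / int 2Eh / ret. Extra bytes sit after the pattern, so it still matches.
WIN10_STYLE_STUB = (bytes([0x4C, 0x8B, 0xD1, 0xB8]) + (0x0036).to_bytes(4, "little")
                    + bytes([0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03,
                             0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3]))

# Hooked stub: the first five bytes are overwritten by JMP rel32 (E9 xx xx xx xx)
HOOKED_STUB = bytes([0xE9, 0x11, 0x22, 0x33, 0x44]) + CLEAN_STUB[5:]

if __name__ == "__main__":
    for name, stub in [("clean", CLEAN_STUB), ("win10", WIN10_STYLE_STUB), ("hooked", HOOKED_STUB)]:
        print(f"{name:7s} {stub.hex()} -> ssn={hells_gate_scan(stub)}")
```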


When to use

  • Simple, lightly-monitored environments where the specific syscalls you need are not hooked.
  • Learning and testing — Hell's Gate is the original and conceptually simplest gate.