Tartarus' Gate
Origin: @trickster0 — 2021
Default method: direct
Principle
Tartarus' Gate is a direct extension of Halo's Gate. It activates the neighbour-walk on a wider set of hook patterns: a JMP at the first byte or the fourth byte of the stub.
The fourth byte is the start of the MOV EAX, SSN instruction (B8 xx xx 00 00). An EDR can place its hook there to overwrite the SSN bytes while leaving MOV R10, RCX intact.
Algorithm (from source)
All steps are identical to Halo's Gate except the hook-detection condition:
Halo (single check)
if (*((PBYTE)FunctionAddress + cw) == 0xe9)
Tartarus (dual check)
if ((*((PBYTE)FunctionAddress + cw) == 0xe9) ||
(*((PBYTE)FunctionAddress + 3 + cw) == 0xe9))
The additional check at +3 catches hooks placed after the 3-byte MOV R10, RCX prefix.
Once the hook is detected (by either condition), the neighbour-walk proceeds identically to Halo's Gate: up to MAX_STEPS = 200 neighbours are scanned in both directions, and the SSN is derived from the clean neighbour's encoded value minus the step offset.
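As an added example (not code from the original page or from @trickster0's source), the routine below applies the dual-position check to stub bytes the way a defender would verify ntdll stub integrity in a memory snapshot: it flags a JMP at byte 0 or byte 3 and only decodes the SSN when the expected MOV R10,RCX / MOV EAX,imm32 prologue is intact. The sample stubs and the SSN value 0x18 are constructed for the demonstration, not taken from any particular build.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdict for one x64 ntdll syscall stub. */
typedef enum { STUB_CLEAN = 0, STUB_HOOK_AT_0 = 1, STUB_HOOK_AT_3 = 2, STUB_UNKNOWN = 3 } stub_state;

/* Tartarus' Gate condition: JMP rel32 (0xE9) at byte 0 or at byte 3 (after 4C 8B D1).
 * On a clean stub the SSN is the low 16 bits of the MOV EAX imm32 at bytes 4..7. */
stub_state classify_stub(const uint8_t *stub, size_t len, uint16_t *ssn_out) {
    static const uint8_t prologue[] = {0x4C, 0x8B, 0xD1, 0xB8}; /* mov r10,rcx ; mov eax, */
    if (len < 8) return STUB_UNKNOWN;
    if (stub[0] == 0xE9) return STUB_HOOK_AT_0;          /* hook overwrote the whole prefix */
    if (stub[3] == 0xE9) return STUB_HOOK_AT_3;          /* hook overwrote MOV EAX, SSN only */
    if (memcmp(stub, prologue, sizeof prologue) != 0 || stub[6] != 0x00 || stub[7] != 0x00)
        return STUB_UNKNOWN;                             /* not a pattern this check understands */
    if (ssn_out) *ssn_out = (uint16_t)(stub[4] | (stub[5] << 8));
    return STUB_CLEAN;
}

/* Constructed samples (not from a real ntdll): clean stub with SSN 0x0018, then the two hook shapes. */
static const uint8_t CLEAN_STUB[] = {0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3};
static const uint8_t HOOK0_STUB[] = {0xE9, 0x11, 0x22, 0x33, 0x44, 0x00, 0x00, 0x00, 0x0F, 0x05, 0xC3};
static const uint8_t HOOK3_STUB[] = {0x4C, 0x8B, 0xD1, 0xE9, 0x11, 0x22, 0x33, 0x44, 0x0F, 0x05, 0xC3};

/* SSN recovered from the clean sample; used by the demonstration below. */
uint16_t clean_sample_ssn(void) {
    uint16_t ssn = 0;
    classify_stub(CLEAN_STUB, sizeof CLEAN_STUB, &ssn);
    return ssn;
}

int main(void) {
    static const char *names[] = {"clean", "hooked@0", "hooked@3", "unknown"};
    printf("clean  : %s (SSN 0x%04X)\n", names[classify_stub(CLEAN_STUB, sizeof CLEAN_STUB, NULL)], clean_sample_ssn());
    printf("hook@0 : %s\n", names[classify_stub(HOOK0_STUB, sizeof HOOK0_STUB, NULL)]);
    printf("hook@3 : %s\n", names[classify_stub(HOOK3_STUB, sizeof HOOK3_STUB, NULL)]);
    return 0;
}
```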
Limitation
The dual-position check covers two hook placements (byte 0 and byte 3). Hooks inserted at other offsets — or more exotic patching techniques — are not handled by this check.
When to use
- Environments where you suspect hooks may be installed at either the first or the fourth byte of ntdll stubs.
- A drop-in upgrade over Halo's Gate for the same performance cost.