This is just another implementation of Hell's Gate + Halo's Gate/Tartarus Gate.
It is aimed at EDRs that try to detect abnormal system calls, in particular a `syscall` instruction executing from outside NTDLL, and is likely to bypass some of them.
This combines elements of Hell's Gate (extracting syscall numbers, SSNs, from the NTDLL stubs) and Halo's Gate (reading the neighbouring stubs when the target stub is hooked, since the stubs are laid out 32 bytes apart with consecutive SSNs) to dynamically resolve and invoke NT syscalls.
The key evasion aspect is jumping to a recycled `syscall; ret` sequence inside NTDLL's loaded image, so the `syscall` instruction executes from NTDLL's address space. This sidesteps EDR hooks on the exported stubs (the hooked prologue is never executed) while avoiding an inline or direct `syscall` instruction in your own binary, which tools that detect direct syscalls (for example by checking whether the return address of a system call lies outside NTDLL) can flag.
I have made some changes to the logic and code to support compatibility.
Download RecycledGate PoC: Download
- thefLink for the original C implementation of RecycledGate
- Sektor7 for inventing and documenting Halo's Gate, on which this project is based
- @Am0nsec and @RtlMateusz for the original Hell's Gate implementation
- @0xBoku for inspiration and his Halo's Gate implementation
- @trickster012 for the implementation of Tartarus Gate
- @winternl_t for the excellent blog post on the detection of direct syscalls
