Tartarus Gate is a slick technique for direct syscall execution on Windows, used in malware and red team ops to evade antivirus and EDR (Endpoint Detection and Response) products. It's an upgrade over Hell's Gate and Halo's Gate, built to handle sneaky EDR inline hooks that intercept Windows API calls.
Windows syscalls (like NtAllocateVirtualMemory) are low-level functions in ntdll.dll that malware loves for stealth. But EDRs hook these functions, redirecting them to their own code to spot bad behavior. Tartarus Gate gets around this by:
Walking ntdll's Export Address Table (EAT) to find functions like NtWriteVirtualMemory by hashed name (djb2, so no hardcoded strings).
Checking the function's code for the syscall stub pattern: mov r10, rcx; mov eax, <SSN>.
If a function is hooked (a jmp / 0xE9 at byte 0 or byte 3), it looks 32 bytes up or down (the UP/DOWN constants) for an unhooked syscall stub and adjusts the SSN by the distance. Tartarus Gate adds the check for a hook at byte 3 (e.g., 4c 8b d1 e9), which Halo's Gate missed.
Using the recovered SSNs with small assembly routines (HellsGate and HellDescent) to call the kernel directly, skipping the hooked APIs.
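The stub checks described above, from the defender's side: an added example (not code from the original post or from trickster0's project) that classifies x64 syscall stub prologues the way a memory-integrity scanner would, flagging the byte-0 and byte-3 jmp hooks and pulling the SSN only from a clean stub. The sample stub bytes and SSN values are constructed for the example.

```python
# Added example, not from the original post or the Tartarus Gate project.
# Classifies the first bytes of an x64 ntdll syscall stub as clean or hooked.
import struct

MOV_R10_RCX = b"\x4c\x8b\xd1"   # mov r10, rcx
MOV_EAX_IMM = 0xB8              # mov eax, imm32 (the SSN)
JMP_REL32 = 0xE9                # jmp rel32, what an inline hook typically plants


def classify_stub(stub: bytes):
    """Return (status, ssn); status is 'clean', 'hooked@0', 'hooked@3' or 'unknown'."""
    if len(stub) < 8:
        return ("unknown", None)
    if stub[0] == JMP_REL32:                          # hook at byte 0 (Halo's Gate check)
        return ("hooked@0", None)
    if stub[:3] == MOV_R10_RCX and stub[3] == JMP_REL32:   # hook at byte 3 (Tartarus Gate check)
        return ("hooked@3", None)
    if stub[:3] == MOV_R10_RCX and stub[3] == MOV_EAX_IMM:
        ssn = struct.unpack_from("<I", stub, 4)[0]    # imm32 after b8 is the SSN
        return ("clean", ssn)
    return ("unknown", None)


def scan_stubs(stubs: dict) -> dict:
    """Classify every named stub; returns {name: (status, ssn)}."""
    return {name: classify_stub(b) for name, b in stubs.items()}


def hooked_names(stubs: dict) -> list:
    """Names of stubs whose prologue has been tampered with, sorted."""
    return sorted(n for n, (st, _) in scan_stubs(stubs).items() if st.startswith("hooked"))


# Constructed sample prologues; the SSNs and hook targets are made up for the example.
SAMPLE_STUBS = {
    "NtAllocateVirtualMemory": b"\x4c\x8b\xd1\xb8\x18\x00\x00\x00\xf6\x04\x25",
    "NtWriteVirtualMemory":    b"\xe9\x10\x20\x30\x40\x00\x00\x00\xf6\x04\x25",  # hooked at byte 0
    "NtProtectVirtualMemory":  b"\x4c\x8b\xd1\xe9\x10\x20\x30\x40\xf6\x04\x25",  # hooked at byte 3
}

if __name__ == "__main__":
    for name, (status, ssn) in scan_stubs(SAMPLE_STUBS).items():
        print(f"{name:26} {status:9} ssn={ssn}")
```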
trickster0: Created Tartarus Gate, evolving Halos Gate. Check GitHub for the full scoop.
Reenz0h: Halos Gate inspiration.
Paul Laîné & smelly__vx: Hells Gate OGs.
Written in Rust by @5mukx