v0.13.0
- **True Direct Syscall Engine:** Replaced the previous "Tartarus Gate" implementation (direct `ntdll.dll` export invocation) with a true direct syscall engine for both x64 and ARM64.
  - The injector now resolves syscall numbers (SSNs) at runtime by sorting the `Zw*` entries of the `ntdll.dll` export table by address and taking each function's rank as its SSN. The notes call this "Hell's Gate"; strictly, Hell's Gate reads the SSN out of the stub's `mov eax, imm32`, whereas address sorting is the SysWhispers2/FreshyCalls approach. The sorting variant has the practical advantage that it never reads stub bytes, so an inline hook that has overwritten the stub's first instructions cannot corrupt the result.
  - It then locates the executable `syscall` (x64) or `svc` (ARM64) instruction inside the function body and transfers control directly to it, skipping the function prologue and any user-land inline hooks placed by EDR/AV solutions. This evades user-mode hooks only; kernel-side telemetry (ETW Threat Intelligence, kernel callbacks) still observes the call.
  - A custom assembly trampoline (`syscall_trampoline_x64.asm` and `syscall_trampoline_arm64.asm`) was created for each architecture to marshal arguments from the C calling convention to the kernel's syscall convention, including full support for stack-based arguments (everything beyond the register-passed arguments, e.g. the fifth and later arguments on x64).
  - This change significantly increases the tool's stealth and resilience against user-mode security monitoring.
- **Post-Injection Memory Hardening:** After the payload DLL is written to the memory allocated in the target process, the region's protection is now explicitly changed from `PAGE_EXECUTE_READWRITE` to `PAGE_EXECUTE_READ` with a direct syscall to `NtProtectVirtualMemory`. Writable-and-executable (RWX) regions are a common memory-scan indicator for Endpoint Detection and Response (EDR) solutions, so dropping the write bit lowers the region's suspiciousness and removes a writable code page from the injected process. Note that the allocation itself is still made RWX before the change, so allocation-time telemetry still sees an RWX request; allocating as read-write, writing the payload, and only then switching to `PAGE_EXECUTE_READ` would avoid the region ever being RWX.
- **Headless Browser Auto-Launch:** When the `--start-browser` option is used, the injector now launches the target browser (Chrome, Brave, Edge) in headless mode, so no visible browser window appears during the operation. This reduces the chance of the user noticing the activity and improves operational stealth.
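The two resolution steps in the direct syscall item above, address-sorted SSN lookup and locating the `syscall`/`svc` gadget inside a stub body, as an added, self-contained example. This is not the project's own code; it reproduces the technique over constructed data (an invented export table with made-up RVAs, and hand-assembled x64/ARM64 stub bytes) so it runs on any platform without touching a real `ntdll.dll`. The hooked x64 stub shows why address sorting survives an inline hook: the `jmp` overwrites the byte that held the SSN, yet both the SSN and the gadget offset are still recovered.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One entry of ntdll's export table: export name and the RVA of its code.
 * In a real resolver these come from IMAGE_EXPORT_DIRECTORY. Here they are
 * CONSTRUCTED sample data: RVAs are invented, only their order matters. */
typedef struct {
    const char *name;
    uint32_t    rva;
} export_entry;

static int cmp_by_rva(const void *a, const void *b)
{
    uint32_t x = ((const export_entry *)a)->rva, y = ((const export_entry *)b)->rva;
    return (x > y) - (x < y);
}

/* Address-sorted SSN resolution: ntdll lays its syscall stubs out in SSN
 * order with a fixed stub size, so a Zw* export's rank when sorted by
 * address is its syscall number. Only Zw* names are used because the Nt*
 * names alias the very same stubs and would double-count. Stub bytes are
 * never read, so an inline hook cannot corrupt the result.
 * Returns the SSN, or -1 if zw_name is not a Zw* export in the table. */
int resolve_ssn(const export_entry *exports, size_t count, const char *zw_name)
{
    export_entry *zw = malloc(count * sizeof *zw);
    if (!zw) return -1;
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        if (strncmp(exports[i].name, "Zw", 2) == 0)
            zw[n++] = exports[i];
    qsort(zw, n, sizeof *zw, cmp_by_rva);
    int ssn = -1;
    for (size_t i = 0; i < n; i++)
        if (strcmp(zw[i].name, zw_name) == 0) { ssn = (int)i; break; }
    free(zw);
    return ssn;
}

/* Locate the kernel-transition instruction inside a stub body, skipping
 * whatever precedes it (the prologue, or an EDR's jmp hook).
 *   x64:   0F 05 (syscall) immediately followed by C3 (ret)
 *   ARM64: svc #imm16 = 0xD4000001 | imm16 << 5, little-endian, 4-aligned
 * Returns the byte offset of the gadget, or -1 if the body has none. */
long find_syscall_gadget(const uint8_t *stub, size_t len, int arm64)
{
    if (arm64) {
        for (size_t off = 0; off + 4 <= len; off += 4) {
            uint32_t insn = (uint32_t)stub[off] | (uint32_t)stub[off + 1] << 8 |
                            (uint32_t)stub[off + 2] << 16 | (uint32_t)stub[off + 3] << 24;
            if ((insn & 0xFFE0001Fu) == 0xD4000001u) return (long)off;
        }
    } else {
        for (size_t off = 0; off + 3 <= len; off++)
            if (stub[off] == 0x0F && stub[off + 1] == 0x05 && stub[off + 2] == 0xC3)
                return (long)off;
    }
    return -1;
}

/* Constructed export table: deliberately out of address order and mixed with
 * non-syscall exports and an Nt* alias. The ranks are valid for this toy
 * table only and are not real Windows SSNs. */
static const export_entry sample_exports[] = {
    { "RtlAllocateHeap",         0x0002A1F0 },
    { "ZwClose",                 0x0009C1E0 },  /* rank 3 */
    { "NtOpenProcess",           0x0009C200 },  /* alias of ZwOpenProcess, skipped */
    { "ZwAccessCheck",           0x0009C000 },  /* rank 0 */
    { "ZwAllocateVirtualMemory", 0x0009C220 },  /* rank 5 */
    { "ZwOpenProcess",           0x0009C200 },  /* rank 4 */
    { "ZwWaitForSingleObject",   0x0009C080 },  /* rank 1 */
    { "ZwReadFile",              0x0009C0C0 },  /* rank 2 */
    { "LdrLoadDll",              0x00031A00 },
};

/* x64 stub as shipped: mov r10,rcx; mov eax,0x18; test [7FFE0308],1; jne +3;
 * syscall; ret; int 2Eh; ret.  The syscall sits at offset 18. */
static const uint8_t x64_clean_stub[] = {
    0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03,
    0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3 };

/* Same stub after an inline hook: the first 5 bytes became "jmp rel32",
 * destroying the SSN byte (0x18) that Hell's Gate would have read. */
static const uint8_t x64_hooked_stub[] = {
    0xE9, 0x11, 0x22, 0x33, 0x44, 0x00, 0x00, 0x00,
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03,
    0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3 };

/* ARM64 stub: svc #0x18 (0xD4000301) ; ret (0xD65F03C0), little-endian. */
static const uint8_t arm64_stub[] = { 0x01, 0x03, 0x00, 0xD4, 0xC0, 0x03, 0x5F, 0xD6 };

int main(void)
{
    size_t n = sizeof sample_exports / sizeof *sample_exports;
    printf("ZwAllocateVirtualMemory -> SSN %d\n", resolve_ssn(sample_exports, n, "ZwAllocateVirtualMemory"));
    printf("x64 clean  syscall gadget @ +%ld\n", find_syscall_gadget(x64_clean_stub, sizeof x64_clean_stub, 0));
    printf("x64 hooked syscall gadget @ +%ld\n", find_syscall_gadget(x64_hooked_stub, sizeof x64_hooked_stub, 0));
    printf("arm64 svc gadget @ +%ld\n", find_syscall_gadget(arm64_stub, sizeof arm64_stub, 1));
    return 0;
}
```

In a real resolver the `export_entry` array is built by walking the export directory of the loaded `ntdll.dll` image, and the gadget offset is added to the function's address to form the jump target for the trampoline; everything after that point is what the assembly trampoline in the release note does.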