Overview
RecycledGate represents the most resilient SSN resolution technique available in SysWhispers4, combining the hook-resistant VA-sorting of FreshyCalls with opcode validation from Hell’s Gate. This dual-verification approach provides maximum confidence even in hostile environments.The Core Insight
RecycledGate asks: What if we could get the benefits of both approaches?- FreshyCalls: Works when hooks modify opcodes, but relies on export table accuracy
- Hell’s Gate: Works when export table is clean, but fails on hooked opcodes
Algorithm
Step-by-Step Process
1
Sort by Virtual Address (FreshyCalls)
Parse
ntdll.dll export table and sort all Nt* functions by VA:2
Check for Hooks (Pattern Detection)
Inspect the first few bytes of each stub for common EDR hook patterns:
3
Opcode Validation (When Clean)
If the stub appears unhoooked, read the SSN from opcodes:
4
Handle Edge Cases
For stubs that are hooked, rely solely on the VA-sort index:
Full Implementation
Advantages
Dual Verification
SSNs are cross-validated when possible, maximizing confidence in results
Hook Resistant
Works even if 100% of stubs are hooked — FreshyCalls provides fallback
Opcode Anomaly Detection
Detects discrepancies between VA-sort and opcodes (EDR tampering indicators)
Fast
Minimal overhead vs. FreshyCalls (~3-5ms vs. ~2ms) — much faster than SyscallsFromDisk
Use Cases
Scenario 1: Partially Hooked NTDLL
EDR hooks 20% ofNt* functions:
Scenario 2: Sophisticated EDR
EDR modifies export table and hooks stubs:Scenario 3: Clean NTDLL
No hooks present (testing, early-stage payload):Performance Analysis
Performance impact is negligible — occurs once during
SW4_Initialize(). Subsequent syscalls are full-speed.Comparison with Alternatives
Limitations
Export Table Manipulation
If an EDR reorders the export directory RVAs to break VA-sorting (extremely rare — would break legitimate API resolution), RecycledGate is defeated:\KnownDlls\.
Opcode Pattern Changes
Future Windows versions may change the syscall stub prologue:When to Use RecycledGate
Ideal Scenarios
Ideal Scenarios
- High-security targets with sophisticated EDRs
- Verification-critical operations (privilege escalation, persistence)
- Partial hook environments (maximizes validation coverage)
- Performance-sensitive but paranoia-required contexts (faster than SyscallsFromDisk)
- Anomaly detection desired — mismatch between VA/opcode signals tampering
Overkill For
Overkill For
- CTF challenges — FreshyCalls is sufficient
- Testing environments without EDR — Static resolution is faster
- Sandboxed contexts — if KnownDlls blocked, no advantage over FreshyCalls
Usage in SysWhispers4
Generate with RecycledGate
Integration Example
Detection Considerations
Observable Behaviors
- Export table enumeration — common, not inherently suspicious
- Opcode reading — may trigger memory scanning alerts
- Hook detection logic — pattern matching via byte checks
EDR Visibility
Best Practices
1
Combine with indirect invocation
Keep RIP inside ntdll during syscalls:
2
Enable obfuscation
Randomize stub order and inject junk instructions:
3
Use ntdll unhooking
Remove hooks before RecycledGate runs:
Further Reading
FreshyCalls
The VA-sorting technique at RecycledGate’s core
Hell's Gate
Opcode reading technique used for validation
SyscallsFromDisk
Alternative when export table tampering suspected
Original Research
RecycledGate by thefLink
