Skip to main content

Overview

RecycledGate represents the most resilient SSN resolution technique available in SysWhispers4, combining the hook-resistant VA-sorting of FreshyCalls with opcode validation from Hell’s Gate. This dual-verification approach provides maximum confidence even in hostile environments.
Use RecycledGate when you need highest confidence in SSN accuracy without the performance cost of SyscallsFromDisk.

The Core Insight

RecycledGate asks: What if we could get the benefits of both approaches?
  • FreshyCalls: Works when hooks modify opcodes, but relies on export table accuracy
  • Hell’s Gate: Works when export table is clean, but fails on hooked opcodes
Solution: Use FreshyCalls as the primary source, Hell’s Gate as validation when possible:

Algorithm

Step-by-Step Process

1

Sort by Virtual Address (FreshyCalls)

Parse ntdll.dll export table and sort all Nt* functions by VA:
2

Check for Hooks (Pattern Detection)

Inspect the first few bytes of each stub for common EDR hook patterns:
3

Opcode Validation (When Clean)

If the stub appears unhoooked, read the SSN from opcodes:
4

Handle Edge Cases

For stubs that are hooked, rely solely on the VA-sort index:

Full Implementation

Advantages

Dual Verification

SSNs are cross-validated when possible, maximizing confidence in results

Hook Resistant

Works even if 100% of stubs are hooked — FreshyCalls provides fallback

Opcode Anomaly Detection

Detects discrepancies between VA-sort and opcodes (EDR tampering indicators)

Fast

Minimal overhead vs. FreshyCalls (~3-5ms vs. ~2ms) — much faster than SyscallsFromDisk

Use Cases

Scenario 1: Partially Hooked NTDLL

EDR hooks 20% of Nt* functions:
Result: All SSNs correct, 80% double-verified.

Scenario 2: Sophisticated EDR

EDR modifies export table and hooks stubs:
Result: Still works — FreshyCalls component is export-table-independent at the VA level.

Scenario 3: Clean NTDLL

No hooks present (testing, early-stage payload):

Performance Analysis

Performance impact is negligible — occurs once during SW4_Initialize(). Subsequent syscalls are full-speed.

Comparison with Alternatives

Limitations

Export Table Manipulation

If an EDR reorders the export directory RVAs to break VA-sorting (extremely rare — would break legitimate API resolution), RecycledGate is defeated:
Mitigation: Use SyscallsFromDisk, which maps clean ntdll from \KnownDlls\.

Opcode Pattern Changes

Future Windows versions may change the syscall stub prologue:
Impact: Opcode validation would fail, but FreshyCalls fallback ensures SSNs are still resolved.

When to Use RecycledGate

  • High-security targets with sophisticated EDRs
  • Verification-critical operations (privilege escalation, persistence)
  • Partial hook environments (maximizes validation coverage)
  • Performance-sensitive but paranoia-required contexts (faster than SyscallsFromDisk)
  • Anomaly detection desired — mismatch between VA/opcode signals tampering
  • CTF challenges — FreshyCalls is sufficient
  • Testing environments without EDR — Static resolution is faster
  • Sandboxed contexts — if KnownDlls blocked, no advantage over FreshyCalls

Usage in SysWhispers4

Generate with RecycledGate

Integration Example

Detection Considerations

Observable Behaviors

  1. Export table enumeration — common, not inherently suspicious
  2. Opcode reading — may trigger memory scanning alerts
  3. Hook detection logic — pattern matching via byte checks

EDR Visibility

Best Practices

1

Combine with indirect invocation

Keep RIP inside ntdll during syscalls:
2

Enable obfuscation

Randomize stub order and inject junk instructions:
3

Use ntdll unhooking

Remove hooks before RecycledGate runs:

Further Reading

FreshyCalls

The VA-sorting technique at RecycledGate’s core

Hell's Gate

Opcode reading technique used for validation

SyscallsFromDisk

Alternative when export table tampering suspected

Original Research

RecycledGate by thefLink