Direct Syscall library for Zig. Implements Hell's Gate, TartarusGate, and Hell's Hall for dynamic SSN resolution and EDR bypass.

Hiroki6/zcircuit

zcircuit

Short-circuiting the Windows API for direct syscall execution.

This is a Zig library for direct syscall execution: it resolves System Service Numbers (SSNs) dynamically at runtime and issues the syscalls either directly or through syscall instructions located in legitimate ntdll memory.

Read the technical deep dive on the implementation here.

Features

  • Hell's Gate: Dynamic SSN resolution by parsing ntdll.dll Export Address Table.
  • TartarusGate: Neighboring syscall analysis to recover SSNs when a target function is hooked.
  • Hell's Hall: Indirect syscall execution by searching for clean syscall; ret gadgets in ntdll memory to bypass instruction-level monitoring.
  • Comptime Stealth (CRC32 hashing): Function names are hashed at compile time with a user-configurable seed, so no sensitive strings remain in the binary.
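The three techniques above look different from the kernel's side of the trap, which is where a sensor that does not rely on user-mode hooks observes them. The following added example (not zcircuit code, and not any vendor's detection logic) models that view with a constructed picture of ntdll: every Nt* stub has a start address and the SSN it was compiled with, and each syscall event records the SSN in EAX plus the address of the `syscall` instruction that trapped. A `syscall` outside ntdll is a direct call (Hell's Gate or TartarusGate); a `syscall` inside ntdll whose SSN does not match the stub it sits in is a borrowed `syscall; ret` gadget (Hell's Hall). The stub table, text-section bounds, PIDs and caller address are all constructed; the stub starts were chosen so that each `syscall` instruction lands on the "Base" values in the sample run further down.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed picture of a loaded ntdll.dll. Real values come from the process's
# module list and from reading the stub bytes; nothing here is authoritative for
# any particular Windows build.
NTDLL_TEXT_START = 0x7FFE44101000
NTDLL_TEXT_END = 0x7FFE44240000
STUB_LEN = 0x20        # x64 ntdll places Nt* stubs 32 bytes apart
SYSCALL_OFFSET = 0x12  # offset of `syscall` inside an unmodified stub


@dataclass(frozen=True)
class Stub:
    name: str
    ssn: int    # SSN the stub loads into EAX
    start: int  # first byte of the stub

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + STUB_LEN


# Constructed stub table (four of the hundreds of real stubs).
STUBS = [
    Stub("NtWaitForSingleObject", 0x04, 0x7FFE4410D710),
    Stub("NtAllocateVirtualMemory", 0x18, 0x7FFE4410D990),
    Stub("NtProtectVirtualMemory", 0x50, 0x7FFE4410E090),
    Stub("NtCreateThreadEx", 0xC2, 0x7FFE4410EEC0),
]


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    ssn: int          # value of EAX when the syscall trapped
    syscall_rip: int  # address of the `syscall` instruction itself


def stub_at(addr: int) -> Optional[Stub]:
    """Return the stub whose bytes cover addr, if any."""
    for stub in STUBS:
        if stub.contains(addr):
            return stub
    return None


def classify(ev: SyscallEvent) -> str:
    """Label one trap by comparing where it came from with the SSN it carried."""
    if not (NTDLL_TEXT_START <= ev.syscall_rip < NTDLL_TEXT_END):
        # Hell's Gate / TartarusGate: the SSN was read out of ntdll, but the
        # `syscall` instruction executed from the caller's own memory.
        return "direct_syscall"
    stub = stub_at(ev.syscall_rip)
    if stub is None:
        return "unknown_ntdll_location"
    if stub.ssn == ev.ssn:
        return "ntdll_stub"
    # Hell's Hall: a `syscall; ret` borrowed from a different stub, so the SSN in
    # EAX does not belong to the stub the instruction sits in.
    return f"indirect_syscall_via_{stub.name}"


# Constructed events: one ordinary call, one per technique, one outlier.
SAMPLE_EVENTS = [
    SyscallEvent(4120, 0x18, 0x7FFE4410D990 + SYSCALL_OFFSET),  # NtAllocate via its own stub
    SyscallEvent(4120, 0x18, 0x00007FF6A0012345),               # same SSN, caller's .text
    SyscallEvent(4120, 0x50, 0x7FFE4410D990 + SYSCALL_OFFSET),  # NtProtect SSN, NtAllocate's gadget
    SyscallEvent(4120, 0xC2, 0x7FFE44180000),                   # inside ntdll, no known stub
]


def triage(events: List[SyscallEvent]) -> List[str]:
    return [classify(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"pid={ev.pid} ssn={ev.ssn:#04x} rip={ev.syscall_rip:#x} -> {verdict}")
```

Two caveats follow from the model. The trap-side instruction address is only available to a kernel component (a callback or ETW-TI style feed); a user-mode hook has already been bypassed by the time any of these techniques runs. And the SSN-to-stub comparison only catches a borrowed gadget: if the `syscall; ret` chosen sits inside the stub of the very function being called, the event is indistinguishable from an ordinary call, so a real sensor pairs this check with the return address and the calling module.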

Quick Start

Installation

Add zcircuit to your build.zig.zon:

zig fetch --save git+https://github.com/Hiroki6/zcircuit

Then in your build.zig:

const zcircuit = b.dependency("zcircuit", .{});
exe.root_module.addImport("zcircuit", zcircuit.module("zcircuit"));

Example Usage

const std = @import("std");
const zc = @import("zcircuit");

pub fn main() !void {
    // Initialize with custom seed for compile-time string hashing
    const MyCircuit = zc.Zcircuit(.{ .seed = 0xABCD1234 });
    var circuit = try MyCircuit.init();

    // Resolve syscall by name
    const nt_allocate_virtual_memory = circuit.getSyscall("NtAllocateVirtualMemory", .{}) orelse return;

    // Arguments for NtAllocateVirtualMemory, declared here so the snippet compiles:
    // allocate one page in the current process and let the kernel pick the base address.
    const process_handle = std.os.windows.self_process_handle;
    var base_addr: ?*anyopaque = null;
    var size: usize = 4096;

    const status = nt_allocate_virtual_memory.call(.{
        process_handle,
        &base_addr,
        0,
        &size,
        0x3000, // MEM_COMMIT | MEM_RESERVE
        0x04,   // PAGE_READWRITE
    });

    if (status == std.os.windows.NTSTATUS.SUCCESS) {
        std.debug.print("[+] Memory allocated at: 0x{x}\n", .{@intFromPtr(base_addr)});
    }
}

For a complete example, see the example directory.

> inject_shellcode.exe
[+] Resolved NtAllocateVirtualMemory -> SSN: 0x18, Base: 0x7FFE4410D9A2
[+] Memory allocated at: 0x26afad10000
[+] Resolved NtProtectVirtualMemory -> SSN: 0x50, Base: 0x7FFE4410E0A2
[+] Memory protected!
[+] Resolved NtCreateThreadEx -> SSN: 0xC2, Base: 0x7FFE4410EED2
[+] Thread created!
[+] Resolved NtWaitForSingleObject -> SSN: 0x04, Base: 0x7FFE4410D722
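The sample run above is the classic allocate, re-protect, create-thread, wait sequence, and that behavioural shape survives no matter how the SSN was obtained or which `syscall` instruction was used. The following added example (not part of the zcircuit project) runs a small detection over constructed syscall telemetry that mirrors that run: it tracks each region a process allocates as non-executable, notes when the region is later flipped to an executable protection, and alerts when a new thread starts inside such a region. The log format, PIDs, sizes and the second process are constructed; the allocation address is the one printed above.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed telemetry shaped after the README's sample run, plus a second
# process that allocates writable memory but never makes it executable.
# Not real sensor output; field names are invented for this example.
SAMPLE_LOG = """\
ts=1 pid=4120 syscall=NtAllocateVirtualMemory base=0x26afad10000 size=0x1000 protect=0x04
ts=2 pid=4120 syscall=NtProtectVirtualMemory base=0x26afad10000 size=0x1000 protect=0x20
ts=3 pid=4120 syscall=NtCreateThreadEx start=0x26afad10100
ts=4 pid=4120 syscall=NtWaitForSingleObject
ts=5 pid=7788 syscall=NtAllocateVirtualMemory base=0x1f000000 size=0x10000 protect=0x04
ts=6 pid=7788 syscall=NtCreateThreadEx start=0x7ff6a0001000
"""

# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value telemetry line into a dict."""
    return dict(FIELD_RE.findall(line))


def to_int(text: str) -> int:
    return int(text, 16) if text.startswith("0x") else int(text)


class Region:
    """One allocation, with the history the detection cares about."""

    def __init__(self, base: int, size: int, protect: int) -> None:
        self.base, self.size, self.protect = base, size, protect
        self.flipped = False  # became executable after starting out non-executable

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def detect(log: str) -> List[str]:
    """Return one alert per thread started inside a region that went RW -> RX."""
    regions: Dict[int, List[Region]] = defaultdict(list)
    alerts: List[str] = []
    for line in log.splitlines():
        fields = parse_line(line)
        pid, call = int(fields["pid"]), fields["syscall"]
        if call == "NtAllocateVirtualMemory":
            regions[pid].append(
                Region(to_int(fields["base"]), to_int(fields["size"]), to_int(fields["protect"]))
            )
        elif call == "NtProtectVirtualMemory":
            new_protect = to_int(fields["protect"])
            target = to_int(fields["base"])
            for region in regions[pid]:
                if region.contains(target):
                    if new_protect in EXECUTABLE and region.protect not in EXECUTABLE:
                        region.flipped = True
                    region.protect = new_protect
        elif call == "NtCreateThreadEx":
            start = to_int(fields["start"])
            for region in regions[pid]:
                if region.flipped and region.contains(start):
                    alerts.append(
                        f"pid={pid} thread start {start:#x} inside region "
                        f"{region.base:#x}+{region.size:#x} that changed RW->RX"
                    )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("[!]", alert)
```

The check keys on the order of operations rather than on any single call, which is why it is unaffected by the hook evasion the library provides: the events still reach a kernel-side sensor. It is deliberately narrow (JIT runtimes also flip pages to executable, but they rarely start a fresh thread at an address inside the freshly flipped page), so in practice it is one signal to combine with the origin of the syscall and the parent process, not a verdict on its own.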

Credits & Inspiration

This project is a Zig implementation and refinement of several pioneering research techniques.

  • Hell's Gate: The original technique for dynamic SSN extraction.
  • TartarusGate: Improved SSN recovery via neighboring stubs.
  • Hell's Hall: Indirect syscall instruction searching.
  • Bananaphone: A major inspiration for the API design.

Legal Disclaimer

This tool is for educational purposes and authorized security auditing only. The author is not responsible for any misuse of this software.
