Signature-based function discovery
Stargate is a novel Rust library that takes a fundamentally different approach to locating Windows API functions. Instead of relying on easily-hooked structures like the PEB or Export Address Table, Stargate uses signature-based scanning to find functions in memory. Used in combination with moonwalk to avoid PEB walking to locate target dll base addresses. Together moonwalk and stargate represent a novel approach to locating windows API function addresses in memory.
Why this matters: Traditional function location techniques follow well-trodden paths that defenders have learned to monitor. Stargate treats function discovery as a pattern matching problem rather than a structure parsing problem.
For detailed technical information, see blog.md.
Instead of asking "where is the export table pointing?", Stargate asks "what does this function look like in memory?"
Stargate provides advanced inline hook detection capabilities: - Syscall Pattern Recognition: Detect ntdll syscall prologue modifications (4C 8B D1) - Multiple Hook Patterns: Identify JMP, CALL, PUSH+RET, and MOV+JMP patterns - Inline Hook Detection: Find modified bytes within function bodies - Target Address Analysis: Analyze hook redirect targets for suspicious patterns - Relocation Search: Find functions that have been moved - Alternative Locations: Check common relocation patterns
Add to your Cargo.toml:
[dependencies]
stargate = { git = "https://github.com/Teach2Breach/stargate.git" }
use stargate::*;
use std::ffi::c_void;
type NtQuerySystemTimeFunc = extern "system" fn(lpSystemTime: *mut i64) -> i32;
fn main() -> Result<(), Box<dyn std::error::Error>> {
// Extract signatures silently (ntdll recommended for strict environments)
let db = extract_all_signatures("ntdll", 32)?;
// Find and call function with minimal output
if let Some(result) = find_specific_function("ntdll", "NtQuerySystemTime", &db) {
let query_time: NtQuerySystemTimeFunc = unsafe {
std::mem::transmute(result.found_address as *const c_void)
};
let mut system_time = 0i64;
let status = query_time(&mut system_time);
// Only print essential result
println!("NtQuerySystemTime: {} (status: {})", system_time, status);
}
Ok(())
}
// Extract all signatures from a clean DLL (version detected automatically)
// Recommended: Use ntdll for strict environments
let db = extract_all_signatures("ntdll", 32)?;
println!("Extracted {} signatures", db.len());
// Extract single function signature
let sig = extract_single_signature("ntdll", "NtQuerySystemTime", 32)?;
// Note: kernel32 scanning may trigger security products in strict environments
// let sig = extract_single_signature("kernel32", "Sleep", 32)?; // Use with caution
// Scan entire DLL (recommended: ntdll for strict environments)
let results = scan_loaded_dll("ntdll", &db)?;
// Find specific function
let result = find_specific_function("ntdll", "NtQuerySystemTime", &db)?;
// Scan all loaded DLLs (use with caution in strict environments)
let all_results = scan_all_loaded_dlls(&db);
// Note: kernel32 scanning may trigger security products
// let result = find_specific_function("kernel32", "Sleep", &db)?; // Use with caution
for result in results {
println!("Function: {}", result.function_name);
println!(" Found at: 0x{:x}", result.found_address);
println!(" Expected RVA: 0x{:x}", result.expected_rva);
println!(" Actual RVA: 0x{:x}", result.actual_rva);
println!(" Hooked: {}", result.hook_detected);
println!(" Confidence: {:.1}%", result.confidence_score * 100.0);
}
# Extract signatures from ntdll
cargo run -- ntdll
# Extract and scan for specific function
cargo run -- ntdll NtQuerySystemTime
# Extract with custom signature length
cargo run -- kernel32 Sleep 64
cargo run --example enhanced_hook_detection
Features:
- Advanced syscall pattern recognition (4C 8B D1)
- Multiple hook pattern detection (JMP, CALL, PUSH+RET, MOV+JMP)
- Inline hook identification
- Target address analysis
- Detailed reporting to enhanced_hooks.txt
Example Output:
Enhanced Hook Detection Scanner
This example demonstrates improved hook detection with syscall pattern analysis
=== Step 1: Extracting Signatures ===
Extracted 2514 signatures from ntdll
=== Step 2: Enhanced Hook Detection ===
Scanned 2514 functions
=== Step 3: Analyzing Results ===
Found 9 hooked functions out of 2514 total functions
=== Step 4: Writing Enhanced Analysis ===
Enhanced hook report written to enhanced_hooks.txt
Found 9 hooked functions
=== Step 5: Enhanced Console Summary ===
⚠️ ENHANCED HOOK DETECTION RESULTS:
ntdll!NtCreateFile at 0x7fff15f02900
Hook type: JumpHook
Target: 0x7fff12345678
Syscall pattern detected!
cargo run --example signature_scanning
Example Output:
DLL Inspector - Signature Scanning Example
This example demonstrates hook-resistant signature scanning
=== Step 1: Extracting Signatures ===
Extracting ntdll signatures...
Extracted 2514 ntdll signatures
Extracting kernel32 signatures...
Extracted 1691 kernel32 signatures
Combined database contains 4205 signatures
=== Step 2: Scanning Loaded DLLs ===
Scanning loaded ntdll.dll...
Found 2514 functions in loaded ntdll
Scanning loaded kernel32.dll...
Found 1691 functions in loaded kernel32
=== Step 3: Analysis Results ===
Total functions found: 4205
Exact signature matches: 4196
Hooked functions detected: 9
Relocated functions: 0
=== Step 4: Detailed Function Analysis ===
Function: NtQuerySystemTime
DLL: ntdll
Found at: 0x7fff15f02900
Expected RVA: 0x162900
Actual RVA: 0x162900
Scan method: ExactMatch
Confidence: 100.0%
✅ Signature matches exactly!
Function: Sleep
DLL: kernel32
Found at: 0x7fff14e71980
Expected RVA: 0x31980
Actual RVA: 0x31980
Scan method: ExactMatch
Confidence: 100.0%
✅ Signature matches exactly!
For opsec-sensitive operations and implants, use the silent example that minimizes output and avoids kernel32:
cargo run --release --target x86_64-pc-windows-msvc --example silent_call
Example Output:
NtQuerySystemTime: 133970745314599291 (status: 0)
This example demonstrates clean function calling with minimal logging - only prints the function name and result, and uses ntdll for maximum opsec.
⚠️ WARNING: This example will attempt to unhook ntdll functions! Only run in controlled environments!
The unhook example demonstrates enhanced hook detection combined with automatic unhooking using nt_unhooker:
cargo run --example unhook
Features:
- Enhanced hook detection with syscall pattern recognition
- Automatic unhooking using nt_unhooker library
- Pre and post-unhook verification scanning
- Detailed success rate analysis
- Comprehensive reporting to unhook_report.txt
Example Output:
Stargate Unhook Example
This example demonstrates enhanced hook detection and unhooking using nt_unhooker
⚠️ WARNING: This example will attempt to unhook ntdll functions!
Only run this in a controlled environment!
=== Step 1: Extracting Signatures ===
Extracted 2488 signatures from ntdll
=== Step 2: Initial Hook Detection ===
Scanned 2481 functions
Found 64 hooked functions before unhooking
=== Step 3: Writing Initial Analysis ===
=== Step 4: Unhooking Functions ===
Attempting to unhook 64 functions using nt_unhooker...
Processing sections...
Processing section: .text
Found .text section at RVA: 0x1000, Raw offset: 0x1000, Size: 0x12e000
Writing clean section at 0x7ffb28711000 with size 0x12e000
Successfully wrote 1236992 bytes
✅ nt_unhooker unhook_ntdll() completed successfully
=== Step 5: Post-Unhook Verification ===
Post-unhook scan completed: 2481 functions
Found 0 hooked functions after unhooking
=== Step 6: Analysis and Comparison ===
Unhooking Results:
Initial hooks: 64
Remaining hooks: 0
Successfully unhooked: 64
Success rate: 100.0%
=== Step 7: Final Summary ===
🎉 All 64 hooks were successfully removed!
✅ Unhook example completed successfully!
Check unhook_report.txt for detailed analysis
Dependencies:
- Requires nt_unhooker crate for unhooking functionality
- Uses winapi for Windows API types
For production builds with static linking:
# Set environment variable for static CRT
set RUSTFLAGS=-C target-feature=+crt-static
# Build enhanced hook detection example
cargo build --release --target x86_64-pc-windows-msvc --example enhanced_hook_detection
# Run the built example
target\x86_64-pc-windows-msvc\release\examples\enhanced_hook_detection.exe
extract_all_signatures(dll_name, length) - Extract all signatures from clean DLL (version detected automatically)extract_all_signatures_from_loaded) - Extract all signatures from DLL by base address.extract_single_signature(dll_name, function_name, length) - Extract single function signaturescan_loaded_dll(dll_name, db) - Scan loaded DLL for matching functionsfind_specific_function(dll_name, function_name, db) - Find specific functionscan_all_loaded_dlls(db) - Scan all loaded DLLsSignatureDatabase - In-memory signature storageFunctionSignature - Individual function signature dataScanResult - Result of signature scanning operationHookDetails - Information about detected hooksWhy ntdll-only scanning is recommended:
- ntdll.dll contains the core Windows NT functions that are less likely to be monitored
- kernel32.dll scanning has been observed to trigger some security products - more testing is needed to patch a solution
- Most critical functions can be accessed through ntdll equivalents
- Reduces the attack surface for detection
- Enhanced hook detection works best with ntdll syscall patterns
When to scan kernel32: - Development and testing environments - Research and analysis scenarios - When specific kernel32 functions are required - In environments where you have confirmed EDR behavior
byont - Clean DLL extraction and processingmoonwalk - Memory scanning and DLL base address locationthiserror - Error handlingnt_unhooker - NTDLL unhooking functionality (optional, for unhook example)winapi - Windows API bindings (optional, for unhook example)$ claude mcp add stargate \
-- python -m otcore.mcp_server <graph>