MCPcopy Index your code
hub / github.com/almounah/superdeye

github.com/almounah/superdeye @v1.1.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.1.0 ↗ · + Follow
52 symbols 83 edges 8 files 1 documented · 2% updated 12mo agov1.1.0 · 2025-07-08★ 1381 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

SuperdEye

superdeye

SuperdEye is the implementation of HellHall (a revised version of TartarusGate) in pure Go and Go Assembler.

The purpose is to scan hooked NTDLL and retrieve the Syscall number to then do an indirect Syscall with it, thus allowing the bypass of AV/EDR that put hooks on functions.

Usage

Just import the package and use it !

The SuperdEye package exposes the SuperSyscall that can be used to do Indirect syscall.

import (
    "fmt"
    "unsafe"

    "github.com/almounah/superdeye"
)
...

    NTSTATUS, err = superdeye.SuperdSyscall("NtCreateThreadEx", uintptr(unsafe.Pointer(&hThread)), uintptr(0x1FFFFF), uintptr(0), handleProcess, pBaseAddress, uintptr(0), uintptr(0), uintptr(0), uintptr(0), uintptr(0), uintptr(0))
    if err != nil {
        fmt.Println("Syscall was not executed... Likely the Syscall was not found or a bug...")
        fmt.Println(err.Error())
    }
    fmt.Println("Syscall NtCreateThreadEx Made with NTSTATUS ", NTSTATUS)

For better usability, some syscall are already wrapped to be compatible with the official golang.org/x/sys/windows package.

import (
    "fmt"
    "unsafe"

    "github.com/almounah/superdeye"
    "golang.org/x/sys/windows"
)
...
    pBaseAddress, NTSTATUS, err := superdeye.NtAllocateVirtualMemory(windows.Handle(handleProcess), uintptr(0), uintptr(len(payloadClearText)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE)
    if err != nil {
        fmt.Println("Syscall was not executed... Likely the Syscall was not found or a bug...")
        fmt.Println(err.Error())
    }
    fmt.Println("Syscall NtAllocateVirtualMemory Made with NTSTATUS ", NTSTATUS)
...

More Syscalls will be made compatible with the official windows package in the future (Contributions are welcome in superdwrapper.go)

Examples

Full examples are given in examples/

What does it do ?

It is the implementation of TartarusGate by trickster0 and HellHall by mrd0x and NUL0x4C in Go.

Basically, a hooked NTDLL will be scanned. Once the target function is found, in case it is hooked by an AV or an EDR, a scan of the neighboors above and below will be made until a clean syscall is found. This will allow the calculation of the target function's ssn.

Once the ssn is found, an indirect syscall will be constructed.

I tried illustrating the principle with the following diagram.

superdeye

Other Similar Tools in Go

Other notable tools that are worth noting are BananaPhone and acheron.

BananaPhone uses a similar aproach to HellHall and TartarusGate but does not search far in the neighbor. Plus the syscall is direct. BananaPhone is the equivalent of the HellGate project in Go.

Acheron on the other hand, use a totally different aproach than HellGate and HellHall (and TartarusGate). Basically, at the beginning Acheron scan all the NTDLL, sort all the function's hashes by address. The ssn is then deduced by simply calculating the index of the function in the address list. In Acheron the syscall is an indirect one. Acheron is the equivalent of the SysWhisper3 project in Go.

Side Story: Why the name SuperdEye

In Mushoku Tensei the Superd is a tribal Demonic Race from the Demon Continent. They have green emerald Hair and a third Eye on their forehead that let them perceive mana not detectable by others.

The superd tribe are hated by Demons and Human alike due to historical reasons. A Superd is hated and feared for just being a Superd.

I named this project SuperdEye as it let you percieve syscall number and do indirect syscall, much like having a Superd Eye will let you detect mana and fight the enemy.

Core symbols most depended-on inside this repo

SuperdSyscall
called by 3
superdeye.go
checkIfCleanSSN
called by 3
internal/manalocator/locator.go
findSyscallAddress
called by 3
internal/manalocator/locator.go
NtAllocateVirtualMemory
called by 1
superdwrapper.go
NtWriteVirtualMemory
called by 1
superdwrapper.go
GetPEB
called by 1
internal/utils/helper/misc.go
GetImageExportDirectory
called by 1
internal/utils/helper/misc.go
NameRvaToString
called by 1
internal/utils/helper/misc.go

Shape

TypeAlias 23
Struct 16
Function 13

Languages

Go100%

Modules by API surface

internal/utils/superdwindows/types.go38 symbols
internal/utils/helper/misc.go4 symbols
internal/manalocator/locator.go4 symbols
superdwrapper.go2 symbols
superdeye.go1 symbols
internal/utils/hash/hash.go1 symbols
internal/superdsyscall/superdsyscall.go1 symbols
examples/selfInject/selfInject.go1 symbols

For agents

$ claude mcp add superdeye \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact