NtExt is an advanced C++ framework for WoW64 Heaven’s Gate + Direct Syscall , Heaven's Gate, and EDR evasion. and load 64-bit kernel32 and bypass user-land hooks.
If you are frustrated with the instability of traditional Heaven's Gate implementations, require direct 64-bit API access from a 32-bit process, or need to bypass deep user-land hooks, NtExt is the definitive solution.
- Limbo's Gate (WoW64 Heaven’s Gate + Direct Syscall)
I refer to this specific technique as "Limbo's Gate". It allows a 32-bit process to dynamically resolve System Service Numbers (SSN) and execute raw 64-bitsyscallinstructions directly, entirely bypassingntdll.dllRing 3 hooks in both the 32-bit and 64-bit address spaces. - WoW64 64-bit Kernel32 Loading
Loading the 64-bitkernel32.dllwithin a WoW64 process typically fails due to PEB subsystem validation inLdrLoadDll. NtExt utilizes a precise PEB spoofing technique (hot-swappingIMAGE_SUBSYSTEM_WINDOWS_CUItoGUI) to deceive the OS loader, enabling flawless 64-bit module initialization. - The Holy Trinity of Gates
- Heaven's Gate: Seamless segment switching (
0x23<->0x33) for cross-architecture execution. - Hell's Gate: Dynamic SSN extraction directly from the in-memory 64-bit export table, eliminating hardcoded OS-specific numbers.
- Halo's Gate: Defeats inline hooks by implementing a neighbourhood search algorithm (
_seachImpl) to deduce the correct SSN from adjacent unhooked functions.
- Heaven's Gate: Seamless segment switching (
- Non-Virtual Interface (NVI) Architecture
Provides an elegantNtExt::CallandNtExt::Syscallfront-end interface backed by a thread-safe (Shared Mutex) caching system, minimizing redundant memory parsing.
NtExt seamlessly supports both WoW64 (32-bit) and Native x64 (64-bit) environments. The framework exposes distinct APIs optimized for each context.
These functions are specifically designed to bridge the 32-bit process with the 64-bit subsystem.
| Function | Attribute | Description |
|---|---|---|
GetTeb64 / GetPeb64 |
[Ex] | Get the 64-bit TEB/PEB base address across the boundary |
GetNtdll64 / GetKernel64 |
[Ex] | Get the 64-bit ntdll/kernel32 base address |
LoadLibrary64 |
[Ex] | Load a specified module natively in the 64-bit space |
GetModuleBase64 |
[Ex] | Get the base address of a specified module in 64-bit |
GetModuleLdrEntry64 |
[Ex] | Get the LDR_DATA_TABLE_ENTRY structure of a specified module |
GetProcAddress64 |
[Ex] | Get the address of a specified function in 64-bit (Cached) |
GetSyscallNumber64 |
[Ex] | Get the SSN of a specified function in 64-bit |
GetLdrGetProcedureAddress64 |
[Ex] | Get the address of the LdrGetProcedureAddress function in 64-bit |
Call |
[Ex] | Cross-architecture call to a specified 64-bit function |
Syscall |
[Ex] | Cross-architecture direct Syscall to a 64-bit function |
memcpy64 |
**[Ex] | Safe memory copy bridging 32-bit and 64-bit address spaces |
#include <iostream>
#include <NtExt.hpp>
using namespace NtExt;
int main() {
// 1. Normal cross-architecture call
DWORD64 ntdll64 = Resolver.GetNtdll64();
DWORD64 pRtlGetVersion = Resolver.GetProcAddress64(ntdll64, "RtlGetVersion");
alignas(8) BYTE osvi[300] = { 0 };
*(DWORD*)osvi = 284;
NTSTATUS status = Call(pRtlGetVersion)((DWORD64)&osvi);
if (status == 0) {
DWORD major = *(DWORD*)(osvi + 4);
DWORD minor = *(DWORD*)(osvi + 8);
DWORD build = *(DWORD*)(osvi + 12);
std::cout << "[+] OS Version: " << major << "." << minor << "." << build << std::endl;
}
// 2. Direct Syscall (Limbo's Gate / Hell's Gate)
DWORD64 ssn = Resolver.GetSyscallNumber64(ntdll64, "NtReadVirtualMemory");
WORD dosMagic = 0;
NTSTATUS status2 = Syscall((WORD) ssn)(
(DWORD64) -1,
(DWORD64) ntdll64,
(DWORD64) &dosMagic,
(DWORD64) sizeof(dosMagic),
(DWORD64) 0
);
if (status2 == 0) {
std::cout << "[+] NTDLL DOS Magic: 0x" << std::hex << dosMagic << std::endl;
}
return 0;
}