A modular C# library for shellcode execution using FreshyCalls - the modern approach to bypassing EDR hooks.
FreshyCalls loads a clean, unhooked copy of ntdll.dll from Windows' \KnownDlls\ section object instead of parsing the hooked ntdll in your process memory. This guarantees clean syscall numbers regardless of what EDR hooks are present.
- ✅ FreshyCalls: Loads clean
ntdll.dllfrom\KnownDlls\(no disk I/O) - ✅ Indirect Syscalls: Execute
NtAllocateVirtualMemory,NtProtectVirtualMemory, etc. without hooks - ✅ No RWX Memory: Proper RW → RX transition for OPSEC
- ✅ Callback Execution: Uses
EnumWindowsinstead ofCreateThread - ✅ RET Gadget: Execution origin masking
- ✅ AMSI/ETW Bypass: Hardware breakpoint patches
- ✅ Library-ready: Use as a standalone library in your loaders
SharpFreshGate/
├── Core/
│ ├── FreshNtdll.cs # Loads clean ntdll from \KnownDlls\
│ ├── SyscallResolver.cs # Parses fresh ntdll for SSNs
│ ├── IndirectSyscall.cs # Syscall execution engine
│ ├── HardwareBreakpoints.cs # AMSI/ETW bypass
│ ├── PEParser.cs # PE parsing for gadgets
│ ├── DynamicInvoke.cs # Bootstrap API resolution
│ ├── Logger.cs # Debug logging
│ └── NativeStructs.cs # Windows structures
├── Execution/
│ ├── ShellcodeLoader.cs # Main orchestration
│ ├── MemoryManager.cs # Memory ops via indirect syscalls
│ └── CallbackExecutor.cs # EnumWindows execution
└── Program.cs # Example usage
VirtualAlloc() → kernel32!VirtualAlloc → ntdll!NtAllocateVirtualMemory
│ │
[EDR HOOK] [EDR HOOK]
1. Open \KnownDlls\ntdll.dll section object (NtOpenSection)
2. Map clean ntdll into process memory (NtMapViewOfSection)
3. Parse CLEAN ntdll export table
4. Extract syscall numbers from CLEAN function prologues
Example: NtAllocateVirtualMemory
4C 8B D1 mov r10, rcx
B8 18 00 00 00 mov eax, 0x18 ← Clean SSN!
0F 05 syscall
C3 ret
5. Find clean syscall;ret gadget
6. Build runtime stub:
- mov r10, rcx
- mov eax, SSN
- jmp [clean syscall;ret gadget]
7. Execute → syscall runs, EDR hooks bypassed!
1. Load fresh ntdll from \KnownDlls\
2. Initialize SyscallResolver (parse fresh ntdll)
3. Patch AMSI & ETW (if enabled)
4. Allocate RW memory (NtAllocateVirtualMemory via indirect syscall)
5. Write shellcode (NtWriteVirtualMemory via indirect syscall)
6. Change to RX (NtProtectVirtualMemory via indirect syscall)
7. Find RET gadget in ntdll for origin masking
8. Execute via EnumWindows callback
using SharpFreshGate.Core;
using SharpFreshGate.Execution;
// Configure loader
var config = new ShellcodeLoader.LoaderConfig
{
BypassAmsi = true,
BypassEtw = true,
UseIndirectSyscalls = true, // FreshyCalls
ExecutionMethod = ExecutionMethod.EnumWindows,
UseRetGadget = true,
AddNopSled = true
};
// Execute shellcode
using (var loader = new ShellcodeLoader())
{
bool success = loader.Execute(shellcode, config);
}# Debug build with console output
dotnet build -c Debug
# Release build (silent)
dotnet build -c Release
# Run
.\bin\x64\Debug\SharpFreshGate.exe- User-mode inline hooks on Nt* functions
- IAT hooking on kernel32/ntdll
- API monitoring via detours/trampolines
- Pattern-based syscall detection (uses fresh ntdll, not pattern matching)
- Kernel callbacks (PsSetCreateProcessNotifyRoutine, etc.)
- ETW from kernel (syscall telemetry still visible)
- Stack trace analysis (advanced EDRs can detect unusual call stacks)
- Memory content scanning (shellcode signatures)
- Platform: .NET Framework 4.8, x64 only
- SSN Resolution: Runtime extraction from fresh ntdll (no hardcoded SSNs)
- KnownDlls Loading: Zero disk I/O, uses section objects
- Syscall Execution: Dynamic stub generation per-call
Loads clean ntdll.dll from \KnownDlls\ntdll.dll using:
NtOpenSectionto open the section objectNtMapViewOfSectionto map into process memory- No file system access
Parses the fresh ntdll to:
- Enumerate Nt* functions from export table
- Extract SSNs from function prologues
- Find clean
syscall;retgadgets - Build syscall lookup table
Executes syscalls by:
- Building runtime assembly stubs
- Loading SSN into EAX
- Jumping to clean syscall gadget
- Returning results
This tool is for authorized security testing only. Unauthorized use is illegal.
Apache License 2.0