YouMayPasser is an x64 implementation of Gargoyle (
It contains several parts.
- Lockd: This is the main Gargoyle component
- sRDI-Master: This has been slightly reworked to provide a free mechanism.
- test.profile: This sample profile shows the options required for it to work.
- This is the altered Python generator with the new sRDI assembly
Below is a list of current IOCs:
- The new sRDI assembly can, of course, be statically detected in memory.
- DLL loads are used to obtain the required ROP gadgets; these loads can all be monitored and alerted on.
- VEH handlers are constantly created and deleted by code that does not originate from disk (they are removed on sleep, so this cannot be detected while it sleeps).
- VEH handlers are created that are not backed by an image on disk.
- The SetThreadContext injection used to spoof the thread start address is in itself suspicious, as these calls are often only made by debuggers.
I will fix none of these issues. This is nothing more than an x64 gargoyle POC to demonstrate how it can be leveraged to bypass PeSieve and Moneta.
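As an added example (not part of YouMayPasser), the detection logic below correlates a few constructed telemetry records against the VEH and SetThreadContext IOCs listed above. The event schema, field names, sample addresses and the churn threshold are all assumptions; a real implementation would map them onto whatever your EDR or ETW pipeline emits.

```python
from collections import Counter

# Constructed sample telemetry (not real logs). Each record is a hypothetical
# normalised event; the field names are assumptions for this example.
EVENTS = [
    {"type": "debugger_attach", "pid": 4242, "target_pid": 1337},
    {"type": "set_thread_context", "pid": 4242, "target_pid": 1337, "tid": 1400},
    {"type": "veh_add", "pid": 2001, "handler": 0x7FF6A1B20000, "backing_image": None},
    {"type": "veh_remove", "pid": 2001, "handler": 0x7FF6A1B20000, "backing_image": None},
    {"type": "veh_add", "pid": 2001, "handler": 0x7FF6A1B20000, "backing_image": None},
    {"type": "veh_remove", "pid": 2001, "handler": 0x7FF6A1B20000, "backing_image": None},
    {"type": "set_thread_context", "pid": 2001, "target_pid": 2001, "tid": 2010},
    {"type": "veh_add", "pid": 3003, "handler": 0x7FFB12345678, "backing_image": "msvcrt.dll"},
]

# Number of VEH add/remove cycles per process before we call it churn (tuning assumption).
VEH_CHURN_THRESHOLD = 2


def find_gargoyle_indicators(events):
    """Return (pid, indicator, detail) tuples for the IOCs described in the README."""
    findings = []
    debuggers = set()        # (debugger_pid, target_pid) pairs seen attaching
    unbacked = set()         # (pid, handler) for VEH handlers with no image on disk
    veh_cycles = Counter()   # completed add/remove cycles per pid
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "debugger_attach":
            debuggers.add((pid, ev["target_pid"]))
        elif kind == "veh_add" and ev["backing_image"] is None:
            # IOC: VEH handler registered from memory not backed by a file on disk
            unbacked.add((pid, ev["handler"]))
        elif kind == "veh_remove":
            veh_cycles[pid] += 1
        elif kind == "set_thread_context" and (pid, ev["target_pid"]) not in debuggers:
            # IOC: SetThreadContext by something that is not debugging the target
            findings.append((pid, "set_thread_context_without_debugger", ev["tid"]))
    for pid, handler in sorted(unbacked):
        findings.append((pid, "veh_not_backed_by_disk", handler))
    for pid, n in sorted(veh_cycles.items()):
        if n >= VEH_CHURN_THRESHOLD:
            # IOC: handlers constantly created and deleted while the process is awake
            findings.append((pid, "veh_churn", n))
    return findings


if __name__ == "__main__":
    for pid, indicator, detail in find_gargoyle_indicators(EVENTS):
        print(f"pid {pid}: {indicator} ({detail})")
```

The debugger in pid 4242 is left alone because its SetThreadContext call is paired with an attach event; pid 2001 trips all three rules.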
- Ret address spoofing - Namaszo (
- Timer sleep - computerBeat (
- VEH Hooks - CheatEngine Forums