estiwen0x/NT-Internal-Scanner

NT-Internal-Scanner

NT-Internal-Scanner is a minimalist, header-only C++ utility for security researchers and low-level developers. It recovers System Service Numbers (SSNs) by parsing the copy of ntdll.dll on disk, which the user-mode inline hooks placed by EDR (Endpoint Detection and Response) and antivirus products never touch, and it scans a target process's private memory for byte patterns.

Core Capabilities

  • Disk-to-Memory SSN Recovery: Instead of calling GetProcAddress on the loaded ntdll (the exported stubs it points at are exactly what an EDR overwrites with an inline jump), the tool reads ntdll.dll from System32 and parses its export directory from the file image, which no user-mode hook can have modified.

  • Export-Sorting SSN Resolution: Resolves syscall indices at runtime by collecting the Zw* exports, sorting them by address and taking each function's position in that order as its SSN, because the Zw* stubs in ntdll are laid out in ascending SSN order. This is the approach popularised by FreshyCalls and SysWhispers2 rather than Halo's Gate proper, which derives an SSN by reading the mov eax, imm32 of neighbouring unhooked stubs; the sorting method needs no stub bytes at all, which is what lets it work on the on-disk image.

  • Forwarded Export Handling: The PE parser recognises forwarded exports (entries whose address RVA points back into the export directory, at a DLL.Function string, rather than at code) and skips them, so a forwarder is never mistaken for a syscall stub and assigned an SSN.

  • Telemetry-Aware Memory Scanning:
    ◦ Region Filtering: Only regions that are both MEM_COMMIT and MEM_PRIVATE are read, skipping image- and mapped-file-backed memory. This concentrates the scan where unpacked or injected code lives and reduces the number of ReadProcessMemory calls, which are the only footprint the scan itself leaves.
    ◦ Wildcard Pattern Matching: Patterns carry a mask in which ? matches any byte (e.g., 48 8B ? 05), so one signature covers an instruction whose register or operand byte varies.
    ◦ Page-Sized Reads: Memory is read in page-aligned 4 KB chunks. Besides cache locality, this bounds the cost of an unreadable page, since a single ReadProcessMemory call fails as a whole if any byte of the requested range is inaccessible. A match that straddles two chunks is found only if consecutive reads overlap by the pattern length.

  • Zero Dependencies: Header-only and free of third-party libraries; only the Win32 API and the C++ standard library are used, with raw pointers and minimal RAII wrappers, so the binary footprint stays small.

Technical Implementation

The scanner reads ntdll.dll from disk rather than mapping it: it walks the section table to translate each RVA (Relative Virtual Address) referenced by the export directory into a raw file offset (offset = RVA - VirtualAddress + PointerToRawData of the containing section), then reads the export name, ordinal and address tables straight out of the file image. Because the file on disk is never patched by a user-mode EDR, the stubs it describes are the unhooked originals.
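The following is an added example, not code from NT-Internal-Scanner, showing the two pieces the Core Capabilities and Technical Implementation sections describe: RVA-to-file-offset translation through the section table, an export-directory walk that drops forwarders, and SSN recovery by sorting the Zw* exports by address. To stay runnable without Windows it parses a constructed mini PE32+ image (built by build_test_image) instead of the real ntdll.dll; all header offsets are the standard IMAGE_* layouts, and the export names and RVAs in the test image are made up.

```cpp
// Added example (not the project's code): parse a PE export directory from a file image,
// skip forwarders, and derive SSNs by sorting Zw* exports by address. Runs against a
// constructed mini-PE so it works without Windows.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>
#include <vector>

using Image = std::vector<uint8_t>;
static uint16_t rd16(const Image& f, size_t o) { uint16_t v; std::memcpy(&v, &f[o], 2); return v; }
static uint32_t rd32(const Image& f, size_t o) { uint32_t v; std::memcpy(&v, &f[o], 4); return v; }

// RVA -> raw file offset via the section table: the loader places a section at
// VirtualAddress, but on disk it sits at PointerToRawData. Returns 0 if no section holds it.
static uint32_t rva_to_offset(const Image& f, uint32_t rva) {
    uint32_t nt = rd32(f, 0x3C);                         // IMAGE_DOS_HEADER.e_lfanew
    uint16_t nsec = rd16(f, nt + 6), optsz = rd16(f, nt + 20);
    uint32_t sec = nt + 24 + optsz;                      // first IMAGE_SECTION_HEADER
    for (uint16_t i = 0; i < nsec; ++i, sec += 40) {
        uint32_t va = rd32(f, sec + 12), raw = rd32(f, sec + 20);
        uint32_t span = std::max(rd32(f, sec + 8), rd32(f, sec + 16)); // VirtualSize / SizeOfRawData
        if (rva >= va && rva < va + span) return rva - va + raw;
    }
    return 0;
}

struct Export { std::string name; uint32_t rva; };

// Walk IMAGE_EXPORT_DIRECTORY by name. A forwarded export's address RVA points at a
// "DLL.Function" string inside the export directory itself, not at code, so it is skipped.
static std::vector<Export> parse_exports(const Image& f) {
    uint32_t opt = rd32(f, 0x3C) + 24;
    uint32_t dd = opt + (rd16(f, opt) == 0x20B ? 112 : 96);  // DataDirectory[0] (PE32+ / PE32)
    uint32_t exp_rva = rd32(f, dd), exp_size = rd32(f, dd + 4), exp = rva_to_offset(f, exp_rva);
    uint32_t nfuncs = rd32(f, exp + 20), nnames = rd32(f, exp + 24);
    uint32_t funcs = rva_to_offset(f, rd32(f, exp + 28));
    uint32_t names = rva_to_offset(f, rd32(f, exp + 32));
    uint32_t ords = rva_to_offset(f, rd32(f, exp + 36));
    std::vector<Export> out;
    for (uint32_t i = 0; i < nnames; ++i) {
        uint16_t ord = rd16(f, ords + i * 2);
        if (ord >= nfuncs) continue;
        uint32_t fn = rd32(f, funcs + ord * 4);
        if (fn >= exp_rva && fn < exp_rva + exp_size) continue;  // forwarder, not a stub
        out.push_back({reinterpret_cast<const char*>(&f[rva_to_offset(f, rd32(f, names + i * 4))]), fn});
    }
    return out;
}

// Zw* stubs are laid out in ascending SSN order, so sorting them by address reproduces the
// syscall table without reading a single stub byte (and so without caring about hooks).
static std::map<std::string, uint32_t> build_ssn_map(std::vector<Export> ex) {
    ex.erase(std::remove_if(ex.begin(), ex.end(),
                            [](const Export& e) { return e.name.rfind("Zw", 0) != 0; }), ex.end());
    std::sort(ex.begin(), ex.end(), [](const Export& a, const Export& b) { return a.rva < b.rva; });
    std::map<std::string, uint32_t> m;
    for (size_t i = 0; i < ex.size(); ++i) m[ex[i].name] = static_cast<uint32_t>(i);
    return m;
}

// Constructed stand-in for ntdll.dll on disk: a PE32+ with one .text section, three Zw*
// exports written out of address order, one non-syscall export and one forwarder (a Zw-named
// forwarder never occurs in real ntdll; it is here only to exercise the check).
static Image build_test_image() {
    Image f(0x400, 0);
    auto w16 = [&](size_t o, uint16_t v) { std::memcpy(&f[o], &v, 2); };
    auto w32 = [&](size_t o, uint32_t v) { std::memcpy(&f[o], &v, 4); };
    std::memcpy(&f[0], "MZ", 2); w32(0x3C, 0x80);                 // e_lfanew
    std::memcpy(&f[0x80], "PE\0\0", 4); w16(0x84, 0x8664);        // x64
    w16(0x86, 1); w16(0x94, 240); w16(0x98, 0x20B);               // 1 section, PE32+ optional header
    w32(0x98 + 112, 0x1000); w32(0x98 + 116, 0x100);              // export directory RVA / size
    std::memcpy(&f[0x188], ".text", 5);
    w32(0x190, 0x200); w32(0x194, 0x1000); w32(0x198, 0x200); w32(0x19C, 0x200);
    auto raw = [](uint32_t rva) { return rva - 0x1000 + 0x200; }; // this layout's RVA -> offset
    const uint32_t funcs = 0x1040, names = 0x1060, ords = 0x1080;
    w32(raw(0x1000) + 20, 5); w32(raw(0x1000) + 24, 5);
    w32(raw(0x1000) + 28, funcs); w32(raw(0x1000) + 32, names); w32(raw(0x1000) + 36, ords);
    struct E { const char* name; uint32_t rva; };
    const E ex[5] = { {"ZwOpenProcess", 0x1140}, {"ZwClose", 0x1120}, {"RtlGetVersion", 0x1160},
                      {"ZwAllocateVirtualMemory", 0x1100}, {"ZwBogusForwarder", 0x10F0} };
    for (uint32_t i = 0, str = 0x1090; i < 5; ++i) {
        w32(raw(funcs) + i * 4, ex[i].rva); w32(raw(names) + i * 4, str);
        w16(raw(ords) + i * 2, static_cast<uint16_t>(i));
        std::strcpy(reinterpret_cast<char*>(&f[raw(str)]), ex[i].name);
        str += static_cast<uint32_t>(std::strlen(ex[i].name)) + 1;
    }
    std::strcpy(reinterpret_cast<char*>(&f[raw(0x10F0)]), "OTHER.Func");  // forwarder target string
    return f;
}

int main() {
    for (const auto& kv : build_ssn_map(parse_exports(build_test_image())))
        std::printf("%-26s SSN %u\n", kv.first.c_str(), kv.second);
}
```

Pointing parse_exports at the bytes of a real ntdll.dll read from System32 is the only change needed on Windows; the forwarder check is what keeps entries such as ntdll's forwarded exports out of the table, and the Zw filter drops Nt-prefixed exports that are not syscall stubs.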

Quick Start

#include <cstdint>
#include "include/nt_scanner.hpp"

int main() {
    // Attach to the target process
    sys::scanner hunter("target_app.exe");

    // Signature to look for: a 32-bit prologue, push ebp / mov ebp, esp / and esp, -8
    uint8_t pattern[] = { 0x55, 0x8B, 0xEC, 0x83, 0xE4, 0xF8 };
    const char* mask = "xxxxxx";   // 'x' = exact byte, '?' = wildcard

    // Scan the target's committed private regions for the first match
    uintptr_t result = hunter.scan(pattern, mask, sizeof(pattern));

    if (result) {
        // result is the address of the match; it lies outside any image-backed
        // (and therefore hookable) module region
    }
    return 0;
}
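The Quick Start and the memory-scanning bullets above describe mask matching over page-sized reads of committed private memory. The block below is an added example, not the project's nt_scanner.hpp, of how those pieces fit together and of the two failure modes a practitioner hits first: a read that fails because a page is inaccessible, and a match that straddles two reads. The PageReader abstraction, FakeTarget and the constructed four-page memory layout are inventions for this example; the Win32 backing (VirtualQueryEx filtered to MEM_COMMIT and MEM_PRIVATE, one ReadProcessMemory per page) is compiled only on Windows.

```cpp
// Added example (not the project's code): page-sized wildcard scanning that survives
// unreadable pages and finds a pattern straddling two pages. The Windows backing for
// PageReader (ReadProcessMemory over MEM_COMMIT|MEM_PRIVATE regions) is compiled only on Win32.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <vector>

constexpr size_t kPage = 0x1000;

// Byte-by-byte compare; a '?' in mask matches anything ('x' marks an exact byte).
static bool match_at(const uint8_t* hay, const uint8_t* pat, const char* mask, size_t len) {
    for (size_t i = 0; i < len; ++i)
        if (mask[i] != '?' && hay[i] != pat[i]) return false;
    return true;
}

// Reads exactly one page at page_addr into out; returns false if the page is unreadable.
using PageReader = std::function<bool(uintptr_t page_addr, uint8_t* out)>;

// Scan [base, base+size) one page per read (base and size page-aligned). The last len-1
// bytes of each page are carried into the next buffer so a match across a page boundary is
// found; the carry is dropped after an unreadable page since nothing can straddle it.
// Returns the address of the first match, or 0 when there is none.
static uintptr_t scan_region(uintptr_t base, size_t size, const uint8_t* pat, const char* mask,
                             size_t len, const PageReader& read_page) {
    std::vector<uint8_t> buf(kPage + len - 1);
    size_t carry = 0;
    for (uintptr_t addr = base; addr < base + size; addr += kPage) {
        if (!read_page(addr, buf.data() + carry)) { carry = 0; continue; }
        size_t avail = carry + kPage;
        for (size_t i = 0; i + len <= avail; ++i)
            if (match_at(buf.data() + i, pat, mask, len)) return addr - carry + i;
        carry = len - 1;
        std::memmove(buf.data(), buf.data() + avail - carry, carry);
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
// Real backing: enumerate regions with VirtualQueryEx, keep only committed private ones,
// and read them page by page so one inaccessible page does not fail a whole region.
static uintptr_t scan_process(HANDLE h, const uint8_t* pat, const char* mask, size_t len) {
    PageReader rd = [h](uintptr_t a, uint8_t* out) {
        SIZE_T n = 0;
        return ReadProcessMemory(h, reinterpret_cast<LPCVOID>(a), out, kPage, &n) && n == kPage;
    };
    MEMORY_BASIC_INFORMATION mbi{};
    for (uintptr_t a = 0; VirtualQueryEx(h, reinterpret_cast<LPCVOID>(a), &mbi, sizeof mbi);
         a = reinterpret_cast<uintptr_t>(mbi.BaseAddress) + mbi.RegionSize) {
        if (mbi.State != MEM_COMMIT || mbi.Type != MEM_PRIVATE) continue;
        uintptr_t hit = scan_region(reinterpret_cast<uintptr_t>(mbi.BaseAddress), mbi.RegionSize,
                                    pat, mask, len, rd);
        if (hit) return hit;
    }
    return 0;
}
#endif

// Constructed target: four pages of NOPs, page 1 unreadable and holding a decoy match,
// the real "48 8B ? 05" hit straddling pages 2 and 3.
struct FakeTarget { std::vector<uint8_t> mem; std::vector<bool> readable; uintptr_t base; };

static FakeTarget make_target() {
    FakeTarget t{std::vector<uint8_t>(4 * kPage, 0x90), {true, false, true, true}, 0x7FF600000000ULL};
    const uint8_t sig[] = {0x48, 0x8B, 0xC0, 0x05};
    std::memcpy(&t.mem[1 * kPage + 0x10], sig, 4);      // decoy in the unreadable page
    std::memcpy(&t.mem[3 * kPage - 2], sig, 4);         // straddles the page 2 / page 3 boundary
    return t;
}

static uintptr_t demo_scan(const uint8_t* pat, const char* mask, size_t len) {
    FakeTarget t = make_target();
    PageReader rd = [&t](uintptr_t a, uint8_t* out) {
        size_t page = (a - t.base) / kPage;
        if (!t.readable[page]) return false;          // models ReadProcessMemory failing
        std::memcpy(out, &t.mem[a - t.base], kPage);
        return true;
    };
    return scan_region(t.base, t.mem.size(), pat, mask, len, rd);
}

int main() {
    const uint8_t pat[] = {0x48, 0x8B, 0x00, 0x05};
    std::printf("hit at %#llx\n", static_cast<unsigned long long>(demo_scan(pat, "xx?x", 4)));
}
```

Without the carry the straddling match would be missed even though every byte of it is readable, and without the per-page read a single PAGE_NOACCESS or guard page would cause the whole region read to fail.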

Project Structure

NT-Internal-Scanner/
├── include/                # Core Library (Header-only)
│   └── nt_scanner.hpp      
├── examples/               # Implementation Examples
│   └── main.cpp            
├── docs/                   # Technical Documentation
│   └── internals.md        
└── LICENSE                 # MIT License


⚠️ Disclaimer

This project is created for educational purposes, security research, and authorized penetration testing only.

  • The author is not responsible for any misuse or damage caused by this tool.
  • Using this utility against systems you do not have explicit permission to test is illegal.
  • This tool is a proof-of-concept (PoC) for understanding Windows internals and EDR bypass methodologies.

Show Your Support

If you find this project useful for your research or it helped you understand Windows internals better, please consider giving it a Star!

  1. Star the repository on GitHub.
  2. Fork it to add your own improvements.
  3. Share it with your fellow researchers.

About

A stealthy, header-only C++ library for Windows internals research. Implements disk-based SSN (System Service Number) recovery, manual PE parsing, and page-aligned memory scanning to bypass user-mode EDR/AV hooks.
