Evasive shellcode loader that combines SSNs sorting and syscalls for AV/EDR evasion in Go and Go ASM
Go to file
2023-04-29 13:12:18 +02:00
.github ci: add ignored paths to release workflow 2023-04-29 12:54:26 +02:00
cmd chore: make sure cli flags are lowercase 2023-04-20 08:40:44 +02:00
internal/loader feat!: include direct syscall logic only with build constraint 2023-04-25 21:15:01 +02:00
pkg feat!: include direct syscall logic only with build constraint 2023-04-25 21:15:01 +02:00
scripts chore: change dir structure 2023-01-12 13:41:20 +01:00
.gitignore init 2022-10-11 10:31:29 +02:00
.golangci.yml ci: add github action for autorelease and golangci file 2023-03-31 18:23:57 +02:00
CHANGELOG.md chore: change commit category in changelog 2023-04-29 13:07:57 +02:00
go.mod chore: replace acheron dependency with public version 2023-04-25 19:20:42 +02:00
go.sum chore: replace acheron dependency with public version 2023-04-25 19:20:42 +02:00
LICENSE chore: added license 2023-01-10 22:32:04 +01:00
Makefile chore: clean targets and vars in Makefile 2023-01-11 18:24:59 +01:00
README.md docs: fixed typo in main readme 2023-04-29 12:54:43 +02:00

Made with Go Go Reference project license project status Twitter Follow


Hades is a proof of concept loader that combines several evasion technques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs.


The easiest way, is probably building the project on Linux using make.

git clone https://github.com/f1zm0/hades && cd hades

Then you can bring the executable to a x64 Windows host and run it with .\hades.exe [options].

PS > .\hades.exe -h

  '||'  '||'     |     '||''|.   '||''''|   .|'''.|
   ||    ||     |||     ||   ||   ||  .     ||..  '
   ||''''||    |  ||    ||    ||  ||''|      ''|||.
   ||    ||   .''''|.   ||    ||  ||       .     '||
  .||.  .||. .|.  .||. .||...|'  .||.....| |'....|'

          version: dev [11/01/23] :: @f1zm0

  hades -f <filepath> [-t selfthread|remotethread|queueuserapc]

  -f, --file <str>        shellcode file path (.bin)
  -t, --technique <str>   injection technique [selfthread, remotethread, queueuserapc]


Inject shellcode that spawms calc.exe with queueuserapc technique:

.\hades.exe -f calc.bin -t queueuserapc


User-mode hooking bypass with syscall RVA sorting (NtQueueApcThread hooked with frida-trace and custom handler)

NtQueueApcThread Frida interceptor

Instrumentation callback bypass with indirect syscalls (injected DLL is from syscall-detect by jackullrich)

syscall-detect bypass

Additional Notes

Direct syscall version

In the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by acheron. If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the direct_syscalls tag to the compiler, which will figure out what files needs to be included and excluded from the build.

GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -tags='direct_syscalls' -o dist/hades_directsys.exe cmd/hades/main.go



This project has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the unsafe package and the weird Go Assembly syntax. Don't use it to on systems you don't own. The developer of this project is not responsible for any damage caused by the improper use of this tool.


Shoutout to the following people that shared their knowledge and code that inspired this tool:


This project is licensed under the GPLv3 License - see the LICENSE file for details