Evasive shellcode loader that combines SSNs sorting and syscalls for AV/EDR evasion in Go and Go ASM

SSN sorting and direct syscall invocation for AV/EDR evasion in Go and Go ASM

Disclaimer

The techniques used in this project are not new. This project is just a proof of concept, and has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the unsafe package and the weird Go Assembly syntax.

Usage

The easiest way is probably to build the project on Linux using make:

git clone https://github.com/f1zm0/hades && make

Then you can bring the executable to an x64 Windows host and run it with ./hades, or ./hades -h to see the available options.

PS > .\hades.exe -h

  '||'  '||'     |     '||''|.   '||''''|   .|'''.|
   ||    ||     |||     ||   ||   ||  .     ||..  '
   ||''''||    |  ||    ||    ||  ||''|      ''|||.
   ||    ||   .''''|.   ||    ||  ||       .     '||
  .||.  .||. .|.  .||. .||...|'  .||.....| |'....|'

          version: dev [11/01/23] :: @f1zm0

Usage:
  hades -f <filepath> [-t selfthread|remotethread|queueuserapc]

Options:
  -f, --file <str>        shellcode file path (.bin)
  -t, --technique <str>   injection technique [selfthread, remotethread, queueuserapc]

For instance, you can run the tool with:

.\hades.exe -f calc.bin -t queueuserapc

Showcase

Below is a very quick proof of concept of the tool, in which it is used to inject a simple calc shellcode with APC injection while the call to NtQueueApcThread is intercepted with Frida. The tool doesn't care about the hook: instead of calling the hooked export, it uses the RVAs of the Zw* exports to calculate the SSN of NtQueueApcThread and issues the system call directly.

NtQueueApcThread Frida interceptor
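For readers who want to reproduce the analyst side of the showcase, here is an added example (not part of the hades repository and not the exact interceptor used in the GIF): a Frida script that logs every call reaching ntdll's exported NtQueueApcThread stub and flags an APC routine whose address lies outside every loaded module. The export name and the Frida Interceptor/Process APIs are real; the helper names describeApcCall and isUnbackedRoutine and the log format are this example's own. As the showcase demonstrates, a loader that issues the syscall directly never executes the hooked stub, so a userland hook like this one observes nothing; that is exactly why hook-based telemetry on its own does not cover this class of loader.

```javascript
// Frida script: log every call that reaches ntdll!NtQueueApcThread's exported stub.
// Added example, not part of the hades repository. The export name is the real ntdll
// export; the helper names and the log format are this example's own design.

// Pure helper (runs under Node as well as Frida): turn the five NtQueueApcThread
// arguments into one log line. Values are hex strings as NativePointer.toString() yields.
// Argument order follows the ntdll prototype:
//   NtQueueApcThread(ThreadHandle, ApcRoutine, SystemArgument1, SystemArgument2, SystemArgument3)
function describeApcCall(threadId, args) {
  const [threadHandle, apcRoutine, arg1, arg2, arg3] = args;
  return `[tid ${threadId}] NtQueueApcThread(ThreadHandle=${threadHandle}, ` +
    `ApcRoutine=${apcRoutine}, Args=[${arg1}, ${arg2}, ${arg3}])`;
}

// Pure helper: true when the APC routine does not fall inside any of the given module
// ranges, i.e. it points into unbacked memory such as an injected shellcode buffer.
// `moduleRanges` is an array of { base: "0x...", size: <number> }.
function isUnbackedRoutine(apcRoutine, moduleRanges) {
  const addr = BigInt(apcRoutine);
  return !moduleRanges.some(({ base, size }) => {
    const b = BigInt(base);
    return addr >= b && addr < b + BigInt(size);
  });
}

// Frida-only section, guarded so the file also loads under plain Node for the helpers
// above. Only calls that go through the exported stub arrive here; a direct syscall
// built from a sorted SSN never does.
if (typeof Interceptor !== 'undefined') {
  const target = Process.getModuleByName('ntdll.dll').getExportByName('NtQueueApcThread');
  Interceptor.attach(target, {
    onEnter(args) {
      const values = [0, 1, 2, 3, 4].map(i => args[i].toString());
      console.log(describeApcCall(this.threadId, values));
      // Enumerate at call time so modules loaded after script start are included.
      const ranges = Process.enumerateModules()
        .map(m => ({ base: m.base.toString(), size: m.size }));
      if (isUnbackedRoutine(values[1], ranges)) {
        console.log('  !! ApcRoutine points outside every loaded module');
      }
    },
    onLeave(retval) {
      console.log(`  -> NTSTATUS 0x${(retval.toInt32() >>> 0).toString(16)}`);
    }
  });
}
```

Load it with `frida -l <script.js> -p <pid>` against the target process; the same pure helpers can be exercised under Node without Frida present.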

Credits

Big thanks to the following people, who shared the knowledge and code that inspired this tool:

License

This project is licensed under the GPLv3 License - see the LICENSE file for details.