# SSN sorting and direct syscall invocation for AV/EDR evasion in Go and Go ASM
## Disclaimer

The techniques used in this project are not new. This project is just a proof of concept, and has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the `unsafe` package and the weird Go Assembly syntax.
## Usage

The easiest way is probably to build the project on Linux using `make`:

```sh
git clone https://github.com/f1zm0/hades && make
```

Then you can copy the executable to an x64 Windows host and run it with `./hades`, or `./hades -h` to see the available options.
```
PS > .\hades.exe -h
'||' '||' | '||''|. '||''''| .|'''.|
|| || ||| || || || . ||.. '
||''''|| | || || || ||''| ''|||.
|| || .''''|. || || || . '||
.||. .||. .|. .||. .||...|' .||.....| |'....|'

version: dev [11/01/23] :: @f1zm0

Usage:
  hades -f <filepath> [-t selfthread|remotethread|queueuserapc]

Options:
  -f, --file <str>        shellcode file path (.bin)
  -t, --technique <str>   injection technique [selfthread, remotethread, queueuserapc]
```
For instance, you can run the tool with:

```
.\hades.exe -f calc.bin -t queueuserapc
```
## Showcase

Below is a very quick proof of concept of the tool, used to inject a simple calc shellcode with APC injection while the call to `NtQueueApcThread` is intercepted with Frida. The tool ignores the hook: instead of calling the hooked export, it uses the RVAs of the `Zw*` functions to calculate the SSN of `NtQueueApcThread` and makes a direct system call.
## Credits

Big thanks to the following people, who shared the knowledge and code that inspired this tool:

- @smelly__vx and @am0nsec, creators of Hell's Gate
- @modexp's excellent blog post *Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams* (syscall invocation in C)
- @ElephantSe4l, creator of FreshyCalls
- @C_Sto, creator of BananaPhone
## License

This project is licensed under the GPLv3 License. See the LICENSE file for details.