D3Ext/Hooka

Hooka

Evasive shellcode loader, hooks detector and more

Coded with 💙 by D3Ext


Introduction

I started this project to create a powerful shellcode loader with many malleable capabilities exposed through CLI flags, such as detecting hooked functions and using the Hell's Gate and Halo's Gate techniques. Why Go? Because it's a great language to develop malware, and this project can help with that by providing a stable API with functions that can be really useful. If you have any questions, feel free to open an issue or whatever you want.

I've also taken some code from the BananaPhone and Doge-Gabh projects (thanks a lot to C-Sto and timwhitez).

Tested on x64, Windows 10

Features

  • Get shellcode from remote URL or local file

  • Shellcode reflective DLL injection (sRDI)

  • AMSI and ETW patch

  • Phant0m technique to kill EventLog threads (see here)

  • Detects hooked functions (e.g. NtCreateThread)

  • Compatible with base64 and hex encoded shellcode

  • Hell's Gate + Halo's Gate technique

  • Capable of unhooking user-mode syscalls via multiple techniques:

    • Classic unhooking
    • Full DLL unhooking
    • Perun's Fart technique
  • Multiple shellcode injection techniques:

    • CreateRemoteThread
    • CreateProcess
    • EnumSystemLocales
    • Fibers
    • QueueUserApc
    • UuidFromString
    • EtwpCreateEtwThread
    • RtlCreateUserThread
  • Inject shellcode into a process (not stable and only works via CreateRemoteThread technique)

  • Dump lsass.exe process to a file

  • Windows API hashing (see here)

  • Test mode (injects calc.exe shellcode)

  • All already mentioned features available through official package API

This repo is under development so it may contain errors; use it under your own responsibility for legal testing purposes.

Installation

  • Just clone the repository like this:
git clone https://github.com/D3Ext/Hooka
cd Hooka
make

Usage

Before using the project you should know that some exports of ntdll.dll are always reported as hooked even though they aren't usually hooked. These are the known false positives of the hook detector:

NtGetTickCount
NtQuerySystemTime
NtdllDefWindowProc_A
NtdllDefWindowProc_W
NtdllDialogWndProc_A
NtdllDialogWndProc_W
ZwQuerySystemTime
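Why these exports trip the detector, as an added Go example that is not part of Hooka: a hook check compares an export's first bytes with the x64 syscall stub prologue (mov r10, rcx ; mov eax, ssn), so any Nt*/Zw* export that is ordinary code rather than a syscall stub is reported as hooked. The classifier, the verdict names and all sample bytes below are assumptions constructed for this example, not the project's code.

```go
package main

import (
	"bytes"
	"fmt"
)

// Verdict describes what the first bytes of an ntdll export look like.
type Verdict string

const (
	Clean         Verdict = "clean syscall stub"
	Hooked        Verdict = "hooked: prologue replaced by a jmp"
	KnownFalsePos Verdict = "known false positive: never was a syscall stub"
	Differs       Verdict = "prologue differs: a naive check flags this as hooked"
)

// x64 syscall stub prologue: mov r10, rcx ; mov eax, <ssn>
var syscallPrologue = []byte{0x4C, 0x8B, 0xD1, 0xB8}
// Exports the README lists as always flagged although they are not hooked.
var knownFalsePositives = map[string]bool{
	"NtGetTickCount": true, "NtQuerySystemTime": true, "ZwQuerySystemTime": true,
	"NtdllDefWindowProc_A": true, "NtdllDefWindowProc_W": true,
	"NtdllDialogWndProc_A": true, "NtdllDialogWndProc_W": true,
}

// ClassifyStub (assumed helper) compares an export's leading bytes with the stub
// prologue and separates a detour (jmp rel32 / jmp [rip+disp32]) from code that was
// never a syscall stub, which is why the exports above show up as false positives.
func ClassifyStub(name string, stub []byte) Verdict {
	if len(stub) >= 4 && bytes.Equal(stub[:4], syscallPrologue) {
		return Clean
	}
	if knownFalsePositives[name] {
		return KnownFalsePos
	}
	if len(stub) >= 5 && stub[0] == 0xE9 { // jmp rel32
		return Hooked
	}
	if len(stub) >= 6 && stub[0] == 0xFF && stub[1] == 0x25 { // jmp qword ptr [rip+disp32]
		return Hooked
	}
	return Differs
}

func main() {
	// Constructed bytes: SSN 0x55 is a placeholder; sub rsp,28h is an ordinary prologue.
	fmt.Println(ClassifyStub("NtCreateThread", []byte{0x4C, 0x8B, 0xD1, 0xB8, 0x55, 0, 0, 0}))
	fmt.Println(ClassifyStub("NtGetTickCount", []byte{0x48, 0x83, 0xEC, 0x28}))
}
```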