Welcome to our

Cyber Security News Aggregator

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

First slide label

Some representative placeholder content for the first slide.

Second slide label

Some representative placeholder content for the second slide.

Third slide label

Some representative placeholder content for the third slide.

Hades - Go Shellcode Loader That Combines Multiple Evasion Techniques

published on 2023-05-22 12:30:00 UTC by Unknown
Content:

Hades is a proof of concept loader that combines several evasion technques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs.

Usage

The easiest way, is probably building the project on Linux using make.

git clone https://github.com/f1zm0/hades && cd hades
make

Then you can bring the executable to a x64 Windows host and run it with .\hades.exe [options].

PS > .\hades.exe -h

  '||'  '||'     |     '||''|.   '||''''|   .|'''.|
   ||    ||     |||     ||   ||   ||  .     ||..  '
   ||''''||    |  ||    ||    ||  ||''|      ''|||.
   ||    ||   .''''|.   ||    ||  ||       .     '||
  .||.  .||. .|.  .||. .||...|'  .||.....| |'....|'

          version: dev [11/01/23] :: @f1zm0

Usage:
  hades -f <filepath> [-t selfthread|remotethread|queueuserapc]

Options:
  -f, --file <str>        shellcode file path (.bin)
  -t, --technique <str>   injection technique [selfthread, remotethread, queueuserapc]

Example:

Inject shellcode that spawms calc.exe with queueuserapc technique:

.\hades.exe -f calc.bin -t queueuserapc

Showcase

User-mode hooking bypass with syscall RVA sorting (NtQueueApcThread hooked with frida-trace and custom handler)

Instrumentation callback bypass with indirect syscalls (injected DLL is from syscall-detect by jackullrich)

Additional Notes

Direct syscall version

In the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by acheron. If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the direct_syscalls tag to the compiler, which will figure out what files needs to be included and excluded from the build.

GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -tags='direct_syscalls' -o dist/hades_directsys.exe cmd/hades/main.go

Disclaimers

Warning
This project has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the unsafe package and the weird Go Assembly syntax. Don't use it to on systems you don't own. The developer of this project is not responsible for any damage caused by the improper use of this tool.

Credits

Shoutout to the following people that shared their knowledge and code that inspired this tool:

@smelly__vx and @am0nsec creators of Hell's Gate
@modexp's excellent blog post Bypassing User-Mode Hooks and syscall invocation in C
@ElephantSe4l creator of FreshyCalls
@C_Sto creator of BananaPhone
@winternl for this blog post on Hooking Nirvana and instrumentation callback to detect suspicious syscalls from user-mode.

License

This project is licensed under the GPLv3 License - see the LICENSE file for details

Download Hades

Article: Hades - Go Shellcode Loader That Combines Multiple Evasion Techniques - published over 1 year ago.

https://www.kitploit.com/2023/05/hades-go-shellcode-loader-that-combines.html
Published: 2023 05 22 12:30:00
Received: 2023 05 25 13:45:05
Feed: PenTest and Hacking Tools - powered by FeedBurner
Source: PenTest and Hacking Tools - powered by FeedBurner
Category: News
Topic: Security Tooling
Views: 1