• Stars
    star
    271
  • Rank 151,717 (Top 3 %)
  • Language
    Go
  • License
    MIT License
  • Created about 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

GetProcAddressByHash/remap/full dll unhooking/Tartaru's Gate/Spoofing Gate/universal/Perun's Fart/Spoofing-Gate/EGG/RecycledGate/syswhisper/RefleXXion golang implementation

Doge-Gabh

  • 🐸Frog For Automatic Scan

  • 🐶Doge For Defense Evasion & Offensive Security

Doge-Gabh

GetProcAddressByHash/remap/full dll unhooking/Tartaru's Gate/Spoofing Gate/universal/Perun's Fart/Spoofing-Gate/EGG/RecycledGate/syswhisper/RefleXXion golang implementation

Doge-Gabh为集成 Windows ntdll动态调用,直接系统调用,api hash调用,dll脱钩的Golang组件包。

包含多种地狱之门方法,脱钩方法,直接系统调用方法,动态api hash调用方法,可以灵活的使用这些方式,从磁盘或内存中调用系统api。

这可以用于许多目的,例如 PE 解析、动态 API 调用、shellcode loader、进程注入和绕过API挂钩等。

集成多种地狱之门以及地狱之门衍生项目的golang实现:Hells Gate/HalosGate/Tartaru's Gate/Spoofing Gate/Doge-EGGCall/RecycledGate

集成syswhisper实现

项目名称Gabh原意仅为GetAddressByHash, 后延申为类似DInvoke的动态调用工具包。

注意,本工具仅用于实现api调用。具体调用者实现的功能以及危害与项目本体无关。

example文件夹有较多调用示例可供参考

Functions

//getfunc addr by hash from memory
gabh.MemFuncPtr()

//getfunc addr by hash from disk
gabh.DiskFuncPtr()

//get remap ntdll
gabh.ReMapNtdll()

//get remap func addr
GetFuncUnhook()

//ntdll Tartaru's Gate/Halo's Gate
gabh.MemHgate()

gabh.DiskHgate()

//Tartaru's Gate/Halo's Gate call sysid
gabh.HgSyscall()

eggreplace.FindAndReplace()

//Tartaru's Gate/Halo's Gate call sysid more EGG
gabh.EggCall()

//Spoofing-Gate
gabh.SpfGate()


//get universal ntdll
gabh.Universal()

//get universal func addr
UniversalFindProc()

//full dll unhooking
gabh.FullUnhook()

//Perun's Fart unhooking ntdll
gabh.PerunsFart()

//full dll unhooking use cmd.exe type
gabh.CMDUnhook()

//get syscall;ret
gabh.GetRecyCall()

//recycled gate call
gabh.ReCycall()

// 初始化DW_SYSCALL_LIST 
var newWhisper = gabh.DWhisper()

// 从DW_SYSCALL_LIST 获取sysid
sysid := newWhisper.GetSysid("4942059d")

//RefleXXion
gabh.KDllunhook()

//getssnbynameexcept
gabh.GetSSNByNameExcept()

//proxycall
proxycall.ProxyCall()

https://github.com/paranoidninja/Proxy-Function-Calls-For-ETwTI

https://0xdarkvortex.dev/hiding-in-plainsight/

Usage

https://github.com/timwhitez/Doge-Gabh/tree/main/example

package main
import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	gabh "github.com/timwhitez/Doge-Gabh/pkg/Gabh"
	"syscall"
	"unsafe"
)

func main(){
	//
	//	get funcPtr Universal
	//
	ntdll, _ := gabh.Universal(str2sha1)

	//str2sha1(NtDelayExecution)
	sleep, _ := ntdll.UniversalFindProc("84804f99e2c7ab8aee611d256a085cf4879c4be8")

	fmt.Printf("Universal Addr:0x%x\n", sleep)

	fmt.Println("Sleep for 3s")
	times := -(3000 * 10000)
	syscall.Syscall(sleep, 2, 0, uintptr(unsafe.Pointer(&times)), 0)

	//
	//	get funcPtr by hash
	//
	//sha1(sleep)=c3ca5f787365eae0dea86250e27d476406956478
	sleep_ptr,moduleN,err := gabh.MemFuncPtr("kernel32.dll","c3ca5f787365eae0dea86250e27d476406956478",str2sha1)
	if err != nil{
		fmt.Println(err)
		return
	}

	fmt.Printf("%s: %x\n",moduleN,sleep_ptr)
	syscall.Syscall(uintptr(sleep_ptr),1,1000,0,0)

	//sha256(sleep)=d466bcf52eb6921b1e747e51bf2cc1441926455ba146ecc477bed1574e44f9c0
	sleep_ptr,moduleN,err = gabh.DiskFuncPtr("kernel32.dll","d466bcf52eb6921b1e747e51bf2cc1441926455ba146ecc477bed1574e44f9c0",Sha256Hex)
	if err != nil{
		fmt.Println(err)
		return
	}

	fmt.Printf("%s: %x\n",moduleN,sleep_ptr)
	syscall.Syscall(uintptr(sleep_ptr),1,1000,0,0)


	//
	//	get unhook ntdll funcPtr by hash
	//
	unNt,e := gabh.ReMapNtdll()
	if e != nil{
		panic(e)
	}
	
	times = -(3000 * 10000)
	//NtDelayExecution
	NtDelayExecution_ptr,_,_ := unNt.GetFuncUnhook("84804f99e2c7ab8aee611d256a085cf4879c4be8",str2sha1)

	fmt.Printf("%s: %x\n","NtDelayExecution ptr ",NtDelayExecution_ptr)
	syscall.Syscall(uintptr(NtDelayExecution_ptr),2,0,uintptr(unsafe.Pointer(&times)),0)


	//
	//	get ntdll hellsgate Sysid by hash
	//
	//NtDelayExecution HellsGate
	sleep1,e := gabh.DiskHgate("84804f99e2c7ab8aee611d256a085cf4879c4be8",str2sha1)
	if e != nil {
		panic(e)
	}

	fmt.Printf("%s: %x\n","NtDelayExecution Sysid",sleep1)


	//hellsgate syscall
	gabh.HgSyscall(sleep1,0,uintptr(unsafe.Pointer(&times)))

}


func str2sha1(s string) string{
	h := sha1.New()
	h.Write([]byte(s))
	bs := h.Sum(nil)
	return fmt.Sprintf("%x", bs)
}


func Sha256Hex(s string)string{
	return hex.EncodeToString(Sha256([]byte(s)))
}

func Sha256(data []byte)[]byte{
	digest:=sha256.New()
	digest.Write(data)
	return digest.Sum(nil)
}

asm_x64.s mod from https://github.com/C-Sto/BananaPhone

ref

https://github.com/timwhitez/Doge-ReMap

https://idiotc4t.com/defense-evasion/load-ntdll-too

https://github.com/Binject/debug/

https://github.com/C-Sto/BananaPhone

https://github.com/Binject/universal

https://github.com/trickster0/TartarusGate

https://github.com/plackyhacker/Peruns-Fart

https://github.com/TomOS3/UserModeUnhooking/blob/main/CustomCode/PerunsFart/PerunsFart.cpp

https://github.com/timwhitez/Spoofing-Gate

https://klezvirus.github.io/RedTeaming/AV_Evasion/NoSysWhisper/

https://github.com/klezVirus/SysWhispers3

https://github.com/thefLink/RecycledGate

https://golang.org/src/runtime/sys_windows_amd64.s

https://github.com/helpsystems/nanodump/blob/main/source/syscalls-asm.asm

https://github.com/timwhitez/Doge-RecycledGate

https://github.com/timwhitez/Doge-Whisper

https://github.com/Crummie5/Freshycalls

https://github.com/jthuraisamy/SysWhispers2

https://github.com/klezVirus/SysWhispers3

https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

🚀Star Trend

Stargazers over time

JetBrains

Thanks to JetBrains for kindly sponsoring Doge-Gabh by providing a Goland IDE Open Source license

JetBrains Logo GoLand Logo

More Repositories

1

crawlergo_x_XRAY

360/0Kee-Team/crawlergo动态爬虫结合长亭XRAY扫描器的被动扫描功能
Python
1,168
star
2

Cobalt-Strike-Aggressor-Scripts

Cobalt Strike Aggressor 插件包
C
664
star
3

Doge-Loader

🐶Cobalt Strike Shellcode Loader by Golang
Go
279
star
4

Doge-XSS-Phishing

xss钓鱼,cna插件配合php后端收杆
JavaScript
266
star
5

rad-xray

xray+rad批量主动扫描
Python
217
star
6

Frog-Auth

🐸Unauthorized Detection Framework未授权访问检测框架
Python
156
star
7

Frog-checkCDN

批量检查目标是否为cdn
Python
133
star
8

Frog-Fp

🐸fingerprint detect framework 批量深度指纹识别框架
Python
114
star
9

Doge-Assembly

Golang evasion tool, execute-assembly .Net file
Go
88
star
10

Frog-Submon

🐸Subdomain Monitor, 子域名监控
Python
75
star
11

Doge-Defense-Evasion-Ref

Defense Evasion & Bypass AntiVirus reference
74
star
12

ReturnGate

ReturnGate, just like HellsGate.
Go
66
star
13

killProcessPOC

use aswArPot.sys to kill process
Go
62
star
14

Doge-MemX

Golang implementation of Reflective load PE from memory
Go
59
star
15

doge-getsys

An easy way to getsystem by golang.
Go
56
star
16

Doge-sRDI

Shellcode implementation of Reflective DLL Injection by Golang. Convert DLLs to position independent shellcode
Go
53
star
17

Doge-Persistence-Platform

后渗透持久化控制平台; Windows Persistence Platform;
45
star
18

Git-Daily

Github Security Daily Repository.
43
star
19

Doge-CSBridge

CS http Dynamic Encrypt Bridge.
Go
42
star
20

Spoofing-Gate

(Hellsgate|Halosgate|Tartarosgate)+Spoofing-Gate. Ensures that all systemcalls go through ntdll.dll
Go
41
star
21

gobusterdns

lite version of gobuster. Only subdomain brute. 内网轻量化子域名爆破工具
Go
40
star
22

Bof2PIC

BOF/COFF obj file to PIC(shellcode). by golang
C
35
star
23

memmod

Fork & modify of Wireguard's Memmod
Go
32
star
24

Doge-CLRLoad

load assembly executable file in memory
Go
30
star
25

Doge-ScreenShot

desktop screenshot
Go
30
star
26

about-anti-honeypot

关于蜜罐的一些微小的统计工作
JavaScript
30
star
27

Doge-AMSI-patch

golang amsi bypass
Go
30
star
28

Doge-DumpMem

dump lsass
Go
30
star
29

Doge-RecycledGate

Golang implementation of Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll;
Go
29
star
30

Doge-Hide

windows API to hide console window by golang
Go
28
star
31

Doge-Direct-Syscall

Golang Direct Syscall
Assembly
28
star
32

AddressOfEntryPoint-injection

x64 version
Go
27
star
33

Doge-SelfDelete

Golang implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
Go
26
star
34

Doge-PX

DPX - the Doge Packer for eXecutables
Go
26
star
35

Doge-Process-Injection

Demo of process injection, using Nt, direct syscall, etc.
Go
26
star
36

ScareCrow-Common

ScareCrow loader binary source which easier to read and learn
Go
25
star
37

iSliver

Learning notes of amazing Sliver C2 project.
Go
24
star
38

Doge-Whisper

golang implementation of Syswhisper2/Syswhisper3
Go
23
star
39

Doge-AliveCheck

Use ICMP requests to check the alive subnet.
Go
23
star
40

Doge-newSyscall

use shellcode as asm function
Go
22
star
41

Doge-EGGCall

Like Hell's Gate but more EGG :)
Go
21
star
42

Doge-BlockDLLs

Preventing 3rd Party DLLs from Injecting into your Malware
Go
21
star
43

CLR-RWX

Load CLR to get RWX 通过加载clr在自身内存中产生rwx空间
Go
21
star
44

Doge-RL

Reflective DLL injection Execution
Go
20
star
45

find-subdomain-by-xray

利用xray高级版批量收集子域名
Python
19
star
46

JmpUnhook

Ntdll Unhooking POC
Go
18
star
47

Doge-AddSSP

Load ssp dll golang implementation
Go
17
star
48

Cobalt-Strike-det

Cobalt Strike teamserver detection.
Python
17
star
49

Doge-HeapAlloc

Go
15
star
50

Doge-Misc

杂 物 收 纳
Go
15
star
51

Freeze-Common

Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
Go
14
star
52

Doge-PX_GUI

DPX工具界面展示
14
star
53

Cafe

程序员在家饮品制作指南。Programmer's guide about how to make drinks at home (Chinese only).
13
star
54

Doge-Persist

Windows Persistence Collection
Go
12
star
55

Etwti-UnhookPOC

Etwti-UnhookPOC just for test
Go
11
star
56

Doge-Unhook

DLL Unhooking
Go
11
star
57

Doge-BadUSB

开源!自主设计的badusb电路板
10
star
58

PyC2-demo

从入门到放弃的产物,学习过程中用python实现的一个单点c2基本功能
Python
10
star
59

sandbox-data-collection

云沙箱数据采集(19年刚学go的远古项目,勿吐槽)
Go
10
star
60

Go-VEH

VEH hook
Go
10
star
61

Divide-Conquer-demo

Divide and Conquer - A technique to bypass NextGen AV
Go
9
star
62

Doge-UnhookEtw

unhook etw by golang
Go
9
star
63

Doge-Obf

golang String Obfuscate
Go
9
star
64

Doge-WhereAmI

Golang implementation of boku7/whereami
Go
8
star
65

ice-strike-design

Ice-Strike C2界面设计分享
8
star
66

Doge-memLDR

memory dll loader
Go
8
star
67

Doge-FindFirewallPorts

Golang implementation of FindFirewallPorts by 清水川崎
Go
7
star
68

Frog-CertDomain

Get CommonName and DNS domains from SSL cert.
Go
7
star
69

Doge-NpThief

Grab unsaved Notepad contents
Go
7
star
70

CVE-2018-8639-EXP

CVE-2018-8639-EXP
6
star
71

Doge-RWXenum

Enumerating RWX Protected Memory Regions.
Go
6
star
72

Doge-OTP

Google Authenticator OTP
Go
6
star
73

Argue-like-Cobalt-Strike

Argue like Cobalt Strike
C++
5
star
74

Doge-hookbypass

C++
5
star
75

Doge-TypeUnhook

type ntdll.dll for dll unhooking
Go
5
star
76

Doge-ReMap

Unhook full dll by Section ReMap
Go
5
star
77

ACG-BOF

Preventing 3rd Party DLLs from Injecting into your Malware
C
5
star
78

fingerprint-scanner-research

开源指纹识别项目调研
5
star
79

Mouse-Control

just for fun
Go
4
star
80

argument-spoofing

argue like Cobalt Strike
4
star
81

VEH-FuncObf

function call Obfuscator using veh hook
C
4
star
82

timwhitez

about me
4
star
83

Doge-ByteBinStr

Byte<->BinaryString convert
Go
4
star
84

powershell-killav

use ps1 to kill some antivirus
PowerShell
3
star
85

v4-v6

ipv4 address maps to ipv6 address
Go
3
star
86

useless-webshell

比小马大比大马小,俗称中马
PHP
3
star
87

BinHol

Binary Hollowing
Go
3
star
88

Sub-Filter

过滤跑出来的子域名
Python
3
star
89

LockWorkStation

Go
2
star
90

str2ntlm

string to ntlm hash string
Go
2
star
91

Garmin-Async

自动化使用dailysync.vyzt.dev定期同步佳明国内与国际版账号
Go
2
star
92

AD-CoT

Advanced Dynamic Chain-of-Thought Framework Prompt
2
star
93

zoomeye-search

导入domain批量zoomeye查询
Python
1
star
94

Sec_MindMap

一些思维导图记录
1
star
95

META-ATT-CK-Framework

A comprehensive matrix of actionable offensive security techniques based on ATT&CK Framework
1
star