hades: Go shellcode loader


Hades

Hades is a proof-of-concept loader that combines several evasion techniques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs.

Install

The easiest way to build the project is with make on Linux.

git clone https://github.com/f1zm0/hades && cd hades
make

Use

Copy the executable to an x64 Windows host and run it with .\hades.exe [options].

Example:

Inject shellcode that spawns calc.exe using the queueuserapc technique:

.\hades.exe -f calc.bin -t queueuserapc

Showcase

User-mode hooking bypass with syscall RVA sorting (NtQueueApcThread hooked with frida-trace and custom handler)

Instrumentation callback bypass with indirect syscalls (injected DLL is from syscall-detect by jackullrich)

Additional Notes

Direct syscall version

In the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by acheron. If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the direct_syscalls build tag to the compiler, which will then figure out which files need to be included in and excluded from the build.

GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -tags='direct_syscalls' -o dist/hades_directsys.exe cmd/hades/main.go

Copyright (C) 2023 f1zm0

Source: https://github.com/f1zm0/