hades: Go shellcode loader
Hades is a proof-of-concept loader that combines several evasion techniques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs.
The easiest way is probably building the project on Linux using make.
You can bring the executable to an x64 Windows host and run it with .\hades.exe [options].
Inject shellcode that spawns calc.exe with queueuserapc technique:
.\hades.exe -f calc.bin -t queueuserapc
User-mode hooking bypass with syscall RVA sorting (
NtQueueApcThread hooked with frida-trace and custom handler)
Instrumentation callback bypass with indirect syscalls (injected DLL is from syscall-detect by jackullrich)
Direct syscall version
In the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by acheron. If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the direct_syscalls tag to the compiler, which will figure out what files needs to be included and excluded from the build.
GOOS=windows GOARCH=amd64 go build -ldflags “-s -w” -tags=’direct_syscalls’ -o dist/hades_directsys.exe cmd/hades/main.go
Copyright (C) 2023 f1zm0