Hades – Go Shellcode Loader That Combines Multiple Evasion Techniques
Hades is a
Instrumentation callback bypass with indirect
Direct syscall version
In the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by acheron. If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the
direct_syscalls tag to the compiler, which will figure out what files needs to be included and excluded from the build.
GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -tags='direct_syscalls' -o dist/hades_directsys.exe cmd/hades/main.go
This project has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the unsafe package and the weird Go Assembly syntax. Don’t use it to on systems you don’t own. The developer of this project is not responsible for any damage caused by the improper use of this tool.
Shoutout to the following people that shared their knowledge and code that inspired this tool:
- @smelly__vx and @am0nsec creators of Hell’s Gate
- @modexp’s excellent blog post Bypassing User-Mode Hooks and syscall invocation in C
- @ElephantSe4l creator of FreshyCalls
- @C_Sto creator of BananaPhone
- @winternl for this blog post on Hooking Nirvana and instrumentation callback to detect suspicious syscalls from user-mode.
This project is licensed under the GPLv3 License – see the LICENSE file for details