{"id":23421576,"url":"https://github.com/evilbytecode/goevildocs","last_synced_at":"2026-02-23T00:37:56.871Z","repository":{"id":244590185,"uuid":"815666850","full_name":"EvilBytecode/GoEvilDocs","owner":"EvilBytecode","description":"Malware development in Go, learn today, anti dynamic analysis \u0026 Static \u0026 sandboxes. ","archived":false,"fork":false,"pushed_at":"2024-06-27T06:44:26.000Z","size":8,"stargazers_count":11,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-09T09:45:39.749Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/EvilBytecode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-15T19:17:13.000Z","updated_at":"2025-01-15T12:24:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"9dc225bc-9732-4377-ae54-8946a0518ee3","html_url":"https://github.com/EvilBytecode/GoEvilDocs","commit_stats":null,"previous_names":["evilbytecode/goevildocs"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/EvilBytecode/GoEvilDocs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FGoEvilDocs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FGoEvilDocs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FGoEvilDocs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FGoEvilDocs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/EvilBytecode","download_url":"https://codeload.github.com/EvilBytecode/GoEvilDocs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/EvilBytecode%2FGoEvilDocs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29733119,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-22T20:09:16.275Z","status":"ssl_error","status_checked_at":"2026-02-22T20:09:13.750Z","response_time":110,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-23T02:16:04.946Z","updated_at":"2026-02-23T00:37:56.862Z","avatar_url":"https://github.com/EvilBytecode.png","language":null,"readme":"# GoEvilDocs\nMalware development in Go, learn today, anti dynamic analysis \u0026amp; Static \u0026amp; sandboxes. \n\u003ca href=\"https://t.me/pulzetools\"\u003e\u003cimg src=\"https://img.shields.io/badge/Join%20my%20Telegram%20group-2CA5E0?style=for-the-badge\u0026logo=telegram\u0026labelColor=db44ad\u0026color=5e2775\"\u003e\u003c/a\u003e\n\n# Introduction:\n- Welcome to GoEvilDocs, your guide to using Go for developing malware that bypasses dynamic analysis, static detection, and sandbox environments. Explore advanced techniques to ensure your malicious Go applications evade detections.\n\n## Malware Dev - Part 1\n- Analyzing Blank Go File.\n![image](https://github.com/EvilBytecode/GoEvilDocs/assets/151552809/2f23033d-13d2-4179-a94a-cbbbf04e63c7)\n\n```go\npackage main\n\nfunc main() {\n}\n```\n- We've gotten 8/72, for blank file. lets add some checks to make it less.\n---\n## We will try now a Hardware resources, HDD, CPU, Ram Check:\n ![image](https://github.com/EvilBytecode/GoEvilDocs/assets/151552809/3e10277f-c4c1-4a7c-97df-3c7cdc734900)\n\n```go\npackage main\n\n/*\n#include \u003cwindows.h\u003e\n#include \u003cwinioctl.h\u003e\n#include \u003cstdio.h\u003e\n\nBOOL checksysreq() {\n    SYSTEM_INFO systemInfo;\n    GetSystemInfo(\u0026systemInfo);\n    DWORD numberOfProcessors = systemInfo.dwNumberOfProcessors;\n    if (numberOfProcessors \u003c 2) {\n        return FALSE;\n    }\n\n    MEMORYSTATUSEX memoryStatus;\n    memoryStatus.dwLength = sizeof(memoryStatus);\n    GlobalMemoryStatusEx(\u0026memoryStatus);\n    DWORD RAMMB = (DWORD)(memoryStatus.ullTotalPhys / (1024 * 1024));\n    if (RAMMB \u003c 2048) {\n        return FALSE;\n    }\n\n    HANDLE hDevice = CreateFileW(L\"\\\\\\\\.\\\\PhysicalDrive0\", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);\n    if (hDevice == INVALID_HANDLE_VALUE) {\n        printf(\"Failed to open HDD\\n\");\n        return FALSE;\n    }\n\n    DISK_GEOMETRY pDiskGeometry;\n    DWORD bytesReturned;\n    if (!DeviceIoControl(hDevice, IOCTL_DISK_GET_DRIVE_GEOMETRY, NULL, 0, \u0026pDiskGeometry, sizeof(pDiskGeometry), \u0026bytesReturned, (LPOVERLAPPED)NULL)) {\n        CloseHandle(hDevice);\n        return FALSE;\n    }\n\n    DWORD diskSizeGB = (DWORD)(pDiskGeometry.Cylinders.QuadPart * (ULONG)pDiskGeometry.TracksPerCylinder * (ULONG)pDiskGeometry.SectorsPerTrack * (ULONG)pDiskGeometry.BytesPerSector / (1024 * 1024 * 1024));\n    CloseHandle(hDevice);\n    if (diskSizeGB \u003c 100) {\n        return FALSE;\n    }\n\n    return TRUE;\n}\n*/\nimport \"C\"\nimport (\n    \"fmt\"\n)\n\nfunc main() {\n    fmt.Println(\"Checking system requirements...\")\n    if C.checksysreq() == C.BOOL(1) {\n        fmt.Println(\"System meets the minimum requirements.\")\n    } else {\n        fmt.Println(\"System does not meet the minimum requirements.\")\n    }\n}\n\n```\n--- \n### Now lets try more techniques: \n- USB Mounted in (Check if USB Was plugged inside computer before)\n- Detection Rate:\n![image](https://github.com/EvilBytecode/GoEvilDocs/assets/151552809/6f626b0e-df67-480f-a46a-c34471674f68)\n```go\npackage main\n\nimport (\n\t\"log\"\n\t\"os/exec\"\n\t\"strings\"\n)\n\n// PluggedIn checks if USB devices were ever plugged in and returns true if found, false otherwise.\nfunc PluggedIn() (bool, error) {\n\tusbcheckcmd := exec.Command(\"reg\", \"query\", \"HKLM\\\\SYSTEM\\\\ControlSet001\\\\Enum\\\\USBSTOR\")\n\toutputusb, err := usbcheckcmd.CombinedOutput()\n\tif err != nil {\n\t\tlog.Printf(\"Error running reg query command: %v\", err)\n\t\treturn false, err\n\t}\n\n\tusblines := strings.Split(string(outputusb), \"\\n\")\n\tpluggedusb := 0\n\tfor _, line := range usblines {\n\t\tif strings.TrimSpace(line) != \"\" {\n\t\t\tpluggedusb++\n\t\t}\n\t}\n\n\tif pluggedusb \u003e 0 {\n\t\treturn true, nil\n\t}\n\n\treturn false, nil\n}\n\nfunc main() {\n\tpluggedIn, err := PluggedIn()\n\tif err != nil {\n\t\tlog.Fatalf(\"Error checking USB devices: %v\", err)\n\t}\n\n\tif pluggedIn {\n\t\tlog.Println(\"USB devices were plugged in.\")\n\t} else {\n\t\tlog.Println(\"No USB devices were ever plugged in.\")\n\t}\n}\n```\n---\n### Lets now use GoDefender:\n```go\npackage main\n\nimport (\n\t\"log\"\n\n\t// AntiDebug\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/CheckBlacklistedWindowsNames\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/InternetCheck\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/IsDebuggerPresent\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/KillBadProcesses\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/ParentAntiDebug\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/RunningProcesses\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/RemoteDebugger\"\n\t\"github.com/EvilBytecode/GoDefender/AntiDebug/pcuptime\"\n\n\t// AntiVirtualization\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/KVMCheck\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/MonitorMetrics\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/RecentFileActivity\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/TriageDetection\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/UsernameCheck\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/VirtualboxDetection\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/VMWareDetection\"\n\t\"github.com/EvilBytecode/GoDefender/AntiVirtualization/USBCheck\"\n\n)\n\nfunc main() {\n\t// AntiDebug checks\n\tif connected, _ := InternetCheck.CheckConnection(); connected {\n\t\tlog.Println(\"[DEBUG] Internet connection is present\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Internet connection isn't present\")\n\t}\n\n\tif parentAntiDebugResult := ParentAntiDebug.ParentAntiDebug(); parentAntiDebugResult {\n\t\tlog.Println(\"[DEBUG] ParentAntiDebug check failed\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] ParentAntiDebug check passed\")\n\t}\n\n\tif runningProcessesCountDetected, _ := RunningProcesses.CheckRunningProcessesCount(50); runningProcessesCountDetected {\n\t\tlog.Println(\"[DEBUG] Running processes count detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Running processes count passed\")\n\t}\n\n\tif pcUptimeDetected, _ := pcuptime.CheckUptime(1200); pcUptimeDetected {\n\t\tlog.Println(\"[DEBUG] PC uptime detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] PC uptime passed\")\n\t}\n\n\tKillBadProcesses.KillProcesses()\n\tCheckBlacklistedWindowsNames.CheckBlacklistedWindows()\n\t// Other AntiDebug checks\n\tif isDebuggerPresentResult := IsDebuggerPresent.IsDebuggerPresent1(); isDebuggerPresentResult {\n\t\tlog.Println(\"[DEBUG] Debugger presence detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Debugger presence passed\")\n\t}\n\n\tif remoteDebuggerDetected, _ := RemoteDebugger.RemoteDebugger(); remoteDebuggerDetected {\n\t\tlog.Println(\"[DEBUG] Remote debugger detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Remote debugger passed\")\n\t}\n\t//////////////////////////////////////////////////////\n\n\t// AntiVirtualization checks\n\tif recentFileActivityDetected, _ := RecentFileActivity.RecentFileActivityCheck(); recentFileActivityDetected {\n\t\tlog.Println(\"[DEBUG] Recent file activity detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Recent file activity passed\")\n\t}\n\n\tif vmwareDetected, _ := VMWareDetection.GraphicsCardCheck(); vmwareDetected {\n\t\tlog.Println(\"[DEBUG] VMWare detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] VMWare passed\")\n\t}\n\n\tif virtualboxDetected, _ := VirtualboxDetection.GraphicsCardCheck(); virtualboxDetected {\n\t\tlog.Println(\"[DEBUG] Virtualbox detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Virtualbox passed\")\n\t}\n\n\tif kvmDetected, _ := KVMCheck.CheckForKVM(); kvmDetected {\n\t\tlog.Println(\"[DEBUG] KVM detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] KVM passed\")\n\t}\n\n\tif blacklistedUsernameDetected := UsernameCheck.CheckForBlacklistedNames(); blacklistedUsernameDetected {\n\t\tlog.Println(\"[DEBUG] Blacklisted username detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Blacklisted username passed\")\n\t}\n\n\tif triageDetected, _ := TriageDetection.TriageCheck(); triageDetected {\n\t\tlog.Println(\"[DEBUG] Triage detected\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Triage passed\")\n\t}\n\tif isScreenSmall, _ := MonitorMetrics.IsScreenSmall(); isScreenSmall {\n\t\tlog.Println(\"[DEBUG] Screen size is small\")\n\t} else {\n\t\tlog.Println(\"[DEBUG] Screen size is not small\")\n\t}\n\t// USBCheck\n\tif usbPluggedIn, err := USBCheck.PluggedIn(); err != nil {\n\t\t\tlog.Println(\"[DEBUG] Error checking USB devices:\", err)\n\t} else if usbPluggedIn {\n\t\t\tlog.Println(\"[DEBUG] USB devices have been plugged in, check passed.\")\n\t} else {\n\t\t\tlog.Println(\"[DEBUG] No USB devices detected\")\n\t}\n\n}\n```\n- Results:\n- ![image](https://github.com/EvilBytecode/GoEvilDocs/assets/151552809/da394b99-4e37-470b-b6af-cf5c134e684b)\n\n\n## License\nThis project is licensed under the MIT License. See the LICENSE file for details.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilbytecode%2Fgoevildocs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fevilbytecode%2Fgoevildocs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fevilbytecode%2Fgoevildocs/lists"}