{"id":19504288,"url":"https://github.com/f1zm0/hades","last_synced_at":"2025-04-06T06:09:36.415Z","repository":{"id":65594665,"uuid":"549462597","full_name":"f1zm0/hades","owner":"f1zm0","description":"Go shellcode loader that combines multiple evasion techniques","archived":false,"fork":false,"pushed_at":"2023-06-21T19:22:57.000Z","size":2225,"stargazers_count":364,"open_issues_count":1,"forks_count":46,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-03-30T05:06:11.574Z","etag":null,"topics":["adversary-emulation","av-evasion","edr-evasion","evasion","golang","ntapi","ntdll","offensive-security","pentesting","red-teaming","syscalls"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/f1zm0.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-11T08:16:24.000Z","updated_at":"2025-03-25T09:09:39.000Z","dependencies_parsed_at":"2024-06-20T02:54:21.277Z","dependency_job_id":"8b5d0351-08f0-4cf6-8f94-5ffd458b05be","html_url":"https://github.com/f1zm0/hades","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2Fhades","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2Fhades/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2Fhades/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/f1zm0%2Fhades/manifests","owner_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/owners/f1zm0","download_url":"https://codeload.github.com/f1zm0/hades/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247441052,"owners_count":20939239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversary-emulation","av-evasion","edr-evasion","evasion","golang","ntapi","ntdll","offensive-security","pentesting","red-teaming","syscalls"],"created_at":"2024-11-10T22:25:13.909Z","updated_at":"2025-04-06T06:09:36.390Z","avatar_url":"https://github.com/f1zm0.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\".github/images/hades-banner.png\" title=\"hades banner\" width=\"65%\"/\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/f1zm0/hades/releases\"\u003e\n    \u003cimg alt=\"Made with Go\" src=\"https://img.shields.io/badge/Made%20with%20Go-00ADD8?logo=Go\u0026logoColor=white\" style=\"max-width: 100%;\"\u003e\n\u003c/a\u003e\n\u003ca href=\"https://pkg.go.dev/github.com/f1zm0/hades\"\u003e\u003cimg src=\"https://pkg.go.dev/badge/github.com/f1zm0/hades.svg\" alt=\"Go Reference\"\u003e\u003c/a\u003e\n    \u003c!-- \u003ca href=\"https://github.com/f1zm0/hades/releases\"\u003e\u003cimg alt=\"latest release version\" src=\"https://img.shields.io/github/v/release/f1zm0/hades?color=007d9c\u0026logo=github\u0026logoColor=white\u0026labelColor=2b2c33\"\u003e\u003c/a\u003e --\u003e\n\u003ca href=\"https://github.com/f1zm0/hades\"\u003e\n    \u003cimg 
src=\"https://img.shields.io/github/license/f1zm0/hades?color=007d9c\u0026logo=bookstack\u0026logoColor=white\u0026labelColor=2b2c33\" alt=\"project license\"\u003e\n\u003c/a\u003e\n  \u003c/a\u003e\n\u003ca href=\"#\"\u003e \u003cimg src=\"https://img.shields.io/badge/Status-PoC-007d9c?labelColor=2b2c33\u0026logo=curl\" alt=\"project status\"\u003e \u003c/a\u003e\n    \u003ca href=\"https://twitter.com/f1zm0\" target=\"_blank\"\u003e\u003cimg alt=\"Twitter Follow\" src=\"https://img.shields.io/badge/Twitter-00acee?logo=twitter\u0026logoColor=white\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n## About\n\n**Hades** is a proof of concept loader that combines several evasion techniques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs.\n\n## Usage\n\nThe easiest way is probably to build the project on Linux using `make`.\n\n```sh\ngit clone https://github.com/f1zm0/hades \u0026\u0026 cd hades\nmake\n```\n\nThen you can bring the executable to an x64 Windows host and run it with `.\\hades.exe [options]`.\n\n```\nPS \u003e .\\hades.exe -h\n\n  '||'  '||'     |     '||''|.   '||''''|   .|'''.|\n   ||    ||     |||     ||   ||   ||  .     ||..  '\n   ||''''||    |  ||    ||    ||  ||''|      ''|||.\n   ||    ||   .''''|.   ||    ||  ||       .     '||\n  .||.  .||. .|.  .||. 
.||...|'  .||.....| |'....|'\n\n          version: dev [11/01/23] :: @f1zm0\n\nUsage:\n  hades -f \u003cfilepath\u003e [-t selfthread|remotethread|queueuserapc]\n\nOptions:\n  -f, --file \u003cstr\u003e        shellcode file path (.bin)\n  -t, --technique \u003cstr\u003e   injection technique [selfthread, remotethread, queueuserapc]\n```\n\n### Example:\n\nInject shellcode that spawns `calc.exe` with the [queueuserapc](https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-queueuserapc) technique:\n\n```\n.\\hades.exe -f calc.bin -t queueuserapc\n```\n\n## Showcase\n\nUser-mode hooking bypass with syscall RVA sorting (`NtQueueApcThread` hooked with [frida-trace](https://frida.re) and a [custom handler](scripts/NtQueueApcThread.js))\n\n![NtQueueApcThread Frida interceptor](.github/images/frida-poc.gif)\n\nInstrumentation callback bypass with indirect syscalls (injected DLL is from [syscall-detect](https://github.com/jackullrich/syscall-detect) by [jackullrich](https://twitter.com/winternl_t))\n\n![syscall-detect bypass](.github/images/syscall-detect-poc.gif)\n\n## Additional Notes\n\n### Direct syscall version\n\nIn the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by [acheron](https://github.com/f1zm0/acheron). 
If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the `direct_syscalls` tag to the compiler, which will figure out which files need to be included in and excluded from the build.\n\n```sh\nGOOS=windows GOARCH=amd64 go build -ldflags \"-s -w\" -tags='direct_syscalls' -o dist/hades_directsys.exe cmd/hades/main.go\n```\n\n### Disclaimers\n\n\u003e **Warning** \u003c/br\u003e\n\u003e This project has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the [unsafe](https://pkg.go.dev/unsafe) package and the weird [Go Assembly](https://go.dev/doc/asm) syntax.\n\u003e Don't use it on systems you don't own. The developer of this project is not responsible for any damage caused by the improper use of this tool.\n\n## Credits\n\nShoutout to the following people who shared their knowledge and code that inspired this tool:\n\n- [@smelly\\_\\_vx](https://twitter.com/smelly_vx) and [@am0nsec](https://twitter.com/am0nsec), creators of [Hell's Gate](https://github.com/am0nsec/HellsGate)\n- [@modexp](https://twitter.com/modexpblog)'s excellent blog post [Bypassing User-Mode Hooks and syscall invocation in C](https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/)\n- [@ElephantSe4l](https://twitter.com/elephantse4l), creator of [FreshyCalls](https://github.com/crummie5/FreshyCalls)\n- [@C_Sto](https://twitter.com/c__sto), creator of [BananaPhone](https://github.com/C-Sto/BananaPhone)\n- [@winternl](https://twitter.com/winternl_t) for [this blog post](https://winternl.com/detecting-manual-syscalls-from-user-mode/) on Hooking Nirvana and instrumentation callbacks to detect suspicious syscalls from user-mode.\n\n## License\n\nThis project is licensed under the GPLv3 License - see the [LICENSE](LICENSE) file for 
details\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff1zm0%2Fhades","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff1zm0%2Fhades","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff1zm0%2Fhades/lists"}