Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/EddieIvan01/gld

Go shellcode LoaDer
https://github.com/EddieIvan01/gld

bypass shellcode-loader windows

Last synced: 22 days ago
JSON representation

Go shellcode LoaDer

Awesome Lists containing this project

README

        

# Go shellcode LoaDer

**This repo is a demo and lacks enough features to bypass AV/EDR. I have written a private framework with more evasion techs, it may be made public in the future**

## Usage

Generate shellcode via CS/MSF first, then use gld to compile wrapped-binary:

```
./gld shellcode.bin [x64/x86]
```

## Tech

### Loader

+ Shellcode is encrypted via AES-GCM, it will be decrypted and loaded in runtime
+ Use `ntdll!ZwProtectVirtualMemory` instead of `kernelbase!VirtualProtect` (bypass possible hooks) to bypass DEP
+ Use local variable instead of string literal to pass procedure name (`string([]byte{...})`), to avoid static memory matching

### Detector

+ VM
+ Check if has a blacklist MAC prefixes
+ Check if physics memory < 2GB or number of CPU cores < 2 (cpuid and `GlobalMemoryStatusEx`)
+ DBG
+ Check if there is a debugger process (`CreateToolhelp32Snapshot`)
+ Check if current process is being debugged by a user-mode debugger (`IsDebuggerPresent`)