Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/EddieIvan01/gld
Go shellcode LoaDer
https://github.com/EddieIvan01/gld
bypass shellcode-loader windows
Last synced: 3 months ago
JSON representation
Go shellcode LoaDer
- Host: GitHub
- URL: https://github.com/EddieIvan01/gld
- Owner: EddieIvan01
- License: mpl-2.0
- Archived: true
- Created: 2020-04-30T09:19:11.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-01-30T09:49:47.000Z (almost 4 years ago)
- Last Synced: 2024-05-12T05:51:31.458Z (6 months ago)
- Topics: bypass, shellcode-loader, windows
- Language: Go
- Homepage:
- Size: 22.5 KB
- Stars: 170
- Watchers: 4
- Forks: 53
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - EddieIvan01/gld - Go shellcode LoaDer (Go)
README
# Go shellcode LoaDer
**This repo is a demo and lacks enough features to bypass AV/EDR. I have written a private framework with more evasion techs, it may be made public in the future**
## Usage
Generate shellcode via CS/MSF first, then use gld to compile wrapped-binary:
```
./gld shellcode.bin [x64/x86]
```
## Tech
### Loader
+ Shellcode is encrypted via AES-GCM, it will be decrypted and loaded in runtime
+ Use `ntdll!ZwProtectVirtualMemory` instead of `kernelbase!VirtualProtect` (bypass possible hooks) to bypass DEP
+ Use local variable instead of string literal to pass procedure name (`string([]byte{...})`), to avoid static memory matching
### Detector
+ VM
+ Check if has a blacklist MAC prefixes
+ Check if physics memory < 2GB or number of CPU cores < 2 (cpuid and `GlobalMemoryStatusEx`)
+ DBG
+ Check if there is a debugger process (`CreateToolhelp32Snapshot`)
+ Check if current process is being debugged by a user-mode debugger (`IsDebuggerPresent`)