Skip to content
This repository has been archived by the owner on Jan 30, 2021. It is now read-only.

EddieIvan01/gld

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
detect
detect
 
 
loader
loader
 
 
sample
sample
 
 
util
util
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
gld.go
gld.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

Go shellcode LoaDer

This repo is a demo and lacks enough features to bypass AV/EDR. I have written a private framework with more evasion techs, it may be made public in the future

Usage

Generate shellcode via CS/MSF first, then use gld to compile wrapped-binary:

./gld shellcode.bin [x64/x86]

Tech

Loader

  • Shellcode is encrypted via AES-GCM, it will be decrypted and loaded in runtime
  • Use ntdll!ZwProtectVirtualMemory instead of kernelbase!VirtualProtect (bypass possible hooks) to bypass DEP
  • Use local variable instead of string literal to pass procedure name (string([]byte{...})), to avoid static memory matching

Detector

  • VM
    • Check if has a blacklist MAC prefixes
    • Check if physics memory < 2GB or number of CPU cores < 2 (cpuid and GlobalMemoryStatusEx)
  • DBG
    • Check if there is a debugger process (CreateToolhelp32Snapshot)
    • Check if current process is being debugged by a user-mode debugger (IsDebuggerPresent)

About

Go shellcode LoaDer

Topics

windows bypass shellcode-loader

Resources

Readme

License

MPL-2.0 license
Activity

Stars

171 stars

Watchers

4 watching

Forks

53 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages