| example | Loading last commit info... | |
| pkg/BananaPhone | ||
| README.md |
README.md
BananaPhone
Like hells gate, but more go, more banana.
Useful references:
- https://github.com/am0nsec/HellsGate
- https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/
This is a pure-go implementation of using direct syscalls to do Windowsy stuff. Don't be silly and try this on not-Windows, it won't work and I honestly don't know why you'd even think it would?
Several useful functions in dealing with process things are provided by this lib. Namely:
Syscallwith a providedsysidanduintptrs to parameters, you're able to do a Windows syscall for pretty much any defined kernel call. I only tried with a handful, but it should work with any/most.GetPEBreturn the memory location of the PEB without performing any API calls. At it's core, just does this:MOVQ 0x60(GS), AX ; MOVQ AX, ret+0(FP)(this is the Go ASM syntax, incase you're confused.)GetNtdllStartreturn the start address of ntdll loaded in process memory. Does not make any API calls (see asm_x64.s for details)WriteMemorytake a byte slice, and write it to a certain memory address (may panic if not writable etc lol)- A handful of predefined kernel calls like
NtAllocateVirtualMemoryetc. See source for more details and whatnot.
All of the PE parsing and extraction of interesting information is provided by https://github.com/Binject/debug, which adds on to the stdlib pe library in some very cool ways.
Usage
See examples in example/.