-
Notifications
You must be signed in to change notification settings - Fork 38
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
97 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,97 @@ | ||
| # Acheron | ||
| <p align="center"> | ||
| <img src=".github/readme-banner.png" title="acheron banner" width="80%"/> | ||
| </p> | ||
| <p align="center"> | ||
| <a href="https://github.com/f1zm0/acheron/releases"><img alt="latest release version" src="https://img.shields.io/github/v/release/f1zm0/acheron?color=aabbcc&logo=github&logoColor=white&labelColor=2b2c33"></a> | ||
| <a href="https://pkg.go.dev/github.com/f1zm0/acheron"><img src="https://pkg.go.dev/badge/github.com/f1zm0/acheron.svg" alt="Go Reference"></a> | ||
| <a href="https://pkg.go.dev/github.com/f1zm0/acheron"><img src="https://goreportcard.com/badge/github.com/f1zm0/acheron" alt="Go Report Card"></a> | ||
| <a href="https://github.com/f1zm0/acheron"><img src="https://img.shields.io/github/license/f1zm0/acheron?color=aabbcc&logo=bookstack&logoColor=white&labelColor=2b2c33" alt="project license"></a> | ||
| <a href="https://github.com/f1zm0/acheron/issues"><img alt="Issues" src="https://img.shields.io/github/issues/f1zm0/acheron?logo=dependabot&color=aabbcc&logoColor=d9e0ee&labelColor=2b2c33"></a> | ||
| </p> | ||
|
|
||
| ## About | ||
|
|
||
| Acheron is a library inspired by [SysWhisper3](https://github.com/klezVirus/SysWhispers3)/[FreshyCalls](https://github.com/crummie5/FreshyCalls)/[RecycledGate](https://github.com/thefLink/RecycledGate), with most of its functionality implemented in Go assembly. </br> | ||
|
|
||
| `acheron` package can be used to add indirect syscall capabilities to your Golang tradecraft, to bypass AV/EDRs that makes use of usermode hooks and [instrumentation callbacks](https://winternl.com/detecting-manual-syscalls-from-user-mode/) to detect anomalous syscalls that don't return to ntdll.dll, when the call transition back from kernel->userland. | ||
|
|
||
| ## Main Features | ||
|
|
||
| - No dependencies | ||
| - Pure Go and Go assembly implementation | ||
| - Custom string encryption/hashing function support to counter static analysis | ||
|
|
||
| ## How it works | ||
|
|
||
| The following steps are performed when creating a new syscall proxy instance: | ||
|
|
||
| 1. Walk the PEB to retrieve the base address of in-memory ntdll.dll | ||
| 2. Parse the exports directory to retrieve the address of each exported function | ||
| 3. Calculate the system service number for each `Zw*` function | ||
| 4. Enumerate unhooked/clean `syscall;ret` gadgets in ntdll.dll, to be used as trampolines | ||
| 5. Creates the proxy instance, which can be used to make indirect (or direct) syscalls | ||
|
|
||
| ## Quickstart | ||
|
|
||
| Integrating `acheron` into your offsec tools is pretty easy. | ||
|
|
||
| You just need to call `acheron.New()` to create a syscall proxy instance and use `acheron.Syscall()` to make an indirect syscall for `Nt*` APIs. | ||
|
|
||
| Minimal example: | ||
|
|
||
| ```go | ||
| package main | ||
|
|
||
| import ( | ||
| "unsafe" | ||
|
|
||
| "github.com/f1zm0/acheron" | ||
| ) | ||
|
|
||
| func main() { | ||
| // creates Acheron instance, resolves SSNs, collects clean trampolines in ntdll.dlll, etc. | ||
| acheron, err := acheron.New() | ||
| if err != nil { | ||
| panic(err) | ||
| } | ||
|
|
||
| // make indirect syscall for NtQuerySystemInformation | ||
| bufferSize := uint32(0) | ||
| _ = acheron.Syscall( | ||
| acheron.HashString("NtQuerySystemInformation"), | ||
| 0x5, // arg1: _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass | ||
| 0, // arg2: _Out_ PVOID SystemInformation | ||
| uintptr(bufferSize), // arg3: _In_ ULONG SystemInformationLength | ||
| uintptr(unsafe.Pointer(&bufferSize)), // arg4: _Out_opt_ PULONG ReturnLength | ||
| ) | ||
|
|
||
| // ... | ||
| } | ||
| ``` | ||
|
|
||
| For more examples check out the [examples](examples) directory or [hades](https://github.com/f1zm0/hades) loader repository. | ||
|
|
||
| ## References | ||
|
|
||
| - https://github.com/am0nsec/HellsGate | ||
| - https://sektor7.net/#!res/2021/halosgate.md | ||
| - https://github.com/trickster0/TartarusGate | ||
| - https://github.com/klezVirus/SysWhispers3 | ||
| - https://github.com/crummie5/FreshyCalls | ||
| - https://github.com/boku7/AsmHalosGate | ||
| - https://github.com/thefLink/RecycledGate | ||
| - https://github.com/C-Sto/BananaPhone | ||
| - https://winternl.com/detecting-manual-syscalls-from-user-mode/ | ||
| - https://www.usenix.org/legacy/events/vee06/full_papers/p154-bhansali.pdf | ||
| - https://redops.at/en/blog/direct-syscalls-a-journey-from-high-to-low | ||
|
|
||
| ## Notes | ||
|
|
||
| The name is a reference to the [Acheron](https://en.wikipedia.org/wiki/Acheron) river in Greek mythology, which is the river where souls of the dead are carried to the underworld. | ||
|
|
||
| > **Info** | ||
| > This project has been created for educational purposes only. Don't use it to on systems you don't own. The developer of this project is not responsible for any damage caused by the improper usage of the library. | ||
| ## License | ||
|
|
||
| This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details |