# Hades – Go Shellcode Loader That Combines Multiple Evasion Techniques

## Description

![Hades banner](https://blogger.googleusercontent.com/img/a/AVvXsEh8XU1QePrxHorPh-ja1u7LLtj_VpULIVuWklYusXLVqscBk9Ezmq5Is4mnwpeGEjVc1NBzNLUcqQzy6anZOkuMrWX7GHcMWcU89rKj10keMpPNDMXSbXPdutgtb_cXdtXMU1UZN_MgPVeG_jn6hTmaIgf5npQm-Yg8maCNwIiWBx9S-hD86sSeyNYx6A=w640-h256)

**Hades** is a proof-of-concept loader that combines several evasion techniques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs.

## Usage

The easiest way is probably building the project on Linux using `make`.

```shell
git clone https://github.com/f1zm0/hades && cd hades
make
```

Then you can bring the executable to an x64 Windows host and run it with `.\hades.exe [options]`.

```
PS > .\hades.exe -h

version: dev [11/01/23] :: @f1zm0

Usage:
hades -f [-t selfthread|remotethread|queueuserapc]

Options:
-f, --file       shellcode file path (.bin)
-t, --technique  injection technique [selfthread, remotethread, queueuserapc]
```

### Example:

Inject shellcode that spawns `calc.exe` with the `queueuserapc` technique:

```
.\hades.exe -f calc.bin -t queueuserapc
```

## Showcase

User-mode hooking bypass with syscall RVA sorting (`NtQueueApcThread` hooked with frida-trace and a custom handler):

(screenshot: hooked `NtQueueApcThread` handler not triggered by the loader)

Instrumentation callback bypass with indirect syscalls (the injected DLL is from syscall-detect by jackullrich):

(screenshot: syscall-detect instrumentation callback output while the loader runs)

## Additional Notes

### Direct syscall version

In the latest release, direct syscall capabilities have been replaced by indirect syscalls provided by acheron. If for some reason you want to use the previous version of the loader that used direct syscalls, you need to explicitly pass the `direct_syscalls` build tag to the compiler, which will then figure out which files need to be included in and excluded from the build.

```shell
GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -tags='direct_syscalls' -o dist/hades_directsys.exe cmd/hades/main.go
```

### Disclaimers

> **Warning**
> This project has been created for educational purposes only, to experiment with malware dev in Go, and learn more about the `unsafe` package and the weird Go Assembly syntax. Don't use it on systems you don't own. The developer of this project is not responsible for any damage caused by the improper use of this tool.

## Credits

Shoutout to the following people who shared the knowledge and code that inspired this tool:

* @smelly__vx and @am0nsec, creators of Hell's Gate
* @modexp's excellent blog post "Bypassing User-Mode Hooks and syscall invocation in C"
* @ElephantSe4l, creator of FreshyCalls
* @C_Sto, creator of BananaPhone
* @winternl for the blog post on Hooking Nirvana and the instrumentation callback used to detect suspicious syscalls from user mode

## License

This project is licensed under the GPLv3 License; see the LICENSE file for details.
