GitHub - timwhitez/Doge-Gabh: GetProcAddressByHash/remap/full dll unhooking/Tartaru's Gate/Spoofing Gate/universal/Perun's Fart/Spoofing-Gate/EGG/RecycledGate/syswhisper/RefleXXion golang implementation
Doge-Gabh

  • 🐸 Frog For Automatic Scan

  • 🐶 Doge For Defense Evasion & Offensive Security

Project Introduction

Doge-Gabh is a Golang component package that integrates Windows ntdll dynamic calls, direct system calls, API hash calls, and DLL unhooking. The project provides several Hell's Gate variants, unhooking methods, direct system call methods, and dynamic API-by-hash call methods, so that users can flexibly call system APIs resolved from disk or from memory.

Main uses include but are not limited to:

  • PE parsing
  • Dynamic API calls
  • Shellcode loader
  • Process injection
  • Bypassing API hooks

The project name Gabh originally stood for GetAddressByHash; it was later expanded into a dynamic calling toolkit similar to DInvoke.

Note: This tool only implements the API calls themselves. The functionality a caller builds on top of it, and any impact that functionality may have, is unrelated to the project itself.

Main Features

  1. Golang implementations of Hell's Gate and its derivative projects:

    • Hell's Gate
    • Halo's Gate
    • Tartaru's Gate
    • Spoofing Gate
    • Doge-EGGCall
    • RecycledGate
  2. Integrated syswhisper implementation

  3. Provides various methods for obtaining function addresses and making system calls:

    • Get function address from memory by hash
    • Get function address from disk by hash
    • Remap ntdll
    • Get function address after remapping
    • Tartaru's Gate/Halo's Gate call
    • Spoofing-Gate
    • Universal ntdll acquisition
    • Full DLL unhooking
    • Perun's Fart ntdll unhooking
    • CMD-type full DLL unhooking
    • Recycled Gate call
    • RefleXXion
    • Proxy call

Installation

go get github.com/timwhitez/Doge-Gabh

Main Functions

// Get function address from memory by hash
gabh.MemFuncPtr()

// Get function address from disk by hash
gabh.DiskFuncPtr()

// Get remapped ntdll
gabh.ReMapNtdll()

// Get function address after remapping
GetFuncUnhook()

// ntdll Tartaru's Gate/Halo's Gate
gabh.MemHgate()
gabh.DiskHgate()

// Tartaru's Gate/Halo's Gate call by system call ID
gabh.HgSyscall()

// EGG replacement
eggreplace.FindAndReplace()

// Tartaru's Gate/Halo's Gate call by system call ID (more EGG)
gabh.EggCall()

// Spoofing-Gate
gabh.SpfGate()

// Get universal ntdll
gabh.Universal()

// Get universal function address
UniversalFindProc()

// Full DLL unhooking
gabh.FullUnhook()

// Perun's Fart ntdll unhooking
gabh.PerunsFart()

// CMD-type full DLL unhooking
gabh.CMDUnhook()

// Get syscall;ret
gabh.GetRecyCall()

// Recycled Gate call
gabh.ReCycall()

// Initialize DW_SYSCALL_LIST
var newWhisper = gabh.DWhisper()

// Get system call ID from DW_SYSCALL_LIST
sysid := newWhisper.GetSysid("4942059d")

// RefleXXion
gabh.KDllunhook()

// Get SSN by name (excluding certain cases)
gabh.GetSSNByNameExcept()

// Proxy call
proxycall.ProxyCall()

Usage Example

The example folder in the project contains multiple usage examples covering the various function call methods. Here is a basic usage example:

package main

import (
    "crypto/sha1"
    "encoding/hex"
    "fmt"
    "syscall"
    "unsafe"

    gabh "github.com/timwhitez/Doge-Gabh/pkg/Gabh"
)

func main() {
    // Use the Universal method to get a function pointer
    ntdll, _ := gabh.Universal(str2sha1)
    sleep, _ := ntdll.UniversalFindProc("84804f99e2c7ab8aee611d256a085cf4879c4be8")
    fmt.Printf("Universal Addr:0x%x\n", sleep)

    fmt.Println("Sleep for 3s")
    // Relative delay in 100 ns units (negative means relative); the callee
    // reads a 64-bit value, so keep the type explicit rather than using int
    var times int64 = -(3000 * 10000)
    syscall.Syscall(sleep, 2, 0, uintptr(unsafe.Pointer(&times)), 0)

    // Use MemFuncPtr to get a function pointer by hash
    sleep_ptr, moduleN, err := gabh.MemFuncPtr("kernel32.dll", "c3ca5f787365eae0dea86250e27d476406956478", str2sha1)
    if err != nil {
        fmt.Println(err)
        return
    }
    fmt.Printf("%s: %x\n", moduleN, sleep_ptr)
    syscall.Syscall(uintptr(sleep_ptr), 1, 1000, 0, 0)

    // Use Hell's Gate to get the system call ID
    sleep1, e := gabh.DiskHgate("84804f99e2c7ab8aee611d256a085cf4879c4be8", str2sha1)
    if e != nil {
        panic(e)
    }
    fmt.Printf("%s: %x\n", "NtDelayExecution Sysid", sleep1)

    // Use Hell's Gate to perform the system call
    gabh.HgSyscall(sleep1, 0, uintptr(unsafe.Pointer(&times)))
}

// Helper function: convert a string to its hex-encoded SHA-1 hash, which is
// the 40-character form of the hashes passed to the gabh calls above
func str2sha1(s string) string {
    sum := sha1.Sum([]byte(s))
    return hex.EncodeToString(sum[:])
}

For more detailed examples, refer to the example folder in the project.
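The example above never names the APIs it resolves; it hands the library a hash and a hash function, and the library compares that value against the hash of every export name it walks. The following Go program is an added example written for this page, not code from the Doge-Gabh project: it shows the same hashing convention from the analyst's side, building a table of candidate export names and mapping hashes found in a sample back to plaintext names, and reporting the hashes that no candidate matches. The hash convention (hex-encoded SHA-1 of the bare export name) is inferred from the 40-character hashes in the README and is an assumption, as is the candidate export list, which is constructed here and would normally be taken from the export tables of the DLLs a sample references.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// str2sha1 is the hashing convention assumed for the README example:
// hex-encoded SHA-1 of the export name (inferred from the 40-character
// hashes passed to MemFuncPtr and DiskHgate; an assumption, not project code).
func str2sha1(s string) string {
	sum := sha1.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// HashTable maps a hex SHA-1 hash back to the export name that produced it.
type HashTable map[string]string

// BuildHashTable hashes every candidate export name once. A hash-based
// resolver compares such a value against each entry of a DLL's export table
// instead of comparing plaintext names; the analyst rebuilds the same table
// from the export lists of the DLLs the sample references.
func BuildHashTable(names []string) HashTable {
	t := make(HashTable, len(names))
	for _, n := range names {
		t[str2sha1(n)] = n // EncodeToString yields lowercase hex
	}
	return t
}

// Resolve returns the export name behind a hash, or "" and false when the hash
// is not in the candidate set: either the sample resolves an API the list does
// not cover, or it uses a different hash function than SHA-1.
func (t HashTable) Resolve(hash string) (string, bool) {
	name, ok := t[strings.ToLower(strings.TrimSpace(hash))]
	return name, ok
}

// ResolveAll resolves every hash pulled from a sample and keeps the unknown
// ones, so the analyst can see which names are still missing from the list.
func (t HashTable) ResolveAll(hashes []string) (known map[string]string, unknown []string) {
	known = make(map[string]string)
	for _, h := range hashes {
		if name, ok := t.Resolve(h); ok {
			known[h] = name
		} else {
			unknown = append(unknown, h)
		}
	}
	return known, unknown
}

// candidateExports is a constructed candidate list for this example; a real
// one comes from the export tables of ntdll.dll and kernel32.dll.
var candidateExports = []string{
	"NtDelayExecution",
	"NtAllocateVirtualMemory",
	"NtProtectVirtualMemory",
	"Sleep",
	"VirtualAlloc",
	"LoadLibraryA",
	"GetProcAddress",
}

func main() {
	table := BuildHashTable(candidateExports)

	// The two hashes the README example passes in. Whether they resolve depends
	// on whether the assumed hash convention and candidate list match reality.
	sample := []string{
		"84804f99e2c7ab8aee611d256a085cf4879c4be8",
		"c3ca5f787365eae0dea86250e27d476406956478",
	}
	known, unknown := table.ResolveAll(sample)
	for h, name := range known {
		fmt.Printf("%s -> %s\n", h, name)
	}
	for _, h := range unknown {
		fmt.Printf("%s -> (not in candidate list)\n", h)
	}
}
```

Unresolved hashes are the interesting output: a run where nothing resolves means the convention assumed here (SHA-1 over the bare name, no case folding, no module name mixed in) is not the one the sample uses, and the table has to be rebuilt with the sample's actual hash routine before the names can be recovered.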

Project Structure

  • pkg/: Core function package
  • example/: Usage examples
    • CMDUnhook
    • EggCall
    • FullUnhook
    • GetSSNExcept
    • KnownDllunhook
    • PerunsFart
    • ProxyCall
    • RecycledGate
    • SpfGate
    • Unhook_remap
    • UniversalLoad
    • Whisper
    • shellcodecalc
    • sleep
    • testhook


🚀 Star Trend

Stargazers over time

Acknowledgements

Thanks to JetBrains for providing the GoLand IDE open source license for the Doge-Gabh project.


Disclaimer

This project is for learning and research purposes only. Users must comply with all applicable laws and regulations and must not use this project for any illegal purpose. The author bears no responsibility for any actions taken by users.
