- Previous work
- About Golang
- Interesting Tools in Golang
These repos inspired us to make OffensiveGo:
- OffensiveRust : this project contains a bunch of examples made in Rust.
- OffensiveNim : this one contains examples written in Nim.
- OffensiveCSharp : A Collection of Offensive C# Tooling.
- OffensiveDLR : Toolbox containing research notes & PoC code for weaponizing .NET's DLR.
- OffensiveVBA : This repo covers some code execution and AV Evasion methods for Macros in Office documents.
- OffensiveZig : Some attempts at using Zig in penetration testing.
- Simpler syntax: Go's syntax is simpler and easier to learn.
- Garbage collection: Go uses garbage collection, which makes memory management easier for developers.
- Cross-platform support: Go has excellent cross-platform support and can be compiled to run on a wide range of platforms, including Windows, Linux, and macOS. Rust also has good cross-platform support, but its compilation process can be more complex.
- Goroutines: lightweight threads of execution that make concurrent programming in Go easy; they run concurrently without blocking each other and communicate via channels, which keeps concurrent programs efficient, safe and scalable.
OPSEC Consideration & Caveat of Golang
Go binaries generally have no installation dependencies: the compiler statically links the Go runtime and every needed package. Static linking results in larger binaries, about 1.9 MB for "Hello World" compared to 54 KB in C.
- Create a `go.mod` file in your project directory, which will be used to manage dependencies:
  `go mod init offensivego`
- Ensure that all your project's dependencies are up to date.
- `go build file.go` for compilation.
- Omit the DWARF debug symbols (`-w`) and strip the symbol table (`-s`); this also reduces binary size by about 30%:
  `go build -ldflags="-s -w" file.go`
- Hide the console, so the Go program does not display a console window on execution:
  `go build -ldflags -H=windowsgui rshell.go`
The assembly language used with Go is based on Plan 9 (P9) and is a high-level, architecture-independent language that includes mnemonics like `RET`, as well as higher-level constructs like loops and conditionals, which are implemented using lower-level assembly instructions by the assembler.
- Functions are declared with the `TEXT` directive, whose flags include:
- NOSPLIT: do not insert the preamble that checks whether the stack must be split. The frame for the routine, plus anything it calls, must fit in the spare space remaining in the current stack segment. Used to protect routines such as the stack-splitting code itself; it can also improve performance.
- NOFRAME: skip the generation of a function prologue and epilogue, even if this is not a leaf function. This can also improve performance by removing the overhead of setting up and tearing down a stack frame on each call.
You can obfuscate Go builds using garble, which replaces strings and many other indicators with base64 encoding and removes extra information if necessary: https://github.com/burrowers/garble
`garble build [build flags] [packages]`
The symtab (symbol table) section contains the symbol information that maps program addresses to their function and variable names. In a Golang binary, the symtab section is generated by the Go linker.
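As an added example (not code from the OffensiveGo repository), the following triage helper shows what a compiled Go binary still reveals after the build steps above and what the symbol table paragraph refers to. It reads the embedded build information with the standard `debug/buildinfo` package (the module path chosen at `go mod init`, the Go version, and the recorded `-ldflags` value) and then checks whether a symbol table survived `-s`. The `Report` type, `InspectBinary` and `symbolNames` are names chosen here, and counting symbols with a `runtime.` prefix as a Go marker is this example's own heuristic, not something the page states.

```go
// Added example, not part of the OffensiveGo repository: triage a compiled Go
// binary for the metadata it still carries (build info, symbol table).
package main

import (
	"debug/buildinfo"
	"debug/elf"
	"debug/macho"
	"debug/pe"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Report summarises the build metadata and symbol information found in a binary.
type Report struct {
	Format     string // "ELF", "PE" or "Mach-O"
	GoVersion  string // toolchain that produced the binary
	MainModule string // module path chosen at `go mod init`
	Ldflags    string // recorded "-ldflags" build setting, empty if none was used
	HasSymbols bool   // a symbol table is present, i.e. -s was not used
	GoSymbols  int    // symbols starting with "runtime." (heuristic Go marker)
}

// symbolNames detects the executable format and returns all symbol names.
// A stripped ELF file yields elf.ErrNoSymbols, which is treated as "no symbols".
func symbolNames(f *os.File) (string, []string, error) {
	if e, err := elf.NewFile(f); err == nil {
		syms, err := e.Symbols()
		if err != nil && !errors.Is(err, elf.ErrNoSymbols) {
			return "ELF", nil, err
		}
		var names []string
		for _, s := range syms {
			names = append(names, s.Name)
		}
		return "ELF", names, nil
	}
	if p, err := pe.NewFile(f); err == nil {
		var names []string
		for _, s := range p.Symbols {
			names = append(names, s.Name)
		}
		return "PE", names, nil
	}
	if m, err := macho.NewFile(f); err == nil {
		var names []string
		if m.Symtab != nil {
			for _, s := range m.Symtab.Syms {
				names = append(names, s.Name)
			}
		}
		return "Mach-O", names, nil
	}
	return "", nil, errors.New("not an ELF, PE or Mach-O executable")
}

// InspectBinary reads the Go build info and the symbol table of the file at path.
func InspectBinary(path string) (Report, error) {
	var rep Report

	// Build info is embedded by the go command for every main package; it is
	// a separate data blob and is not removed by -ldflags="-s -w".
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return rep, fmt.Errorf("reading build info: %w", err)
	}
	rep.GoVersion = bi.GoVersion
	rep.MainModule = bi.Main.Path
	for _, s := range bi.Settings {
		if s.Key == "-ldflags" {
			rep.Ldflags = s.Value
		}
	}

	f, err := os.Open(path)
	if err != nil {
		return rep, err
	}
	defer f.Close()

	format, names, err := symbolNames(f)
	if err != nil {
		return rep, err
	}
	rep.Format = format
	rep.HasSymbols = len(names) > 0
	for _, n := range names {
		if strings.HasPrefix(n, "runtime.") {
			rep.GoSymbols++
		}
	}
	return rep, nil
}

func main() {
	// Inspect the binary given on the command line, or this program itself.
	path, _ := os.Executable()
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	rep, err := InspectBinary(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", rep)
}
```

Run it against a binary built with and without `-ldflags="-s -w"` to see `HasSymbols` flip while `GoVersion`, `MainModule` and `Ldflags` stay visible; `go version -m <binary>` prints the same build information, which is why the module name passed to `go mod init` is itself an indicator worth choosing deliberately.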
If your implant uses the net/http library with the default HTTP headers, Go will set `Go-http-client/1.1` as the User-Agent.
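As an added example (not from the OffensiveGo repository), the following program confirms that default header against a local `httptest` server and shows the matching defender-side check: a small filter over access-log lines in the common combined format that returns the client addresses using the Go default User-Agent. `observeUserAgent`, `goClientHits` and the `sampleLog` lines are introduced here; the log lines are constructed, not captured traffic.

```go
// Added example, not part of the OffensiveGo repository: observe the default
// net/http User-Agent and flag it in web-server access logs.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// observeUserAgent starts a throw-away loopback server, sends one GET to it and
// returns the User-Agent the server received. An empty custom value leaves the
// header unset so the net/http default applies.
func observeUserAgent(custom string) (string, error) {
	seen := make(chan string, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.UserAgent()
	}))
	defer srv.Close()

	req, err := http.NewRequest(http.MethodGet, srv.URL, nil)
	if err != nil {
		return "", err
	}
	if custom != "" {
		req.Header.Set("User-Agent", custom)
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

// goClientHits scans combined-format access-log lines and returns the client
// address of every request whose User-Agent starts with "Go-http-client/".
// In that format the User-Agent is the last double-quoted field of the line.
func goClientHits(lines []string) []string {
	var hits []string
	for _, line := range lines {
		end := strings.LastIndex(line, `"`)
		if end <= 0 {
			continue // no quoted fields at all
		}
		start := strings.LastIndex(line[:end], `"`)
		if start < 0 {
			continue // only one quote: malformed line, skip it
		}
		ua := line[start+1 : end]
		if strings.HasPrefix(ua, "Go-http-client/") {
			hits = append(hits, strings.Fields(line)[0])
		}
	}
	return hits
}

// Constructed sample log lines for the demo (not real traffic).
var sampleLog = []string{
	`10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"`,
	`10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /update HTTP/1.1" 200 44 "-" "Go-http-client/1.1"`,
	`10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "POST /api HTTP/1.1" 200 13 "-" "curl/8.4.0"`,
}

func main() {
	ua, err := observeUserAgent("")
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	fmt.Println("default User-Agent sent by net/http:", ua)
	fmt.Println("clients using the Go default User-Agent:", goClientHits(sampleLog))
}
```

The prefix match is deliberate: the version suffix changes with the HTTP version in use (`Go-http-client/2.0` over HTTP/2), so matching on `Go-http-client/` catches both.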
- Process Injection - APC: Execute a shellcode with
- Process Injection - CreateThread: Execute a shellcode with
- Bypass AMSI by patching in memory
- Bypass ETW by patching in memory with
- TCP, HTTP and named-pipe servers and clients for different communication channels
- List the AV/EDR solutions with a WMI query
- Convert DLL files to position-independent shellcode
- Encryption algorithms for various uses: AES, RC4, ChaCha20 and XOR
- Self-remove an executable (Golang implementation of delete-self-poc)
- Dump any process with `MiniDumpWriteDump`; in this example, it dumps LSASS
- `DllMain()` entrypoint in Golang, from this; can be used for DLL hijacking
- Play with Windows tokens: list all the tokens,
- Sandbox detection and evasion techniques
- Callback shellcode injection using `EnumFonts` and more...
- Disable the Instrumentation Callback on your process to reduce potential direct-syscall detection
Note: more examples will be added in the future :D
- Geacon: implementation of CobaltStrike's Beacon in Go.
- Acheron: indirect syscalls for AV/EDR evasion in Go assembly.
- Sliver: an adversary emulation framework fully written in Golang with advanced evasion capabilities.
- Merlin: cross-platform post-exploitation HTTP/2 Command & Control server and agent.
- BananaPhone: an easy-to-use Go variant of Hell's Gate with automatic SSN parsing.
- SourcePoint: C2 profile generator for Cobalt Strike command and control servers, designed to ensure evasion by reducing Indicators of Compromise (IoCs).
- ScareCrow: payload creation framework designed around EDR bypass, such as AMSI & ETW bypass, encryption, stealth process injection, etc.
- Hooka: implant drop-in with multiple features.
- RedGuard: a C2 front flow control tool that can avoid Blue Team, AV and EDR checks.
- Freeze: payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
- Mangle: a tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection by EDRs.
- Dent: a framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
- Ivy: payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy's loader does this by using programmatic access to the VBA object environment to load, decrypt and execute shellcode.
I would also mention timwhitez's GitHub, which contains many re-implementations in Golang.
- @joff_thyer - https://www.youtube.com/watch?v=gH9qyHVc9-M&t=1131s&ab_channel=BlackHillsInformationSecurity
- @BlueSentinelSec - https://github.com/bluesentinelsec/OffensiveGoLang/blob/master/Offensive%20GoLang%202.0%20-%20SANS%20Pen%20Test%20HackFest%202021.pdf
- @zimnyaatishina - https://tishina.in/execution/golang-winmaldev-basics