This repo is made by @RistBS, @Enelg & @dreamkinn and contains some examples of offensives tools & utilities rewrote in Golang that can be used in a red team engagement.
Table of Content
️💾 Previous works
These repo inspires us to make OffensiveGo
- OffensiveRust : this project contains a bunch of examples made in Rust.
- OffensiveNim : this one contains examples written in Nim.
- OffensiveCSharp : A Collection of Offensive C# Tooling.
- OffensiveDLR : Toolbox containing research notes & PoC code for weaponizing .NET's DLR.
- OffensiveVBA : This repo covers some code execution and AV Evasion methods for Macros in Office documents.
- OffensiveZig : Some attempts at using Zig in penetration testing.
📝 About Golang
- Simpler syntax: Go's syntax is simpler and easier to learn.
- Garbage collection: Go uses garbage collection, which makes memory management easier for developers.
- Cross-platform support: Go has excellent cross-platform support and can be compiled to run on a wide range of platforms, including Windows, Linux, and macOS. Rust also has good cross-platform support, but its compilation process can be more complex.
- Goroutine: Goroutines are lightweight threads of execution that enable concurrent programming in Go, making it easy to write efficient, safe, and scalable concurrent programs, allowing for non-blocking concurrent execution and communication via channels.
OPSEC Consideration & Caveat of Golang
Go binaries generally have no installation dependencies, compiler statically links Go runtime and needed packages. Static linking results in larger binaries. 1.9 MB for "Hello World" compared to 54 KB in C.
🏗 Workspace Setup
- create a
go.modfile in your project directory, which will be used to manage dependencies :
> go mod init offensivego
- ensure that all your project's dependencies are up to date :
Compilation
- Use
go build file.gofor compilation. - Omit debug symbols and strip the symbol table. it can also reduce binary size by about 30% :
go build -ldflags="-s -w" file.go - Hide console, to avoid Go program displaying console windows on execution :
go build -ldflags -H=windowsgui rshell.go
Assembly in Go
The assembly language used with Go is based on Plan9 (P9) and is a high-level architecture-independent language that includes mnemonics like CALL and RET, as well as higher-level constructs like loops and conditionals, which are implemented using lower-level assembly instructions by the assembler.
- That's how you declare function :
- NOSPLIT : Don't insert the preamble to check if the stack must be split. The frame for the routine, plus anything it calls, must fit in the spare space remaining in the current stack segment. Used to protect routines such as the stack splitting code itself, which can improve performance.
- NOFRAME : skip the generation of a function prologue and epilogue, even if this is not a leaf function, which can also improve performance by reducing the overhead of setting up and tearing down the stack frame for each call.
Note : It can be useful to use Assembly in Go for your loaders if you want to build direct / indirect syscall stub.
Obfuscate Go Builds
you can obfuscate Go builds using garble to replace strings and many other indcators with base64 encoding and removes extra intformations if necessary : https://github.com/burrowers/garble
garble build [build flags] [packages]
Golang Binary
-
The
symtab(symbol table) section contains symbol table information to map program addresses to their corresponding function and variable names. The symtab section in a Golang binary is generated by the Go linker.
-
If your implant use net/http lib with the default http headers, GO will put
Go-http-client/1.1has the user-agent.
Examples
| File | Description |
|---|---|
| Process Injection - APC | Execute a shellcode with NtQueueApcThread |
| Process Injection - CreateThread | Execute a shellcode with NtCreateThreadEx and CreateThread |
| AMSI Patching | bypass AMSI by patching in memory AmsiScanBuffer |
| ETW Patching | bypass ETW, by patching in memory with ret on NtTraceControl |
| Network | TCP, HTTP, and named pipes servers and clients for different communication channels. |
| WMI Query | List the AV/EDR solution with a wmi query |
| sRDI | Convert DLL files to position independent shellcode |
| Cryptography | Encryption algorithms for various usage. Contains AES, RC4, chacha20 and xor. |
| Self Remove | Self remove a executable. Golang implementation of delete-self-poc |
| Process Dump | Dump any process with MiniDumpWriteDump. In this example, it dumps LSASS |
| Dllmain | DllMain() entrypoint in Golang from this. Can be used for dll hijacking. |
| Token Manipulation | Play with windows token. List all the token, ImpersonateLoggedOnUser and CreateProcessWithToken. |
| Sandbox detection/evasion | Sandbox detection and evasion techniques |
| Callback Injection | Callback shellcode injection using GrayStringA, EnumFonts and more... |
| Instrumentation Callback | Disable Instrumentation Callback on your process to reduce any potential direct syscall detection |
Note : The misc folder contains some scripts like convert_to_golang_shellcode_format.sh that can be written in other languages but but still relates to the Golang language.
Note : More Examples will be added in the future :D
🔎 Interesting Tools in Golang
- Geacon : implementation of CobaltStrike's Beacon in Go.
- Acheron : Indirect syscalls for AV/EDR evasion in Go assembly.
- Sliver : An Adversary Emulation Framework fully written in Golang with advanced evasion capabilities.
- Merlin : cross-platform post-exploitation HTTP/2 Command & Control server and agent
- BananaPhone : An easy to use GO variant of Hells gate with automatic SSN parsing.
- SourcePoint : C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion by reducing the Indicators of Compromise IoCs.
- ScareCrow : Payload creation framework designed around EDR bypass such as AMSI & ETW Bypass, Encryption, Stealth Process Injections, ect.
- Hooka : Implant drop-in with multiple features.
- RedGuard : a C2 front flow control tool, Can avoid Blue Teams, AVs, EDRs check.
- Freeze : Payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods.
- Mangle : A tool that manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs.
- Dent : A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
- Ivy : Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.
I would also mention the timwhitez's github that contains many re-implementations in Golang.
🎖 Credits
- @joff_thyer - https://www.youtube.com/watch?v=gH9qyHVc9-M&t=1131s&ab_channel=BlackHillsInformationSecurity
- @BlueSentinelSec - https://github.com/bluesentinelsec/OffensiveGoLang/blob/master/Offensive%20GoLang%202.0%20-%20SANS%20Pen%20Test%20HackFest%202021.pdf
- @zimnyaatishina - https://tishina.in/execution/golang-winmaldev-basics