Hooka: Shellcode loader generator with multiple features

Hooka

Hooka generates shellcode loaders with multiple capabilities. It builds on other tools such as BokuLoader, Freeze or Shhhloader and tries to implement more evasion features. Why in Golang? Why not?

Features

This tool can generate loaders with these features:

  • Multiple shellcode injection techniques:

    • SuspendedProcess
    • ProcessHollowing
    • NtCreateThreadEx
    • EtwpCreateEtwThread
    • NtQueueApcThreadEx
    • No-RWX
  • Get shellcode from raw file, PE, DLL or from a URL

  • EXE and DLL are supported as output loader formats

  • Encrypt shellcode using:

    • AES
    • 3DES
    • RC4
    • XOR
  • AMSI and ETW patching (enabled by default)

  • Random variables and function names

  • Shikata Ga Nai obfuscation

  • Multiple ways to detect sandboxing

  • Enable ACG Guard protection

  • Block non-Microsoft signed DLLs from injecting into created processes

  • Capable of unhooking user-mode hooks via multiple techniques:

    • Classic
    • Full DLL
    • Perun’s Fart technique
  • Phant0m technique to suspend EventLog threads

  • Windows API hashing

  • Sign shellcode loader with fake or real certificates

  • Strings obfuscation via Caesar cipher

  • Reduce the loader's binary size using Go compiler options and UPX (if it is installed)

  • Compute binary entropy of the loader

  • Compute MD5, SHA1 and SHA256 checksums to keep track of the loader
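
The last two features, entropy and checksums, are the ones a defender reuses during triage: the encryption and compression options above push a loader's byte entropy towards 8 bits per byte, which is a common packed-or-encrypted-binary indicator, and the MD5/SHA1/SHA256 values are what end up in IoC lists. The Go program below is an added example written for this page, not Hooka's own code; the 7.2 bits-per-byte threshold and the three sample buffers are constructed assumptions, and the hash values for an empty input are the well-known standard digests.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"math/rand"
)

// HighEntropyThreshold is an assumed triage cut-off in bits per byte. Byte
// streams above it are usually compressed or encrypted, which is why loaders
// carrying an encrypted payload tend to score close to the maximum of 8.0.
const HighEntropyThreshold = 7.2

// Fingerprint holds the values an analyst records when a sample arrives.
type Fingerprint struct {
	Size    int
	Entropy float64 // Shannon entropy in bits per byte, 0.0 .. 8.0
	MD5     string
	SHA1    string
	SHA256  string
}

// ShannonEntropy returns the Shannon entropy of data in bits per byte.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue // a byte value that never occurs contributes nothing
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// ComputeFingerprint hashes data with MD5, SHA-1 and SHA-256 and measures its entropy.
func ComputeFingerprint(data []byte) Fingerprint {
	md5Sum := md5.Sum(data)
	sha1Sum := sha1.Sum(data)
	sha256Sum := sha256.Sum256(data)
	return Fingerprint{
		Size:    len(data),
		Entropy: ShannonEntropy(data),
		MD5:     hex.EncodeToString(md5Sum[:]),
		SHA1:    hex.EncodeToString(sha1Sum[:]),
		SHA256:  hex.EncodeToString(sha256Sum[:]),
	}
}

// LooksPacked reports whether entropy alone suggests packed or encrypted content.
func LooksPacked(fp Fingerprint) bool {
	return fp.Entropy >= HighEntropyThreshold
}

// RepeatedSample builds a constructed low-entropy buffer (the same byte n times).
func RepeatedSample(n int) []byte {
	buf := make([]byte, n)
	for i := range buf {
		buf[i] = 'A'
	}
	return buf
}

// UniformSample builds a constructed buffer holding every byte value exactly
// once, which has the maximum possible entropy of 8.0 bits per byte.
func UniformSample() []byte {
	buf := make([]byte, 256)
	for i := range buf {
		buf[i] = byte(i)
	}
	return buf
}

// RandomSample builds a constructed pseudo-random buffer; a fixed seed keeps
// it reproducible across runs (this stands in for an encrypted payload).
func RandomSample(n int, seed int64) []byte {
	r := rand.New(rand.NewSource(seed))
	buf := make([]byte, n)
	for i := range buf {
		buf[i] = byte(r.Intn(256))
	}
	return buf
}

func main() {
	samples := map[string][]byte{
		"repeated-byte":   RepeatedSample(4096),
		"all-byte-values": UniformSample(),
		"pseudo-random":   RandomSample(65536, 1),
	}
	for name, data := range samples {
		fp := ComputeFingerprint(data)
		fmt.Printf("%-16s size=%-6d entropy=%.3f packed=%v sha256=%s\n",
			name, fp.Size, fp.Entropy, LooksPacked(fp), fp.SHA256)
	}
}
```

Run it against a real sample by replacing the constructed buffers with the file contents; an entropy near 8.0 for the whole file is a prompt to look for an embedded encrypted blob, while the three digests are what you pivot on in threat-intel feeds.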

Install & Use