Protect Loader: Advanced Go Shellcode Loading
Protect Loader
Protect Loader is a shellcode loader written in pure Go that provides various security and evasion techniques for Go applications. It includes features such as shellcode loading, obfuscation, the use of indirect syscalls, and more.
Features
- Shellcode Loading: Shellcode loading using the APC method.
- GUI: User interface created with Fyne.
- Obfuscation: Code obfuscation with garble, optionally including its control-flow obfuscation (requires setting the environment variable GARBLE_EXPERIMENTAL_CONTROLFLOW=1).
- Indirect Syscalls: Use of indirect syscalls via acheron for evasion.
- API Hashing: The acheron package has integrated API hashing for evasion.
- Bypass AMSI and EDR: Techniques to bypass AMSI and EDR.
- Admin Privileges Check: Check if admin privileges are enabled.
- Random Sleep: Adding random delays.
- Block Non-Microsoft DLLs: Blocking the injection of non-Microsoft DLLs.
- Phantom Technique: Suspension of event logs.
- Unhooking: Removal of hooks for AV evasion.
- PE File to Shellcode: The PE file is automatically converted into a .bin using Donut, encoded with Shikata ga nai, and encrypted with two layers of encryption (AES and XOR).
- Key Encryption: The generated key is encrypted with XOR to hinder its extraction.
- Add control-flow obfuscation with garble
- Encrypt the XOR and AES keys in main.go
- Obfuscate the code with garble
- Use indirect syscalls
- Implement techniques to bypass AMSI and EDR
- Check if admin privileges are enabled
- Add random delays
- Block the injection of non-Microsoft DLLs
- Phantom technique to suspend event logs
- Unhooking
- Create a GUI with Fyne