/*
Shellcode Loader
Archive of Reversing.ID
Executes shellcode by jumping to it
Compile:
$ go build code.go
Technique:
- allocation: VirtualAlloc
- writing: RtlMoveMemory
- permission: VirtualProtect
- execution: syscall.Syscall on the buffer address
*/
package main
import (
"syscall"
"unsafe"
)
// Allocation-type flags passed to VirtualAlloc (Win32 MEM_* values).
const (
	MEM_COMMIT  = 0x1000
	MEM_RESERVE = 0x2000
	MEM_RELEASE = 0x8000
	MEM_FREE    = 0x10000
)

// Page-protection flags passed to VirtualAlloc and VirtualProtect
// (Win32 PAGE_* values). Only PAGE_READWRITE and PAGE_EXECUTE_READ are
// used by main; the rest are kept for completeness.
const (
	PAGE_READONLY          = 0x02
	PAGE_READWRITE         = 0x04
	PAGE_EXECUTE           = 0x10
	PAGE_EXECUTE_READ      = 0x20
	PAGE_EXECUTE_READWRITE = 0x40
)
// Procedure handles resolved at package init. MustLoadDLL and MustFindProc
// panic if the library or export cannot be found, so any failure aborts the
// process before main runs.
//
// NOTE(review): syscall.MustLoadDLL uses the default LoadLibrary search
// order. That is acceptable for kernel32.dll and ntdll.dll, which are
// already mapped into every process, but other library names should be
// loaded through a System32-restricted loader (x/sys/windows.NewLazySystemDLL)
// to avoid search-order hijacking.
var (
	kernel32 = syscall.MustLoadDLL("kernel32.dll")
	ntdll    = syscall.MustLoadDLL("ntdll.dll")

	// VirtualAlloc / VirtualProtect: allocate the buffer and change its page protection.
	VirtualAlloc   = kernel32.MustFindProc("VirtualAlloc")
	VirtualProtect = kernel32.MustFindProc("VirtualProtect")
	// RtlMoveMemory: copies the payload bytes into the allocated buffer.
	RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
)
// main demonstrates the classic RW -> RX loader sequence: allocate a
// writable buffer, copy the payload in, switch the page protection to
// execute-read, then call the buffer. Every step is a raw Win32 call whose
// return values are discarded, so there is no error handling at all; the
// review notes inline mark each unchecked result.
func main() {
	// Payload bytes. Despite the original "in stack" comment, a []byte
	// literal is a slice whose backing array may escape to the heap; the
	// compiler decides. The stub is 0x90 0x90 (two NOPs), 0xCC (int3, which
	// raises a breakpoint exception) and 0xC3 (ret) -- a marker, not a
	// functional payload.
	var payload = []byte{
		0x90, 0x90, 0xCC, 0xC3,
	}
	// Receives the previous protection value written back by VirtualProtect.
	// (Go naming would be oldProtect; kept as-is.)
	var old_protect uint32
	// allocate memory buffer for payload as READ-WRITE (no executable)
	// Proc.Call returns (r1, r2, lastErr); only r1, the base address, is kept.
	// NOTE(review): on failure r1 is 0 and the two calls below would copy
	// to and then call address 0. The local name `runtime` also shadows
	// the standard package name, which is confusing if that package is
	// ever imported here.
	runtime, _, _ := VirtualAlloc.Call(0, uintptr(len(payload)), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
	// copy payload to the buffer
	// Source is the first payload byte, length is len(payload); an empty
	// payload would panic on &payload[0] before the call is made.
	RtlMoveMemory.Call(runtime, (uintptr)(unsafe.Pointer(&payload[0])), uintptr(len(payload)))
	// make buffer executable (R-X)
	// A private (non-image) region going RW -> RX and then being called is
	// the pattern memory-scanning defences commonly alert on.
	// NOTE(review): the BOOL result of VirtualProtect is discarded.
	VirtualProtect.Call(runtime, uintptr(len(payload)), PAGE_EXECUTE_READ, (uintptr)(unsafe.Pointer(&old_protect)))
	// executing
	// On Windows, syscall.Syscall invokes the procedure at address `trap`
	// with nargs arguments, so this is a plain call into the buffer, not a
	// kernel system call. Its (r1, r2, err) results are ignored too.
	syscall.Syscall(runtime, 0, 0, 0, 0)
}