-
Notifications
You must be signed in to change notification settings - Fork 4
/
main.go
116 lines (96 loc) · 2.39 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
package main
import (
"bytes"
"fmt"
"github.com/Binject/debug/pe"
"os"
"strings"
"syscall"
"unsafe"
)
func main() {
fileName := os.Args[1]
function0 := os.Args[2]
buf, e := os.ReadFile(fileName)
if e != nil {
panic(e)
}
Ldr1(fileName, function0)
Ldr2(buf, function0)
}
func Ldr1(fn, funcn string) {
p, e := pe.Open(fn)
if e != nil {
panic(e)
}
//funcN := "ReflectiveLoader"
funcN := funcn
ex, e := p.Exports()
if e != nil {
panic(e)
}
var RDIOffset uintptr
for _, exp := range ex {
if strings.Contains(strings.ToLower(exp.Name), strings.ToLower(funcN)) {
RDIOffset = uintptr(rvaToOffset(p, exp.VirtualAddress))
}
}
fmt.Printf("Offset: 0x%x\n", RDIOffset)
buf, e := p.Bytes()
if e != nil {
panic(e)
}
va := syscall.NewLazyDLL("kernel32").NewProc("VirtualAlloc").Addr()
ba, _, _ := syscall.SyscallN(va, 0, uintptr(len(buf)), 0x1000|0x2000, syscall.PAGE_EXECUTE_READWRITE)
if ba == 0 {
panic("VirtualAlloc")
}
writeMem(ba, buf)
Ldr := ba + RDIOffset
syscall.SyscallN(Ldr)
}
func Ldr2(buf []byte, funcn string) {
p, e := pe.NewFile(bytes.NewReader(buf))
if e != nil {
panic(e)
}
//funcN := "ReflectiveLoader"
funcN := funcn
ex, e := p.Exports()
if e != nil {
panic(e)
}
var RDIOffset uintptr
for _, exp := range ex {
if strings.Contains(strings.ToLower(exp.Name), strings.ToLower(funcN)) {
RDIOffset = uintptr(rvaToOffset(p, exp.VirtualAddress))
}
}
fmt.Printf("Offset: 0x%x\n", RDIOffset)
va := syscall.NewLazyDLL("kernel32").NewProc("VirtualAlloc").Addr()
ba, _, _ := syscall.SyscallN(va, 0, uintptr(len(buf)), 0x1000|0x2000, syscall.PAGE_EXECUTE_READWRITE)
if ba == 0 {
panic("VirtualAlloc")
}
writeMem(ba, buf)
Ldr := ba + RDIOffset
syscall.Syscall(Ldr, 0, 0, 0, 0)
}
// rvaToOffset converts an RVA value from a PE file into the file offset. When using binject/debug, this should work fine even with in-memory files.
func rvaToOffset(pefile *pe.File, rva uint32) uint32 {
for _, hdr := range pefile.Sections {
baseoffset := uint64(rva)
if baseoffset > uint64(hdr.VirtualAddress) &&
baseoffset < uint64(hdr.VirtualAddress+hdr.VirtualSize) {
return rva - hdr.VirtualAddress + hdr.Offset
}
}
return rva
}
func writeMem(destination uintptr, inbuf []byte) {
for index := uint32(0); index < uint32(len(inbuf)); index++ {
writePtr := unsafe.Pointer(destination + uintptr(index))
v := (*byte)(writePtr)
*v = inbuf[index]
}
}