-
Notifications
You must be signed in to change notification settings - Fork 73
Expand file tree
/
Copy pathEXEfromMemory.go
More file actions
121 lines (99 loc) · 3.02 KB
/
EXEfromMemory.go
File metadata and controls
121 lines (99 loc) · 3.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
// +build windows
package main
import (
"fmt"
"io/ioutil"
"log"
"os"
"runtime"
"syscall"
"unsafe"
clr "github.com/ropnop/go-clr"
)
func must(err error) {
if err != nil {
log.Fatal(err)
}
}
func checkOK(hr uintptr, caller string) {
if hr != 0x0 {
log.Fatalf("%s returned 0x%08x", caller, hr)
}
}
func init() {
if len(os.Args) != 2 {
fmt.Println("Usage: EXEfromMemory.exe <exe_file>")
os.Exit(1)
}
}
func main() {
filename := os.Args[1]
exebytes, err := ioutil.ReadFile(filename)
must(err)
runtime.KeepAlive(exebytes)
var pMetaHost uintptr
hr := clr.CLRCreateInstance(&clr.CLSID_CLRMetaHost, &clr.IID_ICLRMetaHost, &pMetaHost)
checkOK(hr, "CLRCreateInstance")
metaHost := clr.NewICLRMetaHostFromPtr(pMetaHost)
versionString := "v4.0.30319"
pwzVersion, _ := syscall.UTF16PtrFromString(versionString)
var pRuntimeInfo uintptr
hr = metaHost.GetRuntime(pwzVersion, &clr.IID_ICLRRuntimeInfo, &pRuntimeInfo)
checkOK(hr, "metahost.GetRuntime")
runtimeInfo := clr.NewICLRRuntimeInfoFromPtr(pRuntimeInfo)
var isLoadable bool
hr = runtimeInfo.IsLoadable(&isLoadable)
checkOK(hr, "runtimeInfo.IsLoadable")
if !isLoadable {
log.Fatal("[!] IsLoadable returned false. Bailing...")
}
hr = runtimeInfo.BindAsLegacyV2Runtime()
checkOK(hr, "runtimeInfo.BindAsLegacyV2Runtime")
var pRuntimeHost uintptr
hr = runtimeInfo.GetInterface(&clr.CLSID_CorRuntimeHost, &clr.IID_ICorRuntimeHost, &pRuntimeHost)
runtimeHost := clr.NewICORRuntimeHostFromPtr(pRuntimeHost)
hr = runtimeHost.Start()
checkOK(hr, "runtimeHost.Start")
fmt.Println("[+] Loaded CLR into this process")
var pAppDomain uintptr
var pIUnknown uintptr
hr = runtimeHost.GetDefaultDomain(&pIUnknown)
checkOK(hr, "runtimeHost.GetDefaultDomain")
iu := clr.NewIUnknownFromPtr(pIUnknown)
hr = iu.QueryInterface(&clr.IID_AppDomain, &pAppDomain)
checkOK(hr, "iu.QueryInterface")
appDomain := clr.NewAppDomainFromPtr(pAppDomain)
fmt.Println("[+] Got default AppDomain")
fmt.Printf("[+] Loaded %d bytes into memory from %s\n", len(exebytes), filename)
safeArray, err := clr.CreateSafeArray(exebytes)
must(err)
runtime.KeepAlive(safeArray)
fmt.Println("[+] Crated SafeArray from byte array")
var pAssembly uintptr
hr = appDomain.Load_3(uintptr(unsafe.Pointer(&safeArray)), &pAssembly)
checkOK(hr, "appDomain.Load_3")
assembly := clr.NewAssemblyFromPtr(pAssembly)
fmt.Printf("[+] Executable loaded into memory at 0x%08x\n", pAssembly)
var pEntryPointInfo uintptr
hr = assembly.GetEntryPoint(&pEntryPointInfo)
checkOK(hr, "assembly.GetEntryPoint")
fmt.Printf("[+] Executable entrypoint found at 0x%08x. Calling...\n", pEntryPointInfo)
fmt.Println("-------")
methodInfo := clr.NewMethodInfoFromPtr(pEntryPointInfo)
var pRetCode uintptr
nullVariant := clr.Variant{
VT: 1,
Val: uintptr(0),
}
hr = methodInfo.Invoke_3(
nullVariant,
uintptr(0),
&pRetCode)
fmt.Println("-------")
checkOK(hr, "methodInfo.Invoke_3")
fmt.Printf("[+] Executable returned code %d\n", pRetCode)
appDomain.Release()
runtimeHost.Release()
runtimeInfo.Release()
metaHost.Release()
}