RunHacking8
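#include <Windows.h>
#include <stdio.h>

// Not referenced by anything in this file; kept in case another translation
// unit (not visible here) links against it.
DWORD threadID;

// DllMain: standard DLL entry point. None of the four loader notifications
// does any work; the function only reports success so the loader keeps the
// module mapped. hModule and lpReserved are intentionally unused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(lpReserved);

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// RunHacking8: exported test entry point. Pops an information message box and
// returns TRUE. extern "C" prevents C++ name mangling so the export keeps its
// plain name in the export table.
//
// The (buffer, length) pair is accepted but never read here; it looks like a
// caller-supplied user-data convention — confirm against whatever loads the DLL.
extern "C" __declspec(dllexport) BOOL RunHacking8(LPVOID lpUserdata, DWORD nUserdataLen)
{
    UNREFERENCED_PARAMETER(lpUserdata);
    UNREFERENCED_PARAMETER(nUserdataLen);

    // MB_ICONINFORMATION is the named form of the literal 64 (0x40) used before.
    MessageBoxA(NULL, "Hacking8 Test!", "Hello", MB_ICONINFORMATION);
    return TRUE;
}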
main.h
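// Include guard: this header is pulled in through the cgo preamble in main.go.
#pragma once

#include <windows.h>

// RunHacking8 is the Go-exported entry point (see the //export directive in main.go).
void RunHacking8();

// DllMain prototype for the shared-library build. No definition is visible in
// this project; presumably the Go c-shared runtime supplies it — confirm.
BOOL WINAPI DllMain(
    HINSTANCE _hinstDLL,  // handle to DLL module
    DWORD _fdwReason,     // reason for calling function
    LPVOID _lpReserved    // reserved
);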
main.go
package main //#include "main.h" import "C" import ( "os/exec" ) var isRunning bool = false // RunHacking8 - Export for shared lib build //export RunHacking8 func RunHacking8() { if !isRunning { isRunning = true main() } } // Thanks Ne0nd0g for those //https://github.com/Ne0nd0g/merlin/blob/master/cmd/merlinagentdll/main.go#L65 // DllInstall is used when executing the implant with regsvr32.exe (i.e. regsvr32.exe /s /n /i sliver.dll) // https://msdn.microsoft.com/en-us/library/windows/desktop/bb759846(v=vs.85).aspx //export DllInstall func DllInstall() { main() } func main() { _ = exec.Command("calc.exe").Run() }编译
# Build main.go as a Windows shared library (DLL). -s -w drop the symbol
# table and DWARF debug info so the resulting file is smaller.
go build -buildmode=c-shared -ldflags='-s -w' -o export.dll main.go
一些漏洞利用程序(如MS17-010)经常需要一段shellcode代码,shellcode也经常在免杀以及渗透中发挥重要作用。由于Windows shellcode开发难度比较大,使用传统软件生成的shellcode功能比较少。
程序会将DLL转换为与位置无关的Shellcode(支持32位和64位),增强shellcode的功能。