search

BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0
8.22k stars 1.08k forks source link

Support ACG (Arbitrary Code Guard) #336

Open timwhitez opened 3 years ago

timwhitez commented 3 years ago

https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy

timwhitez commented 3 years ago

I was trying to work with ACG in Golang but failed because I can't truly define _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY struct in golang. can you give me some help?

timwhitez commented 3 years ago

here is my source code:

package main

import (
    "bufio"
    "fmt"
    "golang.org/x/sys/windows"
    "os"
    "unsafe"
)

type PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY struct {
    flag int
    MicrosoftSignedOnly int
    StoreSignedOnly int
    MitigationOptIn int
    AuditMicrosoftSignedOnly int
    AuditStoreSignedOnly int
    ReservedFlags int
}

type PROCESS_MITIGATION_POLICY int32

const (
    ProcessSignaturePolicy             PROCESS_MITIGATION_POLICY = 8
)

func main(){

    kernel := windows.NewLazySystemDLL("kernel32")
    GetProcessMitigationPolicy := kernel.NewProc("GetProcessMitigationPolicy")

    SetProcessMitigationPolicy := kernel.NewProc("SetProcessMitigationPolicy")
    var signature PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
    hProcess := uintptr(0xffffffffffffffff)
    _,_,r :=GetProcessMitigationPolicy.Call(hProcess, uintptr(ProcessSignaturePolicy), uintptr(unsafe.Pointer(&signature)), unsafe.Sizeof((signature)))
    fmt.Println(r)
    fmt.Printf("   MicrosoftSignedOnly                        %x\n", signature.MicrosoftSignedOnly)
    signature.MicrosoftSignedOnly = 1
    _,_,r =SetProcessMitigationPolicy.Call(uintptr(ProcessSignaturePolicy), uintptr(unsafe.Pointer(&signature)), unsafe.Sizeof(signature))
    fmt.Println(r)
    fmt.Println("set ACG")
    var signature0 PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
    _,_,r =GetProcessMitigationPolicy.Call(hProcess, uintptr(ProcessSignaturePolicy), uintptr(unsafe.Pointer(&signature0)), unsafe.Sizeof((signature)))
    fmt.Println(r)
    fmt.Printf("   MicrosoftSignedOnly                        %x\n", signature0.MicrosoftSignedOnly)
    fmt.Print("Press 'Enter' to continue...")
    bufio.NewReader(os.Stdin).ReadBytes('\n')
}