Webcast: Shellcode Execution with GoLang





In this Black Hills Information Security (BHIS) webcast, we explore using GoLang to author malware with embedded shellcode.

GoLang is a Google-authored modern successor language to C/C++. It is multi-platform, high performance, multi-threaded, and unlike C/C++ includes garbage collection! It has the advantage of compiling to native machine code, unlike .NET C# which is dependent on the common language runtime, and easily reversible. We explore how to execute Windows shellcode with GoLang in the same process thread space, and then also explore one process injection method.

If you are a penetration tester looking to expand your malware authoring skills, a little Go(lang) will take you far!

Recorded • 2021-05-20

Join the BHIS Community Discord: https://discord.gg/bhis

00:00 – FEATURE PRESENTATION BEGINS: Shellcode Execution with GoLang

01:39 – Meet Joff Thyer

02:16 – What is GoLang?

04:14 – Aspects of GoLang

07:43 – C# or Go?

09:24 – Go Command Line

10:57 – Golang Type Safety

11:31 – What is Shellcode?

12:51 – Sources of Shellcode

14:50 – Executing Shellcode on Windows

16:08 – GoLang “unsafe” Package

16:55 – Go “syscall” package is becoming per platform

17:50 – GoLang “windows” Package

18:22 – “x/sys/windows” package

20:29 – Looking deeper into Syscall

22:26 – Calling Functions out of Kernel32.dll

23:14 – GoLang: Byte Array for Shellcode

24:35 – Method 1: Direct Syscall

29:32 – Tangent: The A/V and EDR evasion paradox

32:36 – Single byte XOR function in GoLang

34:02 – Method 2: Creating Thread in Same Process

35:50 – GoLang Windows Native DLL

36:57 – Steps to build a native DLL

41:18 – Living off the Land with Native DLL

44:05 – DEMO : Run shell code

46:42 – Method 3: Process Injection

49:07 – DEMO – Remote Process Injection

50:10 – Additional Resources

50:51 – DEMO – Remote Process Injection cont.

52:54 – QnA

54:39 – LINK: Attacker Emulation and C2 – https://www.antisyphontraining.com/enterprise-attacker-emulation-and-c2-implant-development-w-joff-thyer/


Check out our Cyber Range, not just a place to work through challenges and play, but also an open direct/hands-on training environment.

https://www.blackhillsinfosec.com/services/cyber-range/