Add examples

Author: kulinacs

.github/workflows/build.yml

@@ -3,6 +3,8 @@ name: Build main
 on:
   push:
     branches: [main]
+  pull_request:
+    branches: [main]
 jobs:
   build:
     runs-on: windows-latest
@@ -34,3 +36,7 @@ jobs:
           name: Shelidate
           path: shelidate.exe
           retention-days: 7
+      - name: Run example/simple tests
+        run: go test -timeout 30s -v ./examples/simple/...
+      - name: Run example/options tests
+        run: go test -timeout 30s -v ./examples/options/...

.gitignore

@@ -0,0 +1 @@
+*.exe

.vscode/c_cpp_properties.json

@@ -0,0 +1,21 @@
+{
+    "configurations": [
+        {
+            "name": "Win32",
+            "includePath": [
+                "${workspaceFolder}/**"
+            ],
+            "defines": [
+                "_DEBUG",
+                "UNICODE",
+                "_UNICODE"
+            ],
+            "windowsSdkVersion": "10.0.22621.0",
+            "cStandard": "c17",
+            "cppStandard": "c++17",
+            "intelliSenseMode": "windows-gcc-x64",
+            "compilerPath": "C:\\msys64\\ucrt64\\bin\\gcc.exe"
+        }
+    ],
+    "version": 4
+}

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+    "C_Cpp.default.compilerPath": ""
+}

examples/options/main.c.tmpl

@@ -0,0 +1,47 @@
+#include <windows.h>
+#include <stdio.h>
+
+DWORD WINAPI run() {
+  unsigned char shellcode[] = {{ byteArray .Shellcode }};
+  {{ if .Prepend }}
+  SIZE_T shellcode_len = {{ len .Shellcode | add 1024 }};
+  {{ else }}
+  SIZE_T shellcode_len = {{ len .Shellcode }};
+  {{ end }}
+
+  {{ if .RWX }}
+  LPVOID dest = VirtualAlloc(NULL, shellcode_len, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+  {{ else }}
+  LPVOID dest = VirtualAlloc(NULL, shellcode_len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
+  {{ end }}
+  if (dest == NULL)
+  {
+    return 0;
+  }
+
+  {{ if .Prepend }}
+  memcpy(dest + 1024, shellcode, shellcode_len - 1024);
+  {{ else }}
+  memcpy(dest, shellcode, shellcode_len);
+  {{ end }}
+
+  {{ if not .RWX }}
+  DWORD oldProtect = 0;
+  VirtualProtect(dest, shellcode_len, PAGE_EXECUTE_READ, &oldProtect);
+  {{ end }}
+
+  void (*function)();
+  {{ if .Prepend }}
+  function = (void (*)())(dest + 1024);
+  {{ else }}
+  function = (void (*)())dest;
+  {{ end }}
+  function();
+
+  return 0;
+}
+
+int main() {
+  run();
+  return 0;
+}

examples/options/main.go

@@ -0,0 +1,88 @@
+package main
+
+import (
+	_ "embed"
+	"fmt"
+	"html/template"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+//go:embed main.c.tmpl
+var tmplS string
+
+// byteArray returns a string representation of a C byte array
+func byteArray(b []byte) string {
+	var s strings.Builder
+	fmt.Fprint(&s, "{ ")
+full:
+	for i := 0; i < len(b); i += 16 {
+		for j := 0; j < 16; j++ {
+			if i+j >= len(b)-1 {
+				fmt.Fprintf(&s, "0x%x", b[i+j])
+				break full
+			}
+			fmt.Fprintf(&s, "0x%x, ", b[i+j])
+		}
+		fmt.Fprint(&s, "\n")
+	}
+	fmt.Fprint(&s, " }")
+	return s.String()
+}
+
+func add(a int, b int) int {
+	return a + b
+}
+
+type State struct {
+	Shellcode []byte
+	RWX       bool
+	Prepend   bool
+}
+
+func generate(shellcode string, rwx bool, prepend bool, out string) error {
+	tmpl := template.Must(template.New("output").Funcs(template.FuncMap{
+		"add":       add,
+		"byteArray": byteArray,
+	}).Parse(tmplS))
+
+	shellcodeB, err := os.ReadFile(shellcode)
+	if err != nil {
+		return fmt.Errorf("unable to open shellcode: %v", err)
+	}
+
+	state := State{
+		Shellcode: shellcodeB,
+		RWX:       rwx,
+		Prepend:   prepend,
+	}
+
+	output, err := os.CreateTemp("", "example-options-*.c")
+	if err != nil {
+		return fmt.Errorf("unable to open output file: %v", err)
+	}
+	defer os.Remove(output.Name())
+
+	if err = tmpl.Execute(output, &state); err != nil {
+		return fmt.Errorf("unable to template output file: %v", err)
+	}
+
+	if out, err := exec.Command("gcc", output.Name(), "-o", out).CombinedOutput(); err != nil {
+		return fmt.Errorf("unable to compile (%s): %v", out, err)
+	}
+
+	return nil
+}
+
+func main() {
+	if len(os.Args) != 3 {
+		fmt.Printf("usage: %v <shellcode_file> <output_file>", os.Args[0])
+		return
+	}
+
+	if err := generate(os.Args[1], true, true, os.Args[2]); err != nil {
+		fmt.Printf("failed to generate: %v", err)
+		return
+	}
+}

examples/options/main_test.go

@@ -0,0 +1,63 @@
+package main
+
+import (
+	"fmt"
+	"math/rand/v2"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/mandiant/shelidate"
+)
+
+var s shelidate.Server
+
+func TestGenerate(t *testing.T) {
+	tmpdir := t.TempDir()
+	sh, err := s.Generate(tmpdir, rand.Uint32())
+	if err != nil {
+		t.Fatalf("failed to generate test shellcode: %v", err)
+	}
+
+	tests := []struct {
+		RWX     bool
+		Prepend bool
+	}{
+		{RWX: false, Prepend: false},
+		{RWX: true, Prepend: false},
+		{RWX: false, Prepend: true},
+		{RWX: true, Prepend: true},
+	}
+	for _, args := range tests {
+		t.Run(fmt.Sprintf("RXW:%v;Prepend:%v", args.RWX, args.Prepend), func(t *testing.T) {
+			out := filepath.Join(tmpdir, fmt.Sprintf("main-%v-%v.exe", args.RWX, args.Prepend))
+
+			if err := generate(sh.Path, args.RWX, args.Prepend, out); err != nil {
+				t.Fatalf("failed to generate payload: %v", err)
+			}
+
+			var wg sync.WaitGroup
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+				<-sh.Recv
+			}()
+			if _, err := exec.Command(out).CombinedOutput(); err != nil {
+				t.Fatalf("failed to exec payload: %v", err)
+			}
+			wg.Wait()
+		})
+	}
+}
+
+func TestMain(m *testing.M) {
+	if err := s.Listen("127.0.0.1:13373"); err != nil {
+		os.Exit(1)
+	}
+	defer s.Close()
+
+	code := m.Run()
+	os.Exit(code)
+}

examples/simple/main.c.tmpl

@@ -0,0 +1,25 @@
+#include <windows.h>
+
+DWORD WINAPI run() {
+  unsigned char shellcode[] = {{ byteArray .Shellcode }};
+  SIZE_T shellcode_len = {{ len .Shellcode }};
+
+  LPVOID dest = VirtualAlloc(NULL, shellcode_len, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+  if (dest == NULL)
+  {
+    return 0;
+  }
+  memcpy(dest, shellcode, shellcode_len);
+
+
+  void (*function)();
+  function = (void (*)())dest;
+  function();
+
+  return 0;
+}
+
+int main() {
+  run();
+  return 0;
+}

examples/simple/main.go

@@ -0,0 +1,79 @@
+package main
+
+import (
+	_ "embed"
+	"fmt"
+	"html/template"
+	"os"
+	"os/exec"
+	"strings"
+)
+
+//go:embed main.c.tmpl
+var tmplS string
+
+// byteArray returns a string representation of a C byte array
+func byteArray(b []byte) string {
+	var s strings.Builder
+	fmt.Fprint(&s, "{ ")
+full:
+	for i := 0; i < len(b); i += 16 {
+		for j := 0; j < 16; j++ {
+			if i+j >= len(b)-1 {
+				fmt.Fprintf(&s, "0x%x", b[i+j])
+				break full
+			}
+			fmt.Fprintf(&s, "0x%x, ", b[i+j])
+		}
+		fmt.Fprint(&s, "\n")
+	}
+	fmt.Fprint(&s, " }")
+	return s.String()
+}
+
+type State struct {
+	Shellcode []byte
+}
+
+func generate(shellcode string, out string) error {
+	tmpl := template.Must(template.New("output").Funcs(template.FuncMap{
+		"byteArray": byteArray,
+	}).Parse(tmplS))
+
+	shellcodeB, err := os.ReadFile(shellcode)
+	if err != nil {
+		return fmt.Errorf("unable to open shellcode: %v", err)
+	}
+
+	state := State{
+		Shellcode: shellcodeB,
+	}
+
+	output, err := os.CreateTemp("", "example-simple-*.c")
+	if err != nil {
+		return fmt.Errorf("unable to open output file: %v", err)
+	}
+	defer os.Remove(output.Name())
+
+	if err = tmpl.Execute(output, &state); err != nil {
+		return fmt.Errorf("unable to template output file: %v", err)
+	}
+
+	if out, err := exec.Command("gcc", output.Name(), "-o", out).CombinedOutput(); err != nil {
+		return fmt.Errorf("unable to compile (%s): %v", out, err)
+	}
+
+	return nil
+}
+
+func main() {
+	if len(os.Args) != 3 {
+		fmt.Printf("usage: %v <shellcode_file> <output_file>", os.Args[0])
+		return
+	}
+
+	if err := generate(os.Args[1], os.Args[2]); err != nil {
+		fmt.Printf("failed to generate: %v", err)
+		return
+	}
+}