Talkin' Bout [Infosec] News

In this Black Hills Information Security (BHIS) webcast, we explore using GoLang to author malware with embedded shellcode.

GoLang (Go) is a Google-authored language positioned as a modern successor to C/C++. It is cross-platform, high performance and natively concurrent, and unlike C/C++ it includes garbage collection! It compiles to native machine code, whereas .NET C# depends on the Common Language Runtime and, because it ships as IL with rich metadata, is easily decompiled. We explore how to execute Windows shellcode from Go within the same process's address space, and then look at one method of injecting it into a remote process.

If you are a penetration tester looking to expand your malware authoring skills, a little Go(lang) will take you far!

Recorded • 2021-05-20

Join the BHIS Community Discord: https://discord.gg/bhis

00:00 – FEATURE PRESENTATION BEGINS: Shellcode Execution with GoLang

01:39 – Meet Joff Thyer

02:16 – What is GoLang?

04:14 – Aspects of GoLang

07:43 – C# or Go?

09:24 – Go Command Line

10:57 – Golang Type Safety

11:31 – What is Shellcode?

12:51 – Sources of Shellcode

14:50 – Executing Shellcode on Windows

16:08 – GoLang “unsafe” Package

16:55 – Go “syscall” package is becoming per platform

17:50 – GoLang “windows” Package

18:22 – “x/sys/windows” package

20:29 – Looking deeper into Syscall

22:26 – Calling Functions out of Kernel32.dll

Show Notes

  • (00:00) - FEATURE PRESENTATION BEGINS: Shellcode Execution with GoLang
  • (01:38) - Meet Joff Thyer
  • (02:15) - What is GoLang?
  • (04:12) - Aspects of GoLang
  • (07:40) - C# or Go?
  • (09:19) - Go Command Line
  • (10:52) - Golang Type Safety
  • (11:25) - What is Shellcode?
  • (12:44) - Sources of Shellcode
  • (14:43) - Executing Shellcode on Windows
  • (15:59) - GoLang "unsafe" Package
  • (16:46) - Go "syscall" package is becoming per platform
  • (17:42) - GoLang "windows" Package
  • (18:13) - "x/sys/windows" package
  • (20:20) - Looking deeper into Syscall
  • (22:13) - Calling Functions out of Kernel32.dll
  • (22:59) - GoLang: Byte Array for Shellcode
  • (24:18) - Method 1: Direct Syscall
  • (29:07) - Tangent: The A/V and EDR evasion paradox
  • (32:04) - Single byte XOR function in GoLang
  • (33:27) - Method 2: Creating Thread in Same Process
  • (35:13) - GoLang Windows Native DLL
  • (36:19) - Steps to build a native DLL
  • (40:38) - Living off the Land with Native DLL
  • (43:22) - DEMO : Run shell code
  • (45:55) - Method 3: Process Injection
  • (48:20) - DEMO - Remote Process Injection
  • (49:19) - Additional Resources
  • (49:59) - DEMO - Remote Process Injection cont.
  • (52:01) - QnA
  • (53:46) - LINK: Attacker Emulation and C2 - https://www.antisyphontraining.com/enterprise-attacker-emulation-and-c2-implant-development-w-joff-thyer/

What is Talkin' Bout [Infosec] News?

A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET