sliver
sliver copied to clipboard
Published
20 hours ago •
BishopFox
BishopFox
Support ACG (Arbitrary Code Guard)
https://www.ired.team/offensive-security/defense-evasion/acg-arbitrary-code-guard-processdynamiccodepolicy
I was trying to work with ACG in Golang but failed because I can't truly define _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY struct in golang. can you give me some help?
here is my source code:
package main
import (
"bufio"
"fmt"
"golang.org/x/sys/windows"
"os"
"unsafe"
)
type PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY struct {
flag int
MicrosoftSignedOnly int
StoreSignedOnly int
MitigationOptIn int
AuditMicrosoftSignedOnly int
AuditStoreSignedOnly int
ReservedFlags int
}
type PROCESS_MITIGATION_POLICY int32
const (
ProcessSignaturePolicy PROCESS_MITIGATION_POLICY = 8
)
func main(){
kernel := windows.NewLazySystemDLL("kernel32")
GetProcessMitigationPolicy := kernel.NewProc("GetProcessMitigationPolicy")
SetProcessMitigationPolicy := kernel.NewProc("SetProcessMitigationPolicy")
var signature PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
hProcess := uintptr(0xffffffffffffffff)
_,_,r :=GetProcessMitigationPolicy.Call(hProcess, uintptr(ProcessSignaturePolicy), uintptr(unsafe.Pointer(&signature)), unsafe.Sizeof((signature)))
fmt.Println(r)
fmt.Printf(" MicrosoftSignedOnly %x\n", signature.MicrosoftSignedOnly)
signature.MicrosoftSignedOnly = 1
_,_,r =SetProcessMitigationPolicy.Call(uintptr(ProcessSignaturePolicy), uintptr(unsafe.Pointer(&signature)), unsafe.Sizeof(signature))
fmt.Println(r)
fmt.Println("set ACG")
var signature0 PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY
_,_,r =GetProcessMitigationPolicy.Call(hProcess, uintptr(ProcessSignaturePolicy), uintptr(unsafe.Pointer(&signature0)), unsafe.Sizeof((signature)))
fmt.Println(r)
fmt.Printf(" MicrosoftSignedOnly %x\n", signature0.MicrosoftSignedOnly)
fmt.Print("Press 'Enter' to continue...")
bufio.NewReader(os.Stdin).ReadBytes('\n')
}