1. Basic DLL using Golang
#golang #maldev #malwaredevelopment #persistence
A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box. It helps promote code reuse and efficient memory usage.
Let's dive on how we can program and compile a dll in Golang.
DLL Template in C
In C++ a skeleton DLL template looks like this:
There are a few things happening here. In the DllMain function there is a case switch where code execution happens when the dll is attached, detached on both process and thread. We cannot recreate DllMain inGolang, but we have alternatives.
On line 22 a function named test() is exported.
Windows comes with a tool for testing dlls called rundll32.exe. To run an exported dll function the following code can be used:
Although we cannot recreate a like for like dll from c using Golang let's try recreate the above functionality.
DLL Template in Golang
Golang Code:
Line 3, CGO:
import "C" / cgo is required to compile a dll in go
Line 7, init():
In Go, the init function is a special function that can be defined in a package. The init function is not called explicitly; instead, it is automatically called by the Go runtime before the exported function of the program.
Line 17, Exported function:
All exported functions should be proceeded with the following comment:
//export <func name>
Line 28, main()
It's only required for the code to compile
Compiling the DLL
In order to compile the code Cgo should be installed on the PC. Here is a setup guide.
go build -buildmode=c-shared -o test.dll
Executing the dll using rundll32
Since our dll doesnt have a main function, we have to specify the function. In our code we exported the Test function so that's what we will run.
rundll32.exe .\test.dll, Test
After running the dll function Test, 2 messageboxes will show up. Firstly the one defined in the init() function and then the one from the Test() function.
We now have all the knowledge we need to generate a malicious dll.
Complete Code
Last updated