  1. package main
  2.  
  3. import (
  4. "fmt"
  5. "log"
  6. "reflect"
  7. "syscall"
  8. "unsafe"
  9. )
  10.  
  // helloworldInstructions is a hand-assembled amd64 routine followed by the
  // data it prints. The leading number in each comment is the byte offset of
  // that row inside the slice; three of the zero-filled fields (offsets 17, 66
  // and 80) are placeholders that must be patched after the bytes are copied to
  // their final address.
  //
  // NOTE(review): the sequence places the call arguments on the stack, so it
  // presumably depends on a toolchain whose amd64 functions take their
  // arguments from the stack — confirm before building with a newer compiler.
  var helloworldInstructions = []byte{
  	// --- prologue: reserve a 0x48-byte frame and save the caller's %rbp ---
  	0x48, 0x83, 0xec, 0x48, //        0: sub  $0x48,%rsp
  	0x48, 0x89, 0x6c, 0x24, 0x40, //  4: mov  %rbp,0x40(%rsp)
  	0x48, 0x8d, 0x6c, 0x24, 0x40, //  9: lea  0x40(%rsp),%rbp

  	// --- build a two-word interface value at 0x30(%rsp) ---
  	0x48, 0x8d, 0x05, 0x00, 0x00, 0x00, 0x00, // 14: lea 0x0(%rip),%rax   string type address; rel32 at 17..20 is patched
  	0x48, 0x89, 0x44, 0x24, 0x30, //             21: mov %rax,0x30(%rsp)
  	0x48, 0x8d, 0x05, 0x2f, 0x00, 0x00, 0x00, // 26: lea 0x2f(%rip),%rax  string value address (33+0x2f = offset 80)
  	0x48, 0x89, 0x44, 0x24, 0x38, //             33: mov %rax,0x38(%rsp)

  	// --- argument area at (%rsp): pointer to that value, then 1 and 1 ---
  	0x48, 0x8d, 0x44, 0x24, 0x30, //                         38: lea  0x30(%rsp),%rax
  	0x48, 0x89, 0x04, 0x24, //                               43: mov  %rax,(%rsp)
  	0x48, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00, 0x00, // 47: movq $0x1,0x8(%rsp)
  	0x48, 0xc7, 0x44, 0x24, 0x10, 0x01, 0x00, 0x00, 0x00, // 56: movq $0x1,0x10(%rsp)

  	// --- call fmt.Println, then epilogue ---
  	0xe8, 0x00, 0x00, 0x00, 0x00, // 65: callq 0x0(%rip)   rel32 at 66..69 is patched
  	0x48, 0x8b, 0x6c, 0x24, 0x40, // 70: mov   0x40(%rsp),%rbp
  	0x48, 0x83, 0xc4, 0x48, //       75: add   $0x48,%rsp
  	0xc3, //                         79: retq

  	// --- data: an 8-byte pointer, an 8-byte length, then the text itself ---
  	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // 80: points to data (patched with the absolute address of offset 96)
  	0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // 88: data length (11)
  	0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, // 96: "Hello world"
  }
  31.  
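  // createHelloworldFunction copies helloworldInstructions into a fresh
  // anonymous mapping, patches the three address fields the code depends on,
  // and returns the mapping wrapped as a callable func().
  //
  // Patched fields (byte offsets into the copied code):
  //   - 17..20: rel32 of the first lea, pointing at the string type address
  //   - 66..69: rel32 of the callq, pointing at fmt.Println
  //   - 80..87: absolute 64-bit address of the text at offset 96
  //
  // Any failure terminates the process through log.Fatalf. The mapping is never
  // unmapped, so it stays valid for as long as the returned function is used.
  func createHelloworldFunction() func() {
  	region, err := anonMMap(len(helloworldInstructions))
  	if err != nil {
  		log.Fatalf("failed to mmap: %+v", err)
  	}

  	copy(region, helloworldInstructions)

  	// The first word of a slice header is its data pointer, i.e. the base
  	// address of the mapping.
  	regionAddr := *(*uintptr)(unsafe.Pointer(&region))

  	// A rel32 is relative to the address of the *next* instruction: the lea
  	// ends at offset 21 and the callq at offset 70.
  	patchRel32(region, 17, stringTypeAddr(), regionAddr+21)

  	// A func value points at a cell whose first word is the code address,
  	// hence the double dereference.
  	printlnFunc := fmt.Println
  	printlnAddr := **(**uintptr)(unsafe.Pointer(&printlnFunc))
  	patchRel32(region, 66, printlnAddr, regionAddr+70)

  	// Little-endian absolute pointer to the text bytes.
  	helloworldDataAddr := regionAddr + 96
  	for i := 0; i < 8; i++ {
  		region[80+i] = byte(helloworldDataAddr >> (8 * uint(i)))
  	}

  	// All writes are done: drop PROT_WRITE before the code is ever executed so
  	// the region is not writable and executable at the moment it runs. The
  	// code only reads from the region (its data lives at offsets 80..106).
  	if err := syscall.Mprotect(region, syscall.PROT_READ|syscall.PROT_EXEC); err != nil {
  		log.Fatalf("failed to mprotect: %+v", err)
  	}

  	// The cell holding the code address is heap-allocated and reachable through
  	// a real pointer. Pointing the func value at the local slice header
  	// instead would leave it referring to this function's stack frame after
  	// return.
  	entry := new(uintptr)
  	*entry = regionAddr
  	return *(*func())(unsafe.Pointer(&entry))
  }

  // patchRel32 writes the little-endian 32-bit displacement from next to target
  // into code[off:off+4]. It aborts if the distance does not fit in a signed
  // 32-bit value, because a truncated displacement would silently redirect the
  // instruction to an unrelated address.
  func patchRel32(code []byte, off int, target, next uintptr) {
  	disp := int64(target) - int64(next)
  	if disp < -1<<31 || disp > 1<<31-1 {
  		log.Fatalf("rel32 displacement %d at offset %d does not fit in 32 bits", disp, off)
  	}
  	for i := 0; i < 4; i++ {
  		code[off+i] = byte(disp >> (8 * uint(i)))
  	}
  }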
  70.  
  // anonMMap returns a private anonymous mapping of len bytes that is readable,
  // writable and executable. MAP_32BIT is requested as well.
  //
  // NOTE(review): the mapping is writable and executable at the same time. A
  // caller that has finished writing code into it should drop PROT_WRITE with
  // mprotect before executing, so the region is never both at run time.
  func anonMMap(len int) ([]byte, error) {
  	const (
  		prot  = syscall.PROT_READ | syscall.PROT_WRITE | syscall.PROT_EXEC
  		flags = syscall.MAP_PRIVATE | syscall.MAP_ANON | syscall.MAP_32BIT
  	)
  	return syscall.Mmap(0, 0, len, prot, flags)
  }
  76.  
  // munmap issues the raw munmap system call for the len bytes starting at
  // addr. It returns the errno as an error when the kernel reports one and nil
  // otherwise. It is not called anywhere in the visible listing.
  func munmap(addr, len int) error {
  	if _, _, errno := syscall.Syscall(syscall.SYS_MUNMAP, uintptr(addr), uintptr(len), 0); errno != 0 {
  		return errno
  	}
  	return nil
  }
  84.  
  // stringTypeAddr returns the second machine word of the reflect.Type value
  // that describes string.
  //
  // NOTE(review): this reads an interface value as two raw words and takes the
  // data word, presumably the address of the runtime's type descriptor for
  // string. That layout is an implementation detail — confirm it for the
  // toolchain in use.
  func stringTypeAddr() uintptr {
  	strType := reflect.TypeOf("")

  	// Reinterpret the interface value as its two underlying words.
  	words := (*[2]uintptr)(unsafe.Pointer(&strType))
  	return words[1]
  }
  96.  
  // main builds the patched routine and invokes it once.
  func main() {
  	createHelloworldFunction()()
  }