前言

在学Go相关的免杀,来提高木马的存活性,看到一些有意思的东西记下来

加载DLL

syscall.NewLazyDLL、syscall.LoadLibrary、syscall.MustLoadDLL
NewLazyDLL返回*LazyDLL,只在第一次调用过程时才真正加载DLL;LoadLibrary则在调用时立即加载并返回句柄

创建函数

syscall.NewLazyDLL

package main

import (
	"log"
	"syscall"
	"unsafe"
)

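// main shows the first calling style: resolve user32.dll lazily through
// syscall.NewLazyDLL and invoke MessageBoxW via (*LazyProc).Call.
func main() {
	user32 := syscall.NewLazyDLL("user32.dll")
	messageBoxW := user32.NewProc("MessageBoxW")

	// Call panics if the DLL or the procedure cannot be found; Find surfaces
	// that as an error before the dialog is attempted.
	if err := messageBoxW.Find(); err != nil {
		log.Fatalf("resolving MessageBoxW: %v", err)
	}

	// UTF16PtrFromString replaces the deprecated StringToUTF16Ptr, which
	// panics instead of returning an error when the text contains a NUL.
	text, err := syscall.UTF16PtrFromString("windows下的第一种调用方式")
	if err != nil {
		log.Fatal(err)
	}
	caption, err := syscall.UTF16PtrFromString("ascotbe")
	if err != nil {
		log.Fatal(err)
	}

	// Call's error is always non-nil (it wraps GetLastError). MessageBoxW
	// reports failure through a zero primary return value, so r1 is checked
	// first and the error is only consulted in that case.
	r1, _, err := messageBoxW.Call(0,
		uintptr(unsafe.Pointer(text)),
		uintptr(unsafe.Pointer(caption)),
		0)
	if r1 == 0 {
		log.Fatalf("MessageBoxW: %v", err)
	}
}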

syscall.LoadLibrary

package main

import (
	"log"
	"syscall"
	"unsafe"
)

// MB_YESNOCANCEL is the MessageBox flag that shows Yes, No and Cancel buttons.
const MB_YESNOCANCEL = 0x00000003

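// main shows the second calling style: load user32.dll with
// syscall.LoadLibrary, resolve MessageBoxW with syscall.GetProcAddress and
// invoke it through syscall.Syscall9.
func main() {
	// The original discarded both errors; a failed load yields a zero handle
	// and a nil procedure address, which would crash inside Syscall9 below.
	user32, err := syscall.LoadLibrary("user32.dll")
	if err != nil {
		log.Fatalf("LoadLibrary user32.dll: %v", err)
	}
	// Best-effort release of the module handle on the normal exit path; there
	// is nothing useful to do if FreeLibrary fails at shutdown.
	defer syscall.FreeLibrary(user32)

	messageBox, err := syscall.GetProcAddress(user32, "MessageBoxW")
	if err != nil {
		log.Fatalf("GetProcAddress MessageBoxW: %v", err)
	}

	// UTF16PtrFromString replaces the deprecated StringToUTF16Ptr, which
	// panics instead of returning an error when the text contains a NUL.
	text, err := syscall.UTF16PtrFromString("第二种调用方式")
	if err != nil {
		log.Fatal(err)
	}
	caption, err := syscall.UTF16PtrFromString("ascotbe")
	if err != nil {
		log.Fatal(err)
	}

	// Syscall9 takes the real argument count (4) and pads the unused slots
	// with 0: hWnd, lpText, lpCaption, uType.
	r1, _, callErr := syscall.Syscall9(messageBox,
		4,
		0,
		uintptr(unsafe.Pointer(text)),
		uintptr(unsafe.Pointer(caption)),
		MB_YESNOCANCEL,
		0, 0, 0, 0, 0)
	// callErr is a syscall.Errno built from GetLastError. MessageBoxW signals
	// failure with a zero return value, so r1 decides whether it is relevant.
	if r1 == 0 {
		log.Fatalf("MessageBoxW: %v", callErr)
	}
}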

syscall.MustLoadDLL

package main

import (
	"log"
	"syscall"
	"unsafe"
)

// MB_YESNOCANCEL is the MessageBox flag that shows Yes, No and Cancel buttons.
const MB_YESNOCANCEL = 0x00000003

// user32 is loaded eagerly at package init; MustLoadDLL panics if the DLL
// cannot be loaded, which is the conventional place for a Must helper.
var user32 = syscall.MustLoadDLL("user32.dll")

// MessageBoxW is resolved from user32 at package init and panics if the
// export is missing.
var MessageBoxW = user32.MustFindProc("MessageBoxW")

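// main shows the third calling style: user32 and MessageBoxW were resolved at
// package init with MustLoadDLL/MustFindProc, so only the call remains here.
func main() {
	// UTF16PtrFromString replaces the deprecated StringToUTF16Ptr, which
	// panics instead of returning an error when the text contains a NUL.
	text, err := syscall.UTF16PtrFromString("第三种调用方式")
	if err != nil {
		log.Fatal(err)
	}
	caption, err := syscall.UTF16PtrFromString("ascotbe")
	if err != nil {
		log.Fatal(err)
	}

	// (*Proc).Call always returns a non-nil error built from GetLastError, so
	// the original `if err != nil` check was always true. MessageBoxW reports
	// failure through a zero primary return value; check r1 and only then
	// report the error.
	r1, _, err := MessageBoxW.Call(0,
		uintptr(unsafe.Pointer(text)),
		uintptr(unsafe.Pointer(caption)),
		MB_YESNOCANCEL)
	if r1 == 0 {
		log.Fatalf("MessageBoxW: %v", err)
	}
}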
Call
Call的返回值与syscall.Syscall相同:r1, r2 uintptr, err error
其中err由syscall包通过GetLastError构造成syscall.Errno,并且总是非nil,因此应先根据r1判断调用是否失败,再查看err
Call的所有参数类型都是uintptr

API函数签名

CreateJobObjectA
HANDLE CreateJobObjectA(
LPSECURITY_ATTRIBUTES lpJobAttributes,
LPCSTR lpName
);
CreateJobObjectA的第一个参数类型是LPSECURITY_ATTRIBUTES

C结构与Go结构

LPSECURITY_ATTRIBUTES
typedef struct _SECURITY_ATTRIBUTES {
DWORD nLength;
LPVOID lpSecurityDescriptor;
BOOL bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;
在syscall包中与之对应的结构体是SecurityAttributes,C中的定义如下:
typedef struct _SECURITY_ATTRIBUTES {
DWORD nLength;
LPVOID lpSecurityDescriptor;
BOOL bInheritHandle;
} SECURITY_ATTRIBUTES, *PSECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES;

而Go中SecurityAttributes的定义为:

type SecurityAttributes struct {
Length uint32
SecurityDescriptor uintptr
InheritHandle uint32
}
即DWORD对应uint32,LPVOID (void *)对应uintptr,BOOL对应uint32;这些定义可以在syscall包和go.sys中找到。

然而,了解下面这些常见C类型与Go类型的对应关系会非常有用。

type (
BOOL uint32
BOOLEAN byte
BYTE byte
DWORD uint32
DWORD64 uint64
HANDLE uintptr
HLOCAL uintptr
LARGE_INTEGER int64
LONG int32
LPVOID uintptr
SIZE_T uintptr
UINT uint32
ULONG_PTR uintptr
ULONGLONG uint64
WORD uint16
)

参考文章

https://razeencheng.com/post/breaking-all-the-rules-using-go-to-call-windows-api.html