Fscan二次开发与免杀技术详解<\/h1>

一、前言<\/h2>
在当今严格的安全环境下，传统安全工具容易被静态和行为分析识别。本文详细记录对Go语言编写的fscan工具进行二次开发，通过特征绕过和体积优化实现高程度免杀的技术方法。<\/p>

二、项目准备<\/h2>

下载项目：<\/p>

git clone https:\/\/github.com\/shadow1ng\/fscan
<\/span><\/span><\/code><\/pre><\/li>

推荐使用shadow1ng的fscan版本作为基础进行修改<\/p>
<\/li>
<\/ol>
三、静态特征去除<\/h2>
1. 修改项目标识<\/h3>

进入go.mod<\/code>文件，将module fscan<\/code>改为自定义名称如module hacker<\/code><\/li>
全局搜索替换所有fscan<\/code>字符串为自定义名称<\/li>
修改后所有导入路径将变为hacker\/xxxx<\/code>形式<\/li>
<\/ul>
2. 修改命令行参数<\/h3>

修改common\/flag.go<\/code>文件中的参数定义：

更改-h<\/code>帮助参数为其他值（如示例中的ta<\/code>）<\/li>
修改其他可能被检测的危险参数名称<\/li>
<\/ul>
<\/li>
<\/ul>
3. 删除\/修改Banner信息<\/h3>

直接删除或修改项目中的Banner信息<\/li>
避免保留任何可能被标记的危险字符串<\/li>
<\/ul>
4. 修改帮助输出<\/h3>

编辑i18n.go<\/code>文件中的帮助信息输出<\/li>
自定义帮助文本以增强抗静态分析能力<\/li>
<\/ul>
四、动态行为绕过<\/h2>
1. 修改主函数逻辑（main.go）<\/h3>
func<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 添加启动条件检查
<\/span><\/span><\/span><\/span>    if<\/span> len(os<\/span>.Args<\/span>) < 2<\/span> ||<\/span> os<\/span>.Args<\/span>[1<\/span>] !=<\/span> "confirm"<\/span> {
<\/span><\/span>        fmt<\/span>.Println<\/span>("[+] 请以 confirm 模式启动程序: xxx.exe confirm"<\/span>)
<\/span><\/span>        os<\/span>.Exit<\/span>(1<\/span>)
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 重写os.Args去除confirm参数
<\/span><\/span><\/span><\/span>    os<\/span>.Args<\/span> = append([]string<\/span>{os<\/span>.Args<\/span>[0<\/span>]}, os<\/span>.Args<\/span>[2<\/span>:]...<\/span>)
<\/span><\/span>    
<\/span><\/span>    \/\/ 添加人机验证
<\/span><\/span><\/span><\/span>    rand<\/span>.Seed<\/span>(time<\/span>.Now<\/span>().UnixNano<\/span>())
<\/span><\/span>    n1<\/span> :=<\/span> rand<\/span>.Intn<\/span>(15<\/span>)
<\/span><\/span>    n2<\/span> :=<\/span> rand<\/span>.Intn<\/span>(15<\/span>)
<\/span><\/span>    checktime<\/span>()
<\/span><\/span>    fmt<\/span>.Println<\/span>("[+] enter your Verification"<\/span>)
<\/span><\/span>    fmt<\/span>.Printf<\/span>("[ %d ] + [ %d ] = "<\/span>, n1<\/span>, n2<\/span>)
<\/span><\/span>    var<\/span> num<\/span> int<\/span>
<\/span><\/span>    _<\/span>, _<\/span> = fmt<\/span>.Scanf<\/span>("%d"<\/span>, &<\/span>num<\/span>)
<\/span><\/span>    if<\/span> num<\/span> !=<\/span> n1<\/span>+<\/span>n2<\/span> {
<\/span><\/span>        os<\/span>.Exit<\/span>(1<\/span>)
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 文件名检查
<\/span><\/span><\/span><\/span>    check<\/span>()
<\/span><\/span>    
<\/span><\/span>    \/\/ 随机睡眠
<\/span><\/span><\/span><\/span>    sleeptime<\/span> :=<\/span> rand<\/span>.Intn<\/span>(8<\/span>)
<\/span><\/span>    time<\/span>.Sleep<\/span>(time<\/span>.Duration<\/span>(sleeptime<\/span>) *<\/span> time<\/span>.Second<\/span>)
<\/span><\/span>    
<\/span><\/span>    \/\/ 原fscan逻辑
<\/span><\/span><\/span><\/span>    Common<\/span>.InitLogger<\/span>()
<\/span><\/span>    var<\/span> Info<\/span> Common<\/span>.HostInfo<\/span>
<\/span><\/span>    Common<\/span>.Flag<\/span>(&<\/span>Info<\/span>)
<\/span><\/span>    _<\/span> = Common<\/span>.Parse<\/span>(&<\/span>Info<\/span>)
<\/span><\/span>    _<\/span> = Common<\/span>.InitOutput<\/span>()
<\/span><\/span>    defer<\/span> Common<\/span>.CloseOutput<\/span>()
<\/span><\/span>    Core<\/span>.Scan<\/span>(Info<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 文件名检查函数<\/h3>
func<\/span> check<\/span>() {
<\/span><\/span>    if<\/span> filepath<\/span>.Base<\/span>(os<\/span>.Args<\/span>[0<\/span>]) !=<\/span> "can.exe"<\/span> {
<\/span><\/span>        os<\/span>.Exit<\/span>(1<\/span>)
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 反沙箱检测函数<\/h3>
func<\/span> checktime<\/span>() {
<\/span><\/span>    var<\/span> kernel<\/span> = syscall<\/span>.NewLazyDLL<\/span>("Kernel32.dll"<\/span>)
<\/span><\/span>    GetTickCount<\/span> :=<\/span> kernel<\/span>.NewProc<\/span>("GetTickCount"<\/span>)
<\/span><\/span>    r<\/span>, _<\/span>, _<\/span> :=<\/span> GetTickCount<\/span>.Call<\/span>()
<\/span><\/span>    ms<\/span> :=<\/span> time<\/span>.Duration<\/span>(r<\/span> *<\/span> 1000<\/span> *<\/span> 1000<\/span>)
<\/span><\/span>    tm<\/span> :=<\/span> time<\/span>.Duration<\/span>(30<\/span> *<\/span> time<\/span>.Minute<\/span>)
<\/span><\/span>    if<\/span> ms<\/span> < tm<\/span> {
<\/span><\/span>        os<\/span>.Exit<\/span>(1<\/span>)
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、编译与混淆<\/h2>
1. 使用garble工具<\/h3>
garble是一个Go构建包装器，提供：<\/p>

符号名混淆（函数、变量、结构体等）<\/li>
去除调试信息<\/li>
改写构建路径<\/li>
随机化编译结果<\/li>
<\/ul>
2. 安装garble<\/h3>
go install mvdan.cc\/garble@latest
<\/span><\/span><\/code><\/pre>3. 构建命令<\/h3>
garble -literals -tiny build -o payload.exe main.go
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

-literals<\/code>：混淆字符串\/整数等字面量<\/li>
-tiny<\/code>：精简输出体积（剥离符号、缩减段表）<\/li>
build<\/code>：等效于go build<\/li>
<\/ul>
六、增强免杀技巧<\/h2>

对数字杀毒软件可考虑添加假签名<\/li>
有能力者可对更多部分进行重构和二开<\/li>
可考虑添加更多反沙箱检测：

检查内存大小<\/li>
检查CPU核心数<\/li>
检查运行进程<\/li>
检查是否有用户交互<\/li>
<\/ul>
<\/li>
<\/ol>
七、注意事项<\/h2>

修改参数后需确保不影响工具功能<\/li>
混淆可能导致调试困难，建议分阶段测试<\/li>
不同环境可能需要调整反沙箱阈值<\/li>
定期更新修改策略以应对新的检测方法<\/li>
<\/ol>
通过以上步骤，可有效绕过数字、某绒和Defender等常见安全产品的检测。技术能力强的开发者可进一步优化各部分代码实现更高级别的免杀效果。<\/p>

Fscan二次开发与免杀技术详解<\/h1>

一、前言<\/h2> 在当今严格的安全环境下，传统安全工具容易被静态和行为分析识别。本文详细记录对Go语言编写的fscan工具进行二次开发，通过特征绕过和体积优化实现高程度免杀的技术方法。<\/p>

三、静态特征去除<\/h2>

四、动态行为绕过<\/h2>

五、编译与混淆<\/h2>

一、前言<\/h2>
在当今严格的安全环境下，传统安全工具容易被静态和行为分析识别。本文详细记录对Go语言编写的fscan工具进行二次开发，通过特征绕过和体积优化实现高程度免杀的技术方法。<\/p>