{"id":17383511,"url":"https://github.com/cuerz/go-shellcode-bypass","last_synced_at":"2025-04-15T09:53:08.297Z","repository":{"id":152131836,"uuid":"533641136","full_name":"Cuerz/Go-Shellcode-Bypass","owner":"Cuerz","description":"golang obfuscation that evades most domestic (Chinese) AV software: Huorong, 360, Tencent...","archived":false,"fork":false,"pushed_at":"2022-09-07T07:09:18.000Z","size":602,"stargazers_count":74,"open_issues_count":1,"forks_count":11,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-28T19:07:28.580Z","etag":null,"topics":["bypass","golang","shellcode"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cuerz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-07T06:45:07.000Z","updated_at":"2025-02-08T06:31:35.000Z","dependencies_parsed_at":"2023-04-18T07:31:55.901Z","dependency_job_id":null,"html_url":"https://github.com/Cuerz/Go-Shellcode-Bypass","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cuerz%2FGo-Shellcode-Bypass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cuerz%2FGo-Shellcode-Bypass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cuerz%2FGo-Shellcode-Bypass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cuerz%2FGo-Shellcode-Bypass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cuerz","download_url":"https://codeload.github.com/Cuerz/Go-Shellcode-Bypass/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249048713,"owners_count":21204306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","golang","shellcode"],"created_at":"2024-10-16T07:42:59.994Z","updated_at":"2025-04-15T09:53:08.280Z","avatar_url":"https://github.com/Cuerz.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Go-Shellcode-Bypass\r\n\u003e Simple AV evasion implemented in Golang\r\n\r\n## Evasion approach\r\n\r\nPrinciple: 1. Extend the run time so that the AV scanner's detection times out,\r\n\r\n\t\t\t2. Exploit the weak detection of Golang binaries by AV software,\r\n\r\n\t\t\t3. Encode and decode the shellcode multiple times to hide its signature,\r\n\r\n\t\t\t4. Load unrelated strings as obfuscation.\r\n\r\nFirst generate shellcode with msf or cs; here I use C-format shellcode that pops up the calculator, for testing.\r\n\r\n![image-20220907134752862](./assets/image-20220907134752862.png)\r\n\r\nHere the format needs converting: replace \\x with 0x and separate the bytes with commas.\r\n\r\n![image-20220907135337396](./assets/image-20220907135337396.png)\r\n\r\nIt ends up looking like this. At this point it can already be compiled and run with go, but in my tests the results were not good.\r\n\r\nLater I changed it to take the shellcode out separately, removing the `0x`, the commas, and all newlines and spaces, and restoring them at load time.\r\n\r\n![image-20220907135618378](./assets/image-20220907135618378.png)\r\n\r\nIt ends up as a hex string like this, and at this point the evasion results are quite good.\r\n\r\nNote: save the shellcode at this stage in a txt file, and use files of other formats for obfuscation.\r\n\r\nCompile the go program: `go build main.go`\r\n\r\nYou can also do a few tricks, such as removing the black console window at run time: `go build -ldflags=\"-H windowsgui -w -s\" main.go`\r\nYou can even have the program open an image, so that people think it is an image-viewing program and lower their guard.\r\n\r\nRun result\r\n\r\n![image-20220907144254173](./assets/image-20220907144254173.png)\r\n\r\nAt this point VirusTotal shows 11 AV engines detecting it.![image-20220907142635804](./assets/image-20220907142635804.png)\r\n\r\nAfter base64-encoding the shellcode multiple times and scanning again, the results are much better.\r\n\r\nHuorong on my own computer did not detect it, and 360 and Tencent passed it too.\r\n\r\n![image-20220907143413374](./assets/image-20220907143413374.png)\r\n\r\n![image-20220907150510278](./assets/image-20220907150510278.png)\r\n\r\n## Running\r\n\r\n#### Compile the program\r\n\r\n```sh\r\ngo build main.go\r\n```\r\n\r\n#### Remove the black console window at run time\r\n\r\n```sh\r\ngo build -ldflags=\"-H windowsgui -w -s\" main.go\r\n```\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcuerz%2Fgo-shellcode-bypass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcuerz%2Fgo-shellcode-bypass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcuerz%2Fgo-shellcode-bypass/lists"}